The Emerging Threat of RansomwareApril 12, 2016 | | |
Ottawa Hospital in southeast Ontario, Canada; Hollywood Presbyterian Medical Center in Los Angeles; Lukas Hospital in the German city of Neuss; the California law firm Ziprick and Cramer LLP; solo law practitioner Paul Goodson; and the town of Plainfield, New Jersey all have something in common: they learned about the cyber threat posed by ransomware the hard way. Each of their computer systems was locked up by hackers seeking a ransom payment in exchange for unlocking vital data.
Ransomware is a unique type of malware that seeks not to steal data from a computer system, but rather, sets out to block users from accessing information stored in their systems. Any business that utilizes computers to store data that is essential to day to day operations is vulnerable to a malware attack. In the case of a ransomware attack, it does not matter that a business does not store any personal financial information or health data on its systems—all that matters is that computers are needed to keep things up and running.
Ransomware can be unintentionally and unknowingly downloaded when visiting malicious or infected/compromised websites. It can also get into a system through other malware inserted onto a single user’s computer or, more commonly, downloaded by an unwitting user opening an attachment to spam email. Each one of these routes of attack relies on lack of discipline by curious computer users and highlights the need for organizations to exercise care in visiting websites and opening suspicious email attachments, or avoiding anything that just does not seem right.
There are generally two types of ransomware: one locks up a system’s computer screens and the other seeks out and ties up files that are likely to be important such as documents, data bases and spreadsheets. In either case, all known attacks have been accompanied by a demand for payment, usually in electronic currency such as bitcoins. TrendMicro, an IT security company has published an excellent history of the evolution of this threat as it migrated from Russia to a matter of global concern.
A brief review of the recent attacks listed above illustrates the pervasive and insidious nature of the ransomware threat:
Ottawa Hospital: In March 2016, the Ontario based hospital announced that four of its computers had been infected with the WinPLock variant of ransomware. Fortunately, hospital IT immediately isolated and wiped the four computers, thus resolving the situation without the need to pay ransom. The hospital also noted that it maintains an enterprise backup system which ensures that it has ready access to all data and systems in the event of this type of attack.
Hollywood Presbyterian Medical Center: In mid-February 2016, administrators at this 434-bed medical center discovered that they had lost access to parts of the facility’s computer system. Patient records, billing information and all other data was locked down by the attack. Initial reports indicated that the hackers responsible demanded 9,000 bitcoin (about $3,000,000.00). After ten days of being forced to operate by writing down patient orders, having limited access to patient notes and communicating via fax, hospital administrators agreed to make a payment of 40 bitcoin ($17,000.00) to regain control of their operating systems. It remains unclear whether the hospital alerted authorities prior to agreeing to make the ransom payment.
Lukas Hospital: One day in February 2016, staff at this German hospital noticed that computer systems were responding sluggishly and error messages were suddenly appearing in response to routine operations. The hospital’s IT department immediately suspected a malware attack and “pulled the plug” to take the entire operation offline—individual computers, the main server and even the email server were shut down. Weeks later, while no formal ransom demand had been presented to the hospital, pop-up messages consistent with ransomware continued to appear. Authorities had been notified and were investigating this and another similar attack on a second regional hospital. While the Hospital’s website continues to be up and running, several weeks passed before the malware was purged from the system and administrators were left with a significant backlog of handwritten notes that needed to be entered into the system in order to bring records up to date.
Law Firm Attacks: Solo practitioner Paul Goodson and the Redlands, California firm of Ziprick and Cramer LLP were also recently attacked by ransomware that deprived them of access to client files. Goodson attempted to pay the very modest $300.00 ransom demanded of him but failed to do so within the 36 hour time limit set by the ransomware, which then deleted all of his files. The Ziprick firm declined to pay the ransom, alerted authorities and notified clients of the security breach. Fortunately for the firm, minimal data was lost due to it maintenance of a robust back up system for all files.
Plainfield, New Jersey: On March 21, 2016, the Washington Post reported that the City of Plainfield had been the latest municipality hit with ransomware, as three servers containing a variety of memoranda, city newsletters and official files were rendered inaccessible. The hackers responsible demanded 650 euro, payable in bitcoin, to release the files. When law enforcement was notified, the hackers disappeared and the City was left to muddle on without access to these files. Similar attacks have been launched against Ilion, New York and the Melrose Massachusetts police department, the latter paying slightly under $500.00 in bitcoin to regain access to its systems.
To date, while some ransom demands have been shockingly large, actual payments accepted to release locked-up systems have been relatively modest. There is, however, no guarantee that this will remain the case—in fact, the FBI’s Internet Crime Complaint Center indicates that in 2015 it received nearly 2,500 reports of ransomware attacks in which victims paid in excess of $24,000,000.00 to secure access to their own data.
More alarming is a February 2016 report issued by Independent Security Evaluators entitled Hacking Hospitals, suggesting that hospitals are focused on HIPAA compliance to the exclusion of potential vulnerability to cyber-attacks that do not seek to steal patient data. According to the report, testers were able to hack into one hospital’s back-end systems through an information kiosk in the hospital’s lobby. In another instance, staff carried potentially damaging software into a hospital on memory sticks accepted from an unknown source. Thus, those complementary USB sticks, which have become frequent free handouts, might actually contain files that can corrupt computer systems.
Medical facilities’ failure to expand their concerns with cyber security beyond HIPAA could put vital systems such as fire alarms, and equipment such as x-ray machines and defibrillators at risk and threaten patient health and safety. Indeed, similar threats exist to virtually any business (even the airline and automotive industries) and failure to maintain vigilance, discipline and adequate security systems could put both the business and its customers/patients at risk.
- Steven Shapiro
- Marc S. Ullman