Three more hospitals hit with ransomware attacks

Wham, bam, bam – three more hospitals have been hit with ransomware.

Kentucky hospital hit with ransomware

David Park, COO of Methodist Hospital in Henderson, Kentucky, told WFIE 14 News that after attackers copied patients’ files, locked those copies and deleted the originals, the hospital notified the FBI. The attack happened on Friday after the ransomware made it past the hospital’s email filter; by Monday, Methodist officials said their system was “up and running.”

Brian Krebs reported the hospital had posted a scrolling red “internal state of emergency” banner on its website. Park told Krebs the hospital hadn’t ruled out paying the ransom, but he told WFIE the hospital didn’t pay it. The ransom, according to Krebs, was four bitcoins which was equal to about $1,600.

The initial infection was an “opportunistic attack” that came via spam email about invoices which tricked the recipient into opening the attached file. The ransomware attempted to spread across the “entire internal network” and successfully compromised “several other systems,” according to Krebs, before Methodist “shut down all of the hospital’s desktop computers, bringing systems back online one by one only after scanning each for signs of infection.”

Two more California hospitals hit with ransomware attacks

Two southern California hospitals were also hit with cyberattacks on Friday, according to Healthcare Finance. The affected hospitals were Chino Valley Medical Center and Desert Valley Hospital, which are part of the national hospital chain Prime Healthcare Services. The malware attack “disrupted servers” and resulted in “some IT systems” being shut down so the infection wouldn’t spread.

Prime Healthcare spokesman Fred Ortega said the FBI had been contacted, but refused to say if the malware was ransomware or what ransom was being demanded. Instead, Ortega compared the malware-infecting attack to being “similar to challenges hospitals across the country are facing.”

How similar…as in a “similar case” such as when Hollywood Presbyterian Medical Center was the victim of a ransomware attack and paid the $17,000 ransom in bitcoins? Ortega might not admit the “malware attack” was a ransomware attack, but an insider source told the Los Angeles Times that it was indeed ransomware; the ransom amount has currently not been reported. Ortega followed up by saying “nothing was paid and no patient or employee data was compromised.”

Ortega added, “The concern now is to let law enforcement do their thing and find the culprit.” Besides the FBI, “data security experts and the California Department of Public Health” are involved in the case.

Prime Healthcare was quick to note that no patient records were compromised. Healthcare Finance mentioned that Prime Healthcare, which runs 42 hospitals in 14 states, has been in “trouble over lapses on patient privacy in the past;” it paid a $275,000 settlement in 2013 to “resolve a federal investigation involving a breach of patient confidentiality” – one of Prime’s hospitals had “shared a woman’s medical files with journalists and sent an email about her treatment to all hospital employees.”

Growing threat and big booming business of ransomware

Ransomware is “definitely a growing threat,” Special Agent Chris Stangl, a section chief in the FBI cyber division, told The Washington Post. This seems to echo an OTA ransomware report about cybercrooks cherry-picking businesses with more valuable data in order to extort the most money. Organizations are often paying the extortion amount. As Stangl put it, “Success breeds more activity.”

Recently both the FBI (pdf) and Microsoft have issued warnings about the growing threat of Samas ransomware which encrypts files on machines as well as those shared on a company’s network.

“Ransomware has been around for a long time, but we’ve never seen a concerted manual effort by hackers to break into a network, hang out for a year, spread to all the machines and then install it everywhere,” added Val Smith, chief executive of Attack Research. “This is a major shift in effort.”

Smith was among the experts blaming recent ransomware attacks on Chinese state-sponsored hackers; he told Reuters that “some government hackers or contractors could be out of work or with reduced work and looking to supplement their income via ransomware.”