Ransomware attack hits MedStar Health, network offline

MedStar Health, which calls itself the largest healthcare provider in Maryland and Washington, D.C., was forced to disable their network on Monday after an alleged Ransomware attack infected several systems.

According to a statement from MedStar, early Monday morning, their network was “affected by a virus” preventing certain users from logging-in to their systems.

MedStar operates 10 hospitals and more than 200 outpatient offices in the Maryland and Washington, D.C. area.

“MedStar acted quickly with a decision to take down all system interfaces to prevent the virus from spreading throughout the organization. We are working with our IT and Cyber-security partners to fully assess and address the situation. Currently, all of our clinical facilities remain open and functioning. We have no evidence that information has been compromised. The organization has moved to back-up systems [and] paper transactions where necessary,” the MedStar statement concluded.

The FBI is said to be looking into the incident.

Last week, the FBI asked the public for assistance in an industry Flash Advisory. The advisory asked for victims of the MSIL/Samas Ransomware families to contact the agency’s CYWATCH center if they believe they’ve been attacked or have additional information to share. This particular family of Ransomware targets JBOSS installations, and was first referenced by the FBI earlier this year.

It isn’t clear if Samas is the malware that forced MedStar offline, but comments made by the medical group’s staff point to a Ransomware infection.

Speaking on the condition that their name not be used, a hospital staffer relayed a story from another employee about a pop-up that appeared on a computer warning of infection and demanding payment.

Similar anonymous comments were given to the Washington Post by an employee who stated the pop-ups demanded a ransom in “some kind of internet currency.”

Officially, MedStar has not confirmed a Ransomware infection, nor have they responded to comments seeking clarification. This story will be updated if they confirm or deny a Ransomware infection.

“Even though it has not been officially acknowledged by MedStar Health, chances are high that they had been infected by ransomware, the 2016 plague which seems to be targeting a lot of critical infrastructure like hospitals recently,” commented David Melamed, Senior Research Engineer at CloudLock.

In the last few weeks, Ransomware has hit a number of medical organizations including the Hollywood Presbyterian Medical Center, the Chino Valley Medical Center, the Desert Valley Hospital, and Methodist Hospital in Henderson, Kentucky.

“Such targets are particularly vulnerable because they cannot afford to be paralyzed for a long time (either because their data has been encrypted or because they shut down the system to avoid spreading the infection) and prefer to pay the ransom,” Melamed added.

In the case of Hollywood Presbyterian, the organization paid $17,000 in ransom in order to restore their systems.

Methodist Hospital refused to pay ransom and restored systems from backups. It isn’t clear how the other two hospitals (owned by Prime Healthcare Services Inc.) recovered from their incidents.

For now, MedStar is using paper to process patients, and staff report that they’re having trouble accessing patient records. Communication between staff is either face-to-face or via phone.

In addition to delays in record searches, it’s also possible that appointments and surgeries will have to be delayed too, as will lab results, one medical professional told the Washington Post.