IKARUS Ransomware

Ransomware is pretty dreadful when it hits consumer PCs and smartphones. But ransomware is also frequently being used to target organizations and institutions around the world. WannaCry’s effect on the UK NHS public healthcare system last year highlighted how harmful ransomware can be when it hits hospital computers.

This past February, I wrote about a ransomware attack on an American hospital where the target actually paid the ransom in order to restore operations:

“On January 11th, Hancock Regional Hospital in Indiana discovered that their computers had been infected with SamSam ransomware, a malware variant which has existed since early 2016. The hospital decided to pay the four Bitcoin ransom in order to get their files decrypted, which was worth around $55,000 USD at the time…

Hancock Regional Hospital is the anchor of the Hancock Health network, with several facilities in the area east of Indianapolis. The Regional Hospital itself is in Greenfield, Indiana.

When hospital workers discovered the SamSam attack on January 11th, they engaged their incident response and crisis management plan and engaged the hospital legal team and an outside cybersecurity firm. They also contacted the FBI cybercrime task force…

‘We were in a very precarious situation at the time of the attack,’ Hancock Health CEO Steve Long said. ‘With the ice and snow storm at hand, coupled with one of the worst flu seasons in memory, we wanted to recover our systems in the quickest way possible and avoid extending the burden toward other hospitals of diverting patients. Restoring from backup was considered, though we made the deliberate decision to pay the ransom to expedite our return to full operations.’”

In similar fashion, on July 15th, workers at Mahatma Gandhi Mission Hospital in Navi Mumbai, India discovered ransomware on their computers. On that day, hospital administrators found their computer systems locked, and an encrypted message demanded a Bitcoin ransom for decryption. They found that all of their data from the past fifteen days was also encrypted, and the computerized billing and prescription systems were inoperable. The amount of the ransom and the strain of ransomware used have not been reported.

The Cyber Cell of Navi Mumbai police are investigating the incident. “We are trying to ascertain the Internet Protocol Address (IP) from where the email (demanding ransom) originated,” said Deputy Commissioner of Police Tushar Doshi.

Meanwhile, another Indian hospital was recently hit by ransomware as well. The attack on MGM New Bombay Hospital in Vashi, India was also discovered on July 15th. The affected systems and data and the strain of ransomware haven’t been reported. The ransom note demanded Bitcoin but didn’t specify an amount.

Hospital administrator P.K. Shashanker said “Around 9 PM on Sunday, a system message popped up saying that our system had been hacked and we should contact the culprits to retrieve our data. They had provided an email address, but we did not write to them and filed an FIR on Monday. Our technical team is working on retrieving the data. The hospital has not faced any financial loss.” Vashi Police are investigating.

I can’t be certain with limited information, but I suspect that the attacks may be connected and deployed by the same cyber attackers. Both attacks were discovered on July 15th, and both targeted Indian hospitals.

There are reasons why hospitals are often ransomware targets. Stu Sjouwerman of cybersecurity firm KnowBe4 said “If you have patients, you are going to panic way quicker than if you are selling sheet metal. (Hospitals) have not trained their employees on security awareness … and hospitals don’t focus on cybersecurity in general.”

Sjouwerman also says that American hospitals are often focused on HIPAA compliance for medical data privacy instead. HIPAA compliance and protecting medical data are important. But so is teaching hospital staff not to open email attachments from unfamiliar entities, and so is properly securing Remote Desktop Protocol deployments; phishing attachments and exposed RDP are two of the most frequent vectors of ransomware attacks. Data privacy and ransomware prevention: why not do both?
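Since exposed or weakly configured RDP is named above as a frequent ransomware vector, here is an added example, not from the original post, of what "properly securing RDP" looks like as a read-only audit an administrator can run on a Windows host. The registry paths and firewall cmdlets are the standard Windows ones; which settings count as a pass or a fail, and the message wording, are this example's own assumptions.

```powershell
# Added example (not from the original post): read-only audit of the RDP settings
# that most often decide whether a ransomware operator can reach a host over RDP.
# Run in an elevated PowerShell session on Windows. Registry paths and cmdlets are
# the standard Windows ones; the pass/fail thresholds below are this example's assumptions.

$tsPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp   = Join-Path $tsPath 'WinStations\RDP-Tcp'
$findings = @()

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means the listener is disabled.
$deny = (Get-ItemProperty -Path $tsPath -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 1) {
    $findings += 'OK: RDP is disabled on this host.'
} else {
    $findings += 'INFO: RDP is enabled; checking how it is exposed.'

    # 2. Network Level Authentication demands valid credentials before a session is
    #    created, removing the unauthenticated attack surface. UserAuthentication = 1 is required.
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    if ($nla -eq 1) { $findings += 'OK: Network Level Authentication is required.' }
    else            { $findings += 'FAIL: NLA is not required; set UserAuthentication = 1.' }

    # 3. SecurityLayer: 0 = legacy RDP security layer, 1 = negotiate, 2 = TLS.
    $sec = (Get-ItemProperty -Path $rdpTcp -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer
    if ($sec -eq 2) { $findings += 'OK: RDP security layer is TLS.' }
    else            { $findings += "WARN: RDP SecurityLayer is '$sec'; set it to 2 (TLS)." }

    # 4. Which remote addresses may reach the listener? Enabled rules in the built-in
    #    'Remote Desktop' group scoped to 'Any' mean RDP is reachable from anywhere the
    #    host is routable, including the Internet if the host is exposed.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
    if (-not $rules) {
        $findings += 'INFO: no enabled firewall rules found in the Remote Desktop group.'
    }
    foreach ($rule in $rules) {
        $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($addr -contains 'Any') {
            $findings += "FAIL: firewall rule '$($rule.DisplayName)' allows RDP from Any; restrict it to management subnets or a VPN range."
        } else {
            $findings += "OK: firewall rule '$($rule.DisplayName)' is limited to: $($addr -join ', ')"
        }
    }
}

# Print one line per finding; feed the same array into a ticketing or SIEM pipeline if desired.
$findings
```

Any FAIL line is a change to make before worrying about the more exotic defences: require NLA, use TLS, and scope the firewall rule to a VPN or management range rather than leaving the listener open to the Internet.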

Sjouwerman continued, stating that security awareness training for staff is quite feasible and is worth the effort. “You can actually truly get a dramatic decrease in click-happy employees. You send them frequent simulated phishing attacks, and it starts to become a game. You make it part of your culture and if you, once a month, send a simulated attack, that will get people on their toes.”
