Hospitals have been having a tough time with ransomware lately. Starting last month, when Hollywood Presbyterian Medical Center paid close to 17k for a ransomware decryption key, more news has been released about other hospitals being affected by ransomware. Two new stories from Malwarebytes and Brian Krebs show that hospitals are not only incredibly vulnerable to ransomware, but also prime targets.
Today Brian Krebs reported that the Kentucky-based Methodist Hospital had declared an "Internal State of Emergency" after being infected with the Locky ransomware. According to Krebs' report, one machine became infected at the hospital, but due to network shares it was able to encrypt data on other systems on the network. This led to the hospital's IT department shutting down the entire network while they brought each machine up one-by-one to scan for the infection. A tip for any IT administrators who may run into a situation like this in the future: you can check the owner of an encrypted file to determine the potential computer that is infected.
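One way to apply that tip across a whole share is the PowerShell sketch below. It is an added example, not something from Krebs' report or the hospital's response. It groups encrypted files by owning account and shows when each account first and last wrote them. The share path and the file extension are placeholders to replace with the values from the incident.

```powershell
# Added example. $SharePath and $Extension are placeholders, not values from the article.
param(
    [string]$SharePath = '\\fileserver\share',   # hypothetical share to triage
    [string]$Extension = '.encrypted'            # extension the ransomware appends (placeholder)
)

# Collect owner and write time for every file carrying the ransomware's extension.
$hits = Get-ChildItem -LiteralPath $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ieq $Extension } |
    ForEach-Object {
        try {
            $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner
        } catch {
            # Keep the file in the report even when its ACL cannot be read.
            $owner = '<unreadable ACL>'
        }
        [pscustomobject]@{
            Owner     = $owner
            Path      = $_.FullName
            WriteTime = $_.LastWriteTime
        }
    }

# One row per owning account: how many files it wrote and over what time window.
$hits | Group-Object Owner | Sort-Object Count -Descending | ForEach-Object {
    $times = $_.Group.WriteTime | Sort-Object
    [pscustomobject]@{
        Owner      = $_.Name
        Files      = $_.Count
        FirstWrite = $times | Select-Object -First 1
        LastWrite  = $times | Select-Object -Last 1
    }
} | Format-Table -AutoSize
```

The owner is an account rather than a machine, so the account at the top of the list still has to be matched to the workstation it was logged on to during the write window.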
Malwarebytes also reported yesterday that the website for the Norfolk General Hospital in Canada was hacked and was distributing ransomware via the Angler Exploit Kit to unsuspecting visitors. According to Malwarebytes, the way this exploit kit is configured, it would only be shown to a person once. So if a system administrator who visits the site often loaded it, the kit would only attempt to attack them once. Any subsequent visits would show the site's source code as clean. Visitors, on the other hand, would continue to visit the site and be infected by the ransomware.
I do not believe at this time that the ransomware developers and distributors in these stories are actually targeting hospitals. They are instead looking for vulnerable sites to hack in order to spread ransomware, and hospitals that were infected became so by user error. I do believe, though, that businesses and organizations that are heavily data and document driven will in the future be specifically targeted by ransomware developers.
Since these types of infections target documents, who better to attack than those who rely on them, such as hospitals, lawyers, and architects? If any of these types of businesses have their documents encrypted, it could literally halt the entire operation of the company and potentially put them out of business. Even scarier, for hospitals and medical practices it literally puts the patients at risk when doctors are unable to access patient notes.