Hospitals have been having a tough time with ransomware lately.  Starting last month, when Hollywood Presbyterian Medical Center paid close to 17k for a ransomware decryption key, more news has been released about other hospitals being affected by ransomware. Two new stories from Malwarebytes and Brian Krebs show that hospitals are not only incredibly vulnerable to ransomware, but also prime targets.

Methodist Hospital State of Emergency

Today Brian Krebs reported that the Kentucky-based Methodist Hospital had declared an "Internal State of Emergency" after being infected with the Locky ransomware. According to Krebs' report, one machine at the hospital became infected, but because of network shares it was able to encrypt data on other systems on the network. This led the hospital's IT department to shut down the entire network and bring each machine up one by one to scan for the infection. A tip for any IT administrators who run into a situation like this in the future: you can check the owner of an encrypted file to determine the computer that is potentially infected.
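One way to apply the file-owner tip on a Windows file share, as an added example that is not from the original article: the script finds files matching a suspected-encrypted pattern and tallies them by NTFS owner, so the account writing them stands out. The `-SharePath` value and the default `*.locky` pattern are assumptions to adjust for the incident at hand.

```powershell
# Added example: tally NTFS owners of suspected-encrypted files on a share.
# Assumptions: $SharePath is the affected share; $Pattern matches the extension
# or ransom-note name observed in this incident (default is illustrative).
param(
    [Parameter(Mandatory = $true)] [string]   $SharePath,
    [string[]] $Pattern = @('*.locky')
)

# Collect matching files; unreadable folders are skipped rather than aborting the scan.
$hits = Get-ChildItem -Path $SharePath -Recurse -File -Include $Pattern `
            -ErrorAction SilentlyContinue

# Read the owner recorded in each file's security descriptor.
$records = foreach ($f in $hits) {
    try {
        $owner = (Get-Acl -LiteralPath $f.FullName -ErrorAction Stop).Owner
    } catch {
        $owner = '<unreadable>'
    }
    [pscustomobject]@{
        Owner    = $owner
        Path     = $f.FullName
        Modified = $f.LastWriteTime
    }
}

if (-not $records) {
    Write-Output "No files matching $($Pattern -join ', ') under $SharePath"
    return
}

# One row per owner: file count plus the first and last write times,
# which bound the window in which that account was encrypting files.
$records |
    Group-Object Owner |
    ForEach-Object {
        $times = @($_.Group.Modified | Sort-Object)
        [pscustomobject]@{
            Owner      = $_.Name
            Files      = $_.Count
            FirstWrite = $times[0]
            LastWrite  = $times[-1]
            Example    = $_.Group[0].Path
        }
    } |
    Sort-Object Files -Descending |
    Format-Table -AutoSize
```

The owner is an account name, so map it to a workstation through logon records. Files overwritten in place keep their original owner, which makes newly created files such as ransom notes the more reliable signal.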

Malwarebytes also reported yesterday that the website for the Norfolk General Hospital in Canada had been hacked and was distributing ransomware to unsuspecting visitors via the Angler Exploit Kit. According to Malwarebytes, this exploit kit is configured so that it is shown to a given person only once. So if a system administrator who visits the site often loaded the page, the kit would attempt to attack them only once, and any subsequent visits would show the site's source code as clean. Other visitors, meanwhile, would continue to visit the site and be infected by the ransomware.

Angler Exploit Kit on the Hospital's Site

I do not believe at this time that the ransomware developers and distributors in these stories are actually targeting hospitals. They are instead looking for vulnerable sites to hack in order to spread ransomware, and the hospitals that were infected became so through user error. I do believe, though, that businesses and organizations that are heavily data and document driven will in the future be specifically targeted by ransomware developers.

Since these types of infections target documents, who better to attack than those who rely on them, such as hospitals, lawyers, and architects? If any of these types of businesses have their documents encrypted, it could literally halt the entire operation of the company and potentially put them out of business. Even scarier, for hospitals and medical practices it literally puts the patients at risk when doctors are unable to access patient notes.
