
Illustration by Steve McCracken 

Patient Zero

It was like going back in time. Instead of using an electronic records system to access patient data and update charts, MedStar Health staff did medical rounds using good, old-fashioned paper and pencil.

The reason? Ransomware had compromised the $5 billion health-care provider that operates 10 hospitals and more than 250 outpatient facilities in the Washington, D.C., region, serving thousands of patients and employing more than 30,000.

While exact details were not released before Security Management’s press time, attackers hit MedStar on the morning of March 28, launching an attack that prevented certain users from logging in to its systems.

“MedStar acted quickly with a decision to take down all system interfaces to prevent the virus from spreading throughout the organization,” MedStar spokesperson Ann Nickels said in a statement. “We are working with our IT and cybersecurity partners to fully assess and address the situation. Currently, all of our clinical facilities remain open and functioning.”

MedStar also reassured stakeholders that it believed no patient data had been compromised, and that it was working with its cybersecurity partner—Symantec—and the FBI to find out exactly how attackers gained access to its systems. 

Through this effort, MedStar was able to keep its doors open and bring its systems back up “in what can only be viewed as a very rapid recovery led by dedicated MedStar and external IT expert partners,” it said in a statement.

The ransomware attack on MedStar is just one of a string of recent attacks on the healthcare industry. In March, attackers took the computers of Hollywood Presbyterian Medical Center in Los Angeles hostage for more than a week until officials paid the ransom, approximately $17,000 in Bitcoin.

“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” said Hollywood Presbyterian President Allen Stefanek in a statement. “In the best interest of restoring normal operations, we did this.”

Ransomware is a form of malware that attackers use to infect a computer or network, encrypt its data, and then demand payment—the ransom—from victims to decrypt the data. If victims don’t pay up, the data will remain encrypted or may be deleted.

Attackers have been using it to compromise healthcare systems in the United States, Germany, Canada, and France, according to research by Security Management. This raises the question: Why are hospitals such lucrative targets for ransomware?

James Carder, CISO of LogRhythm and former director of security information for the Mayo Clinic, says he thinks it’s because healthcare is “so far behind the times” when it comes to cybersecurity. 

“If you just think about the core business of what a hospital does, they are there to treat sick people—treat patients,” he explains. “They think of security from a physical security perspective…the cybersecurity world is nothing that they’ve actually planned for. If you look at their IT infrastructure, they’re all built around supporting patient care and they have never made that connection with cybersecurity being directly connected to patient care.”

Instead, an emphasis is placed on making patient data available at all times and on remaining compliant with the Health Insurance Portability and Accountability Act (HIPAA). “The focus is on patient care and having access and availability of records, more so than securing the records,” Carder adds.

Couple this attitude towards cybersecurity with the large amounts of data that healthcare institutions use on a daily basis and the large resources most hospitals have, and you have a prime target for a ransomware attack, says Dan Holden, director of Arbor’s Security Engineering and Response Team (ASERT).

For attackers, “the great part about these commercial entities is they can get so much more,” Holden explains. “Rather than carrying on a campaign for $25, if you go through the investment to find serious targets in hospitals…the likelihood that you’re going to get paid is likely to be higher.”

This incentivizes hackers to go after hospitals because they are “the soft underbelly in terms of market,” Holden explains, giving them a high return on investment (ROI) for their efforts. And it doesn’t matter if the hospital is in the United States or in Europe, because all of them depend on having access to their data to serve their patients.

“The financial state of the country doesn’t necessarily matter,” Holden says. “You know they are going to have to depend on that data. From an ROI standpoint, it’s a good investment.”

Ransomware itself is also becoming more sophisticated, allowing it to infect a victim’s network more easily than in the past, according to Craig Williams, senior technical leader and security outreach manager for Talos, a threat intelligence organization owned by Cisco.

“Earlier ransomware required a human to spread,” he explains. “They had to have someone go to the website, see a malicious ad, or get an e-mail and click on it and run the e-mail attachment; they all required user interaction.”

SamSam, a new type of ransomware, however, does not. Instead, it combines network-based vulnerabilities with a ransomware payload. This means that the ransomware can target and penetrate a network when no one’s there.

SamSam works by exploiting well-known vulnerabilities—some up to nine years old—on unpatched systems. During the initial compromise, attackers conduct manual reconnaissance to locate systems they’d like to target with ransomware. They then configure what they want the malware to do, and it runs without requiring active command and control.

In plain English, “the way you can think of ransomware operating previously is they needed someone to unlock the door,” Williams says. “SamSam is the first piece of ransomware that can open the door for itself.”

SamSam first came on the scene in December 2015 when it was used in a gaming industry campaign. Williams says he thinks this was a trial run to make sure it was an effective form of ransomware. 

However, it wasn’t until mid-February 2016 that Talos began seeing significant growth of the use of SamSam, with an “explosive growth period” in April. And Talos is continuing to see those high numbers, Williams adds.

“Talos did a small scan of the Internet, and, based on our preliminary findings, it appears that there are around 2.1 million vulnerable servers on the Internet right now,” he explains. “That’s a bad number.”

The FBI has also acknowledged the rise of SamSam, sending out a confidential “Flash” advisory on March 25, obtained by Reuters, requesting help from businesses and software security experts in investigating the new form of ransomware. 

“Friday’s FBI alert was focused on ransomware known as [SamSam] that the agency said seeks to encrypt data on entire networks, an alarming change because typically, ransomware has sought to encrypt data one computer at a time,” Reuters reports.

Security Management reached out to the FBI to discuss the advisory, but the Bureau declined to be interviewed for this article.

And while the healthcare industry is on high alert and beefing up its cybersecurity due to the string of recent ransomware attacks, Williams says he’s concerned that the attacks aren’t going away anytime soon. This is because attackers have built SamSam to make use of several different vulnerabilities, so companies must apply a variety of patches to their systems.

“The reality is, once people do start applying these patches the attackers will simply rotate in a new vulnerability to exploit,” Williams says. 

The attackers are also helped by their adoption of customer-service best practices, which are meant to make sure victims pay the ransom instead of just using a back-up or losing their data.

With SamSam, attackers are offering bulk discounts to decrypt data. In a case documented on Talos’s blog, a ransomware victim bought one key to decrypt his data and then came back and bought a second key for a lower price. The victim did this because the ransomware encrypted multiple machines, requiring separate decryption keys for each machine to decrypt the data.

“What’s really interesting about this is that the attackers apologized for delaying posting the key, which goes back to the problem these ransomware authors have of gaining victims’ trust,” Williams explains.

Also unique to the recent rise of SamSam is that attackers appear to be continuously upping the amount that they are charging victims to get their data back. 

“We don’t see that normally,” Williams says. “What that tells me is they don’t fully understand the value of their data, and they’re trying to experiment to see exactly how much people will pay them.”

This presents a problem for customers because the more people who pay the ransom, the higher the ransom will go until the attackers reach a period of diminishing returns, he adds. 

Additionally, Williams says he’s concerned when he hears reports of businesses paying the ransom—as Hollywood Presbyterian did—because there’s no way to know if their data’s integrity is intact.

“There’s no reason an attacker couldn’t have tampered with medical records or engineering design documents, or other things that could have a very significant impact to the world when they release the files to you,” he explains. “Without the ability to verify your data’s integrity, users need to be very cautious when trusting that data.”

Despite the bleak outlook for the healthcare industry, the best ways to prevent a ransomware attack continue to be patching systems regularly to keep them up to date, creating cybersecurity awareness training for employees, and having reliable back-ups that are tested, says Lysa Meyers, security researcher at ESET.

“You test it and make sure that it’s actually functioning,” she explains. “If you have a back-up and it’s not functional, that’s not a good back-up…this trend of ransomware could disappear in a short period of time if more businesses started doing back-ups.”

And having a good back-up system is something hospitals tend to do well, Carder says, because of their crisis management planning. 

“Hospitals do things around: what if a core infrastructure goes down, how would you actually respond?” he says. For MedStar, it responded by using paper and pencil instead of its electronic systems to provide service. 

“It kind of takes it back a number of years, but the good news is—at least for MedStar—that they had some type of plan that they could go to if the IT infrastructure went down,” Carder explains. “They could revert back to that, if needed, to treat patients.”
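Added example, not part of the original article: one way to act on Williams’s point about unverifiable data and Meyers’s point about tested back-ups is to keep a pre-incident hash manifest and check any restored or decrypted file tree against it. The file names, key, and sample records below are constructed for illustration, and the sketch assumes the manifest and its key are stored away from the systems they describe.

```python
import hashlib, hmac, json, os, tempfile

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def _seal(files, key):
    # HMAC over the canonical listing, so edits to the manifest are detectable.
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(root, key):
    """Hash every file under root while the data is known to be good."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root)] = _sha256(full)
    return {"files": files, "hmac": _seal(files, key)}

def verify_restore(root, manifest, key):
    """Compare a restored (or decrypted) tree with the pre-incident manifest."""
    if not hmac.compare_digest(_seal(manifest["files"], key), manifest["hmac"]):
        raise ValueError("manifest failed authentication; do not rely on it")
    known, now = manifest["files"], build_manifest(root, key)["files"]
    return {
        "modified": sorted(p for p in known if p in now and now[p] != known[p]),
        "missing": sorted(p for p in known if p not in now),
        "unexpected": sorted(p for p in now if p not in known),
    }

def demo():
    """Constructed sample: three small records, then a flawed 'restore'."""
    key = b"constructed-demo-key"  # assumption: the real key is stored off-host
    records = {"chart_001.txt": "dose 5 mg", "chart_002.txt": "dose 10 mg", "notes.txt": "follow-up"}
    with tempfile.TemporaryDirectory() as root:
        def write(name, text):
            with open(os.path.join(root, name), "w") as f:
                f.write(text)
        for name, text in records.items():
            write(name, text)
        manifest = build_manifest(root, key)
        write("chart_002.txt", "dose 100 mg")       # silently altered record
        os.remove(os.path.join(root, "notes.txt"))  # record lost in recovery
        write("readme_new.txt", "not in baseline")  # file that was never there
        return verify_restore(root, manifest, key)
```

Calling `demo()` returns the altered, missing, and unexpected files; a clean restore yields three empty lists.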