Months After Hacks, DHS Sends a Warning About Hospital Ransomware

On Thursday, US-CERT published an alert about ransomware hitting hospitals. But is it too little, too late?

Since February, at least a dozen hospitals have been affected by ransomware, malware that encrypts a victim's files until they cough up a bounty to the hackers. Many, if not most, of these attacks have been in the US, hitting hospitals in Los Angeles, Kentucky, and a large, multi-hospital network that serves the Washington, DC, and Baltimore area.

In response, US-CERT, the country's Computer Emergency Readiness Team, issued an alert on March 31 warning potential victims of the risks, and how to protect themselves.

But, considering that some hospitals have already had to divert emergency services, push high-risk operations to future dates, and even turn away some patients, is the alert too little, too late?

"In early 2016, a destructive ransomware variant, Locky, was observed infecting computers belonging to healthcare facilities and hospitals in the United States, New Zealand, and Germany," reads the alert, which was also written in collaboration with the Canadian Cyber Incident Response Centre (CCIRC).

US-CERT is part of the Department of Homeland Security's (DHS) National Cybersecurity and Communications Integration Center (NCCIC), and, among other tasks, coordinates sharing of information on cybersecurity threats. Many countries have their own CERT, such as CERT-UK for the United Kingdom, and Q-CERT in Qatar.

"It propagates through spam emails that include malicious Microsoft Office documents or compressed attachments (e.g., .rar, .zip). The malicious attachments contain macros or JavaScript files to download Ransomware-Locky files," the US-CERT alert continues.

US-CERT also mention the ransomware Samsam, otherwise known as Samas. Samsam is innovative in that it targets vulnerable servers directly, rather than relying on, for example, a gullible worker downloading a malicious email attachment.

Craig Williams, senior technical leader from research group Talos, which is part of cybersecurity company Cisco, recently told Motherboard that his team had received numerous reports of hospitals being targeted by Samsam, and that tens of thousands of servers were currently vulnerable to the same issues that the Samsam attackers were leveraging. Talos is working with the FBI on a current investigation into Samsam and hospital infections.

The US-CERT alert goes on to lay out the various forms of impact a ransomware attack might have: loss of files, disruption of operations, financial loss, and potential harm to an organization's reputation.

"Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim's money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed," the alert warns.

Finally, US-CERT provide some counter-measures: backing up data, keeping software up to date, restricting users' permissions to install software, and others.

None of that is particularly surprising, especially because this alert comes amid a rash of ransomware attacks on hospitals. Public details of Samsam, including which software it targeted, were published by researchers on March 23, and ransomware attacks on hospitals had already gained massive media attention in February. On top of that, the FBI had already sent out two of its own alerts concerning the particularly pernicious Samsam: one back in February and then another, more urgent one dated March 25, asking the private sector for assistance.

With something as urgent as malware targeting hospitals, surely time was of the essence for US-CERT.

"The US CERT and ICS CERT both operate in a highly visible capacity. This visibility sometimes means that public relations, policy, and legal staff members get involved in the processes of releasing information," Robert M. Lee, a former US Air Force cyber warfare operations officer as well as the founder and CEO of Dragos Security, told Motherboard in a Twitter message.

"These staff are not the most educated on cyber security. Ultimately any high profile case, especially those in the media, is far less likely to achieve timely information and disclosure," he continued. "While the analysts are generally great there is a widely held critique of these organizations acting more as late-to-the-party echo chambers than first hand sources of information whenever non-analyst staff get involved."

US-CERT did not immediately respond to a request for comment.