At 2 a.m. on May 20, computer screens at Erie County Medical Center (ECMC) in New York flashed white with bright red words: “What happened to your files?” Then ransom demands began with hot pink text: “Step 1: You must send us 1.7 BitCoin for each affected PC OR 24 BitCoins to receive ALL Private Keys for ALL affected PC’s.”
Hackers had encrypted the hospital’s files and wanted the equivalent of $44,000 to provide a key to unlock them.
Many businesses quietly pay ransoms, but one of the first decisions made at ECMC, with advice from a cybersecurity expert and law-enforcement authorities, was to refuse to do that, according to an article posted on the Security InfoWatch website. Among the reasons:
ECMC had access to a tape backup to restore files, as well as to HealthLink, a regional system for sharing health information electronically among hospitals and doctors. During the attack, the hospital provided critical departments, such as the emergency room and the intensive care unit, with borrowed laptops with ad hoc internet access. Through HealthLink, doctors and nurses could view patient records that existed up to the date of the attack.
Hospital officials also voiced concern that the perpetrators might not provide the key after receiving the money. And even with a key to decrypt the system, how could the hospital be certain everything was OK?
Ransomware commonly spreads by conning a person into clicking a link or downloading an email attachment that looks like a message from a friend or institution, such as a bank requesting verification of a password. Attackers also search the internet for vulnerabilities––systems without updated software security patches, for example.
But the ECMC case was different, the article says. Officials believe hackers used an automatic program that antivirus software could not recognize to exploit a hospital web server that was accessible remotely and that should have been configured differently to prevent an incursion. The hackers then applied “brute force” computing––trying millions of character combinations to identify a relatively easy default password to gain entrance into the hospital’s system.
Officials also believe that the hackers randomly accessed the ECMC server approximately one week before the ransom notes arrived using a variant of ransomware known as SamSam.
Once the hackers had breached the perimeter, it’s believed a person logged in and manually searched the hospital’s files. The intruders then encrypted files in a way that made it more difficult to recover data before they issued the ransom note.
“This attack was in our top 10% in terms of sophistication, and the manual intervention with someone poking around was unusual,” said cybersecurity expert Reg Harnish.
SamSam, which targets vulnerabilities in servers, is responsible for other attacks, including a major ransomware incident last year at 10-hospital Medstar Health in Maryland, according to the article.
In the latest case, it took ECMC weeks to restore its computer system, one device at a time.
Source: Security InfoWatch; May 22, 2017.