Patients diverted to other hospitals after ransomware locks down key software

Hollywood Presbyterian Medical Center, a hospital in Los Angeles, is the victim of what officials describe as an ongoing cyberattack. A hospital spokesperson told Ars in a prepared statement that "patient care has not been affected" by the intrusion. And an executive of the hospital told reporters that the attack was "random" and not targeted at patient records.

However, local news organizations have reported that some emergency patients were diverted to other hospitals—and that some of the hospital's systems have been locked down by ransomware. The hospital has reverted to paper patient registration and medical records, according to NBC 4 in Los Angeles, and the hospital's network has been shut down for over a week.

A spokesperson for the Federal Bureau of Investigations' Los Angeles office confirmed to Ars that HPMC had been targeted in a cyberattack, but he declined to comment further as an investigation is ongoing. The amount being demanded by the attackers to provide the key to unlock the hospital's systems has not been made public, though it has been reported to be as much as 9,000 Bitcoin—the equivalent of $3.6 million.

Crypto crosshairs

The HPMC ransomware attack appears to be part of a trend of increasingly targeted ransomware attacks against businesses and larger institutions. These are likely carried out by cybercriminals who have managed to gain access to the organizations' networks through other malware to conduct reconnaissance. The trend was the topic of a presentation by security researcher Roel Schouwenberg at last week's Suits and Spooks forum in Washington, DC.

"The targeted attacks that I'm aware of started to become more prevalent over the course of 2015," Schowenberg told Ars in an e-mail conversation following the conference. The attacks were launched by "a number of different threat actors, but it's very hard to get the full picture," he noted.

So far, the attacks have not matched the volume of "targeted network exploitation" attacks by criminals and others against businesses, Schowenberg said. But the true number is hard to judge. "Companies don't like talking about these incidents because they're worried they may escalate the situation they're in or become targets for other attackers. Folks are also concerned that talking about these attacks in a public setting will encourage more criminals to go the targeted ransomware route," Schowenberg said.

The attack on HPMC was likely the result of other malware introduced onto a computer at the hospital. "I have no operational insight into the attack at [HPMC]," Schowenberg said, "but given the targeted nature of the attack, we can safely assume there was a reconnaissance phase, which most likely involved the usage of malware of some sort."

Ransomware may simply be another way for criminals to extract a payout from a network infiltration—especially if they don't find financial data or other information that they can turn into cash. It could also be used, conceivably, to cover up the tracks of previous intrusions or to disrupt business for other reasons. And there are an increasing number of targets on organizational networks that could be disrupted by crypto-ransomware—including Internet of Things devices running common embedded operating systems.

Left to their own devices

Hospitals have in the past often become victims of malware because of the outdated software often used by some medical systems, especially embedded software found in medical devices. In a 2012 panel discussion at a National Institute of Standards and Technology security advisory board meeting, Mark Olson, the chief information security officer at Boston's Beth Israel Deaconess Medical Center, reported that malware had taken root on fetal monitors in his hospital's high-risk pregnancy ward. They were slowed so much by the malware that they couldn't properly record data. At that time, many embedded systems were running Windows 2000.

When Ars took a look at hospital IT that same year, we found most of the systems in one hospital were running Windows XP. Four years later, while many of those computers have been moved to Windows 7 or later (including Windows 8 Embedded), many hospitals still have computerized IV pumps, MRI machines, monitors, and other devices that are running on old, unpatched embedded OSes because the manufacturers have been slow to update them. The OEMs often claim they would need to get the devices entirely recertified by the Food and Drug Administration. The FDA, however, recently called out vendors on this claim. Dr. Suzanne Schwartz, the associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in the FDA’s Center for Devices and Radiological Health, recently dismissed that assertion.

In January, the FDA published draft guidelines for medical device manufacturers. "All medical devices that use software and are connected to hospital and health care organizations’ networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation," Schwartz said. "Today’s draft guidance will build on the FDA’s existing efforts to safeguard patients from cyber threats by recommending medical device manufacturers continue to monitor and address cybersecurity issues while their product is on the market."

The presence of malware that would otherwise seem innocuous on such devices—for example, botnet malware intended for financial or advertising network fraud—could end up being a delivery vector for crypto-ransomware or laterally move to other systems more readily inhabited by ransomware. Hospitals aren't the only vulnerable institutions. There are many other businesses that may not even be aware that they are using systems based on older Windows embedded operating systems that have unpatched bugs.

HIPAA-compliant hack

HPMC's executives went public about the ransomware attack at least partly to assure the public (and regulators) that healthcare data had not been breached. If patient records had been exposed, HPMC would have faced fines from the Department of Health and Human Services for violations of privacy regulations under the Health Insurance Portability and Accountability Act (as well as possible patient lawsuits).

That's one of the advantages of crypto-ransomware attacks for attackers—they're more likely to get victims to pay up if they can assure them that their data has not been stolen because that means there hasn't technically been a breach. Most current breach notification rules only apply if personal identifying information is determined to have been filched. If organizations pay quietly, they can pretend the whole thing never happened (at least until it happens again).

There are other obvious advantages to crypto-ransomware for cybercriminals—particularly if the victims are larger organizations. Ransomware attackers are less likely to be caught because of the model used. The victim initiates payment, versus the usual routes to monetizing malware that rely on financial fraud. Using Bitcoin means that cybercriminals don't have to deal with "money mules" who convert fraudulent purchases into cash for them. And in many cases, the crypto-ransomware can be obtained as a full service through hidden service sites on the Tor anonymizing network—all attackers have to do is enter the Bitcoin wallet the payments go to, customize the message, and click a button, and out pops an executable they can deploy through their attack channel of choice.

And if an attacker has an open channel to get crypto-ransomware in, organizations have limited options when it comes to fighting back. The most obvious route, if backups are available for affected systems, is to simply restore the affected files. But with embedded computing devices and some other systems, backups may not be an option. Organizations could also use security gateways to try to block Tor traffic to prevent some crypto-malware from obtaining encryption keys, but Schowenberg notes that Tor-blocking "is not a solution to all ransomware problems"—and it might become less of a solution as attackers choose less-detectable communications methods. In some cases, companies have been able to mount an active defense with the help of law enforcement or security researchers.

But this can be a slow and expensive process. one that is problematic when time-sensitive data is involved. So, for companies and organizations without the wherewithal to reboot and restore their systems, paying up may be the least of the possible evils—especially if they can just sweep it under the rug afterward.

There's also the possibility that in the future, paying may not be an option. Some digital crime rings may attempt denial-of-service attacks on the infrastructure of competitors, making it impossible for them to collect payments—and for victims to obtain the crypto key. And given their widespread availability, DoS attacks could also potentially be used purely for destructive purposes—a subtler version of the "wiper" attacks on Sony Pictures.

"Whether they pay up or not, these attacks are costing companies a ton of money in incident response and recovery," Schowenberg said.

Most companies and security vendors have been focused on preventing breaches where data is stolen from the network, not attacks that disrupt the data in place. "They're not well-prepared to deal with this type of extremely damaging attack," Schowenberg concluded.