Updated: More Hospitals Felled by Ransomware

male hand pressing defeated key button
Three more U.S. hospitals revealed that ransomware had encrypted data on systems within their network, part of an ongoing epidemic of ransomware attacks.

In-brief: Hospitals in Kentucky and California were the victims of ransomware early this week – more evidence of a sustained campaign of extortion malware attacks. (Editor’s note: This story was updated to include comment from affected hospitals. – PFR March 24, 2016)

The website Krebsonsecurity is reporting that’s Kentucky’s Methodist Hospital was on lockdown early this week after an outbreak of the Locky ransomware encrypted data on a number of systems at the facility.

The Henderson, Kentucky-based facility said it was experiencing an “internal state of emergency” as a result of a computer virus. The news came amid reports by the BBC that two California hospitals: Chino Valley Medical Center and Desert Valley Hospital had also experienced outbreaks.

[Read more Security Ledger coverage of ransomware.]

Neither Methodist Hospital nor Prime Healthcare Services, which operates Chino Valley and Desert Valley hospitals, responded to requests for comment prior to publication.

In a statement, Prime Healthcare spokesman Fred Ortega said that no ransom was paid in either case.

“Our in-house IT team was able to immediately implement protocols and procedures to contain and mitigate the disruptions. The hospitals remained operational without impacting patient safety, and at no point was patient or employee data compromised. As of today most systems have been brought online,” Ortega wrote in an e-mail to Security Ledger.

In a published statement, Methodist Hospital said that it also did not pay a ransom.  “The issue has been resolved and the system has been up and running since Monday, March 21st,” the hospital said. There also, the facility’s Information Systems Department “responded quickly to the virus and immediately shut down the system to contain the virus and to prevent it from spreading.”

The hospital said it reported the incident to the Henderson Police Department in Kentucky and to the FBI, which are investigating.

Locky is a new variant of ransomware that first appeared on February 16, according to the security firm Symantec. It spreads mostly via email messages, disguised as Microsoft Word file attachments, posing as invoices and other official documents.

Once opened, the malware quickly infects files on the local machine and spiders any network connections from that victim machine, infecting any data and systems it can access. The malware is notable for adding a .locky file extension to the files it encrypts.

According to the Krebs on Security report, the Methodist Hospital data was held ransom for 4 Bitcoin, slightly over $1,600. Ransoms as low as .5 and 1 Bitcoin are not uncommon.

Ransomware infections have been spreading quickly. Small hospitals are particularly vulnerable because they often lack the tools and information technology staff and expertise to fend off such attacks.

In a recent conversation with Security Ledger, Kevin Fu, a professor at the University of Michigan and an expert on healthcare security, said that many attacks on small healthcare facilities are akin to “breaking down an opened door.” Social engineering attacks that result in ransomware infections are just one manifestation of that problem, he said.

In the meantime, Methodist Hospital said it is in the process of “restructuring its network” to “minimize the potential area of infection should a similar incident occur in the future.” The hospital said it has “been in contact with its spamware and antivirus providers.”