Canada: 3 Ontario hospitals recover from ransomware attack

The Ryuk malware is known to store a ransom note in infected computers. (Photo: CBC)

The impact of the malware attack has been wide-ranging for the three affected hospitals, located in Toronto and southwestern Ontario. Email systems were taken offline, health-care records became harder to access and patients were warned of longer wait times.

By CBC News

A Toronto hospital is recovering after being hit last week by a variant of the Ryuk ransomware, CBC News reports.

However, so far it seems the malware was only trying to exfiltrate data rather than demanding money.

Michael Garron Hospital chief executive officer Sarah Downey told CBC News that the hospital’s firewall stopped data from leaving the institution. However, it isn’t clear whether the malware was stopped before or after it was installed.

In an interview, a hospital spokesperson told IT World Canada that “we haven’t been in contact with anyone about paying a ransom.”

The attack started in the early hours of Sept. 25, when what the hospital calls a virus was discovered on one of its IT systems. As a result, several systems were shut down to prevent the malware, later identified as a Ryuk variant, from spreading.

Patient privacy has not been compromised, the hospital said. However, as of this morning it is still in what the institution calls a Code Grey, which means some systems including email are disrupted. The Emergency Department is running, but some services and patient appointments were canceled. Some departments have had to resort to doing things by paper.

“While we hope these types of situations never take place, our expert hospital teams prepare for all issues and we have extensive processes in place to respond quickly when experiencing disruptions in clinical services,” Downey said in a statement. “We want to reassure our community that all current patients at MGH continue to receive safe, high-quality care from our health care teams.

“Our priority is to restore full computer functionality as quickly as possible and we apologize to the small number of patients whose care has been re-scheduled. I am so grateful to our staff, physicians, leaders and volunteers who have worked exceptionally hard and put in extra hours during this time to ensure safe, quality care to our community.”

Michael Garron Hospital until recently was called Toronto East General Hospital, and is one of the largest in the city. The emergency department alone sees about 80,000 patients a year.

How they operate

Hackers use the Ryuk malware to attack computer networks, but it remains invisible to average users for weeks or months.

During that time, it collects information about the organization and its perceived ability to pay a ransom.

Ryuk then locks files, demanding the network owner pay a sum of money to make them accessible again.

The criminals behind the attack “will learn how you operate from A to Z… then they’ll hit you,” Zohar Pinhasi, a Florida-based cyber counterterrorism expert told CBC News. He said it’s likely other Canadian hospitals are affected and haven’t yet detected it.

“If you get hit by them, it would be devastating.”

According to a blog earlier this year from security vendor CrowdStrike, Ryuk ransomware began appearing in August 2018. Controlled by a group it dubs Grim Spider, Ryuk has been targeting large enterprises. CrowdStrike says Ryuk was derived from the Hermes commodity ransomware, which can be bought on dark forums. However, researchers believe Ryuk is only used by the Grim Spider group.

CrowdStrike believes that the initial compromise often comes after a victim clicks on a link or a document in an email that downloads the TrickBot or Emotet trojans. Note, though, that in June the U.K. National Cyber Security Centre published an advisory pointing out that Ryuk often isn’t spotted by victims until some time after the initial infection, ranging from days to months.

That allows the threat actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems.

But, the advisory notes, that delay may also offer a chance to mitigate a ransomware attack before it occurs, if the initial infection is detected and remedied.

In the first four months after Ryuk’s appearance, the threat actors operating it netted over 705 Bitcoins across 52 transactions, for a total current value of US$3,701,893.98, said CrowdStrike. Payouts have been going up ever since. According to one news report, in June alone Florida municipalities hit by Ryuk paid out more than US$1.1 million.

“Hospitals, unfortunately, have software that is hard to upgrade,” he said.

Hard to beat

It’s unclear who’s responsible for the recent string of Ryuk attacks. Cybercrime analysts and specialized bloggers have suggested several criminal groups have been mounting such attacks and that the malware itself may originate from Russia.

The name “Ryuk” itself is taken from a Japanese comic book character who “cannot be harmed by conventional human weapons,” according to a description on the industry website Comic Vine.

It seems the malware can’t easily be beaten, either.

Adam Mansour, a cybersecurity expert with IntelliGO Networks in Toronto, said system administrators usually have to “reimage” computers, resetting them to their configurations from before the ransomware attack, to restore full functionality.

He warns, though, it doesn’t always work. “We’ve seen a lot of cases where just reimaging… is really just delaying the inevitable, which is that (the malware) will come right back.”