Without detailed forensic analysis, CTRL Group has made the assumption that the Hospital has been the victim of a very common ransomware attack, often referred to as cryptolocker. These attacks are usually delivered via a link in an email that, once clicked, installs malware on the user’s computer. This malware then starts encrypting files so they are not accessible to anyone without a decryption key. Typically a text screen pops up on the user’s computer asking for a small (~350 USD) ransom to release the key.
“Crime syndicate hack 15,000 medical files at Cabrini Hospital, demands ransom.”
Whilst ransomware attacks are incredibly common and form the majority of reported cyberattacks, they can be avoided through staff awareness training and managed security services which will block the emails and their payload in the cloud. However, they can be crippling to the operations of an organization if they get through.
There is no reason to believe that this was a specifically targeted ransomware attack; it was most likely random and opportunistic. That said, without forensic analysis of the email received, the link that caused it, the machine infected and the other systems on the network, it cannot be guaranteed that there hasn’t been a data breach. A malware payload can also include a bunch of other nasties. Paying the ransom is risky as there is no guarantee that the files will become available. It seems this is what has happened to the Cabrini Hospital.
Ransomware is well known and, unfortunately, difficult to avoid. User awareness training is the first step to avoiding these issues. Cloud security services, including secure email gateways and security operations centres (SOCs) that monitor inbound traffic and end-user behaviour, are the best pre-emptive solutions.
But once the bug has bitten, organisations have some tough choices to make. The best thing would be to refer to their Cyber Incident Response Plan – which very few organisations have, and many of those that do have never tested it. The plan would answer the following:
- Who needs to be on the incident response team?
- Can we revert to the most recent backup of the encrypted files?
- Do we notify AusCERT? The Police?
- Do we need legal advice?
- Do we pay the ransom and hope for the best?
- Have our systems been compromised including information of our employees and customers?
- Do we notify the privacy commissioner?
- Do we notify potentially impacted individuals?
- What do we tell the shareholders?
To quote Robert Redford in 2001’s Spy Game – “When did Noah build the Ark? Before the rain.” The only way to reduce the damage from this kind of incident is to be prepared and handle them well.