Attacks/Breaches
12/11/2012
09:36 AM
50%
50%

Hackers Hold Australian Medical Records Ransom

With no offline backups available, Australian medical center must choose: pay $4,200 ransom or attempt to do business without patient records.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
An Australian medical clinic's patient records have been forcibly encrypted by attackers, who are demanding $4,200 to decrypt the data. The Miami Family Medical Center, located in the Australian state of Queensland, has taken the encrypted drive offline and refused to pay the ransom demand.

Australian news reports have suggested that Russian hackers are behind the ransom demand, but exactly how they cracked the clinic's network remains unclear. "We've got all the antivirus stuff in place -- there's no sign of a virus. They literally got in, hijacked the server and then ran their encryption software," clinic co-owner David Wood told Australia's ABC News.

But keeping the clinic running smoothly has been "very, very, very difficult" since the thousands of patient records are now inaccessible, he said. "What medication you're on can be retrieved from the pharmacists [and] pathology results can be gotten back from pathology," he said.

Information security expert Nigel Phair, who's the director of Australia's Center for Internet Safety, told ABC News that the attacker's low ransom price reflects a high-volume business model, in which hackers will hold as much data for ransom as possible, and set a price that they think the majority of victims will pay.

[ Social engineering is the oldest trick in the book. See Royal Security Fail: 'May I Speak To Kate?' ]

Security experts have been warning that small and midsize businesses are especially vulnerable to these types of ransom demands. Any business that suffers this type of exploit would typically also be legally required to issue data breach notifications to all of their customers or patients, since their records would have been breached.

While numerous data breaches -- including those perpetrated by self-described hacktivist groups -- have involved leaked medical records, ransoming the data is a less well-known occurrence. "It really is not much of a surprise, or it shouldn't be, that some criminals have developed ways to profit from the same sort of hacker activity," said Sean Sullivan, security advisor at F-Secure Labs, in a blog post. "Is this the beginning of a trend which we'll see outside of Oz in 2013?"

This isn't the first such attack against Australian businesses. In September, Queensland police issued a warning that two small businesses had been recently targeted by attackers using ransomware. All of the businesses' customer records were forcibly encrypted by attackers, who then sent ransom notices via email to the affected companies.

Those businesses appeared to have been exploited via drive-by attacks, launched by websites that had been compromised by attackers. "At this stage it appears that infected websites are responsible for the problem. When this is combined with older or insecure Web browsers or poor network security, companies are essentially leaving the door open for these viruses," said detective superintendent Brian Hay in a statement released at the time. He recommended that any businesses affected by such an attack not respond to the ransom emails, but instead contact police for assistance.

In the case of the medical center, paying the attackers' ransom demand may be the only way to recover the data, since forcibly decrypting it may be impossible, said Phair. Then again, paying the ransom might only see the attackers decrypt a fraction of the data, and then require further payments for each additional batch.

Wood, the medical center's co-owner, said one lesson he's learned is to ensure that not all backups are network-connected. "Check your IT security and don't leave backups connected to servers," he said. Arguably, if his facility had put a disaster recovery plan in place that included offsite backups, it would have avoided the situation it's in now.

While the Australian ransom demand targeted a medical facility, there's also been an increase this year in ransom-style attacks targeting consumers. Last week, the Internet Crime Complaint Center (IC3), which is a joint effort between the FBI and the National White Collar Crime Center, reissued a warning about the Raveton malware, which automatically locks an infected PC and issues a fake notice from the FBI demanding users pay a fine to regain access.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jaysimmons
50%
50%
jaysimmons,
User Rank: Apprentice
12/13/2012 | 7:28:47 PM
re: Hackers Hold Australian Medical Records Ransom
Rather than paying the ransom or not working with the hackers, perhaps a better route would be to try to open up a line of communication with the people responsible for the attack and pay them to give up the vulnerability that they used to take over the systemG«Ųa whitehat type of deal. Surely what they did was wrong, but thereG«÷s obviously a flaw that may be replicable in other systems. A small payment to divulge how they carried on the attack would allow patches to be created.

Jay Simmons Information
Week Contributor
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
12/12/2012 | 12:26:52 AM
re: Hackers Hold Australian Medical Records Ransom
lol - your're suggestion is like saying that because polluters dump millions of tons of toxic contaminants into the atmosphere that people should not breathe the air.

Not gonna happen.
pops54
50%
50%
pops54,
User Rank: Apprentice
12/11/2012 | 11:24:28 PM
re: Hackers Hold Australian Medical Records Ransom
you control the cpu with boolean algebra .. the lowest order of programming. but i think these a hole hackers would use c for modern machines which are full of loopholes that are a hackers wet dream... its just too easy for them is what i am saying.. you have to keep medical data on seperate servers offline. tedious as it may be.. at least data is safe
pops54
50%
50%
pops54,
User Rank: Apprentice
12/11/2012 | 11:18:48 PM
re: Hackers Hold Australian Medical Records Ransom
i'm an engineer i studied assembly language programmming. what i understand is that once you can program at machine language level you can take over the whole machine and no software can help because the software is loaded at a higher level language order. this includes anti viruses. a hacker using machine language can go straight into the cpu and delete or bypass those programs before launching into your computer. i dunno how they do it but i know this is scientifically possible if you know base level programming. i'm talking hex pascal c that sort of thing..
pops54
50%
50%
pops54,
User Rank: Apprentice
12/11/2012 | 11:14:58 PM
re: Hackers Hold Australian Medical Records Ransom
there is no cyber securtity. medical records should not be kept online ever !!
Vikas Bhatia
50%
50%
Vikas Bhatia,
User Rank: Apprentice
12/11/2012 | 6:44:58 PM
re: Hackers Hold Australian Medical Records Ransom
Unfortunately, this is not an isolated incident and the current trend, globally, is highlighting some distressing facts. The healthcare industry is seen as a laggard in deploying information, or cyber, security controls in spite of the vast amount of personally identifiable and financial information that they process.

Contrary to perception the risk of healthcare records' breaches do not fall under the remit if IT. IT is the enabler of security controls not the group that defines what needs, or in deed should be done to protect the records.

There needs to be a fundamental shift in the thinking from the executive layer down and not the other way.

Healthcare information security is @notjust4squares

Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1449
Published: 2014-12-25
The Maxthon Cloud Browser application before 4.1.6.2000 for Android allows remote attackers to spoof the address bar via crafted JavaScript code that uses the history API.

CVE-2014-2217
Published: 2014-12-25
Absolute path traversal vulnerability in the RadAsyncUpload control in the RadControls in Telerik UI for ASP.NET AJAX before Q3 2012 SP2 allows remote attackers to write to arbitrary files, and consequently execute arbitrary code, via a full pathname in the UploadID metadata value.

CVE-2014-3971
Published: 2014-12-25
The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate.

CVE-2014-7193
Published: 2014-12-25
The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive information, and potentially obtain the ability to spoof requests to non-CORS routes, via a crafted web site ...

CVE-2014-7300
Published: 2014-12-25
GNOME Shell 3.14.x before 3.14.1, when the Screen Lock feature is used, does not limit the aggregate memory consumption of all active PrtSc requests, which allows physically proximate attackers to execute arbitrary commands on an unattended workstation by making many PrtSc requests and leveraging a ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.