Attacks/Breaches
12/11/2012
09:36 AM
50%
50%

Hackers Hold Australian Medical Records Ransom

With no offline backups available, Australian medical center must choose: pay $4,200 ransom or attempt to do business without patient records.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
An Australian medical clinic's patient records have been forcibly encrypted by attackers, who are demanding $4,200 to decrypt the data. The Miami Family Medical Center, located in the Australian state of Queensland, has taken the encrypted drive offline and refused to pay the ransom demand.

Australian news reports have suggested that Russian hackers are behind the ransom demand, but exactly how they cracked the clinic's network remains unclear. "We've got all the antivirus stuff in place -- there's no sign of a virus. They literally got in, hijacked the server and then ran their encryption software," clinic co-owner David Wood told Australia's ABC News.

But keeping the clinic running smoothly has been "very, very, very difficult" since the thousands of patient records are now inaccessible, he said. "What medication you're on can be retrieved from the pharmacists [and] pathology results can be gotten back from pathology," he said.

Information security expert Nigel Phair, who's the director of Australia's Center for Internet Safety, told ABC News that the attacker's low ransom price reflects a high-volume business model, in which hackers will hold as much data for ransom as possible, and set a price that they think the majority of victims will pay.

[ Social engineering is the oldest trick in the book. See Royal Security Fail: 'May I Speak To Kate?' ]

Security experts have been warning that small and midsize businesses are especially vulnerable to these types of ransom demands. Any business that suffers this type of exploit would typically also be legally required to issue data breach notifications to all of their customers or patients, since their records would have been breached.

While numerous data breaches -- including those perpetrated by self-described hacktivist groups -- have involved leaked medical records, ransoming the data is a less well-known occurrence. "It really is not much of a surprise, or it shouldn't be, that some criminals have developed ways to profit from the same sort of hacker activity," said Sean Sullivan, security advisor at F-Secure Labs, in a blog post. "Is this the beginning of a trend which we'll see outside of Oz in 2013?"

This isn't the first such attack against Australian businesses. In September, Queensland police issued a warning that two small businesses had been recently targeted by attackers using ransomware. All of the businesses' customer records were forcibly encrypted by attackers, who then sent ransom notices via email to the affected companies.

Those businesses appeared to have been exploited via drive-by attacks, launched by websites that had been compromised by attackers. "At this stage it appears that infected websites are responsible for the problem. When this is combined with older or insecure Web browsers or poor network security, companies are essentially leaving the door open for these viruses," said detective superintendent Brian Hay in a statement released at the time. He recommended that any businesses affected by such an attack not respond to the ransom emails, but instead contact police for assistance.

In the case of the medical center, paying the attackers' ransom demand may be the only way to recover the data, since forcibly decrypting it may be impossible, said Phair. Then again, paying the ransom might only see the attackers decrypt a fraction of the data, and then require further payments for each additional batch.

Wood, the medical center's co-owner, said one lesson he's learned is to ensure that not all backups are network-connected. "Check your IT security and don't leave backups connected to servers," he said. Arguably, if his facility had put a disaster recovery plan in place that included offsite backups, it would have avoided the situation it's in now.

While the Australian ransom demand targeted a medical facility, there's also been an increase this year in ransom-style attacks targeting consumers. Last week, the Internet Crime Complaint Center (IC3), which is a joint effort between the FBI and the National White Collar Crime Center, reissued a warning about the Raveton malware, which automatically locks an infected PC and issues a fake notice from the FBI demanding users pay a fine to regain access.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Vikas Bhatia
50%
50%
Vikas Bhatia,
User Rank: Apprentice
12/11/2012 | 6:44:58 PM
re: Hackers Hold Australian Medical Records Ransom
Unfortunately, this is not an isolated incident and the current trend, globally, is highlighting some distressing facts. The healthcare industry is seen as a laggard in deploying information, or cyber, security controls in spite of the vast amount of personally identifiable and financial information that they process.

Contrary to perception the risk of healthcare records' breaches do not fall under the remit if IT. IT is the enabler of security controls not the group that defines what needs, or in deed should be done to protect the records.

There needs to be a fundamental shift in the thinking from the executive layer down and not the other way.

Healthcare information security is @notjust4squares

pops54
50%
50%
pops54,
User Rank: Apprentice
12/11/2012 | 11:14:58 PM
re: Hackers Hold Australian Medical Records Ransom
there is no cyber securtity. medical records should not be kept online ever !!
pops54
50%
50%
pops54,
User Rank: Apprentice
12/11/2012 | 11:18:48 PM
re: Hackers Hold Australian Medical Records Ransom
i'm an engineer i studied assembly language programmming. what i understand is that once you can program at machine language level you can take over the whole machine and no software can help because the software is loaded at a higher level language order. this includes anti viruses. a hacker using machine language can go straight into the cpu and delete or bypass those programs before launching into your computer. i dunno how they do it but i know this is scientifically possible if you know base level programming. i'm talking hex pascal c that sort of thing..
pops54
50%
50%
pops54,
User Rank: Apprentice
12/11/2012 | 11:24:28 PM
re: Hackers Hold Australian Medical Records Ransom
you control the cpu with boolean algebra .. the lowest order of programming. but i think these a hole hackers would use c for modern machines which are full of loopholes that are a hackers wet dream... its just too easy for them is what i am saying.. you have to keep medical data on seperate servers offline. tedious as it may be.. at least data is safe
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
12/12/2012 | 12:26:52 AM
re: Hackers Hold Australian Medical Records Ransom
lol - your're suggestion is like saying that because polluters dump millions of tons of toxic contaminants into the atmosphere that people should not breathe the air.

Not gonna happen.
jaysimmons
50%
50%
jaysimmons,
User Rank: Apprentice
12/13/2012 | 7:28:47 PM
re: Hackers Hold Australian Medical Records Ransom
Rather than paying the ransom or not working with the hackers, perhaps a better route would be to try to open up a line of communication with the people responsible for the attack and pay them to give up the vulnerability that they used to take over the systemGÇöa whitehat type of deal. Surely what they did was wrong, but thereGÇÖs obviously a flaw that may be replicable in other systems. A small payment to divulge how they carried on the attack would allow patches to be created.

Jay Simmons Information
Week Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: good one 
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2001-1594
Published: 2015-08-04
GE Healthcare eNTEGRA P&R has a password of (1) entegra for the entegra user, (2) passme for the super user of the Polestar/Polestar-i Starlink 4 upgrade, (3) 0 for the entegra user of the Codonics printer FTP service, (4) eNTEGRA for the eNTEGRA P&R user account, (5) insite for the WinVNC Login, an...

CVE-2002-2445
Published: 2015-08-04
GE Healthcare Millennium MG, NC, and MyoSIGHT has a default password of (1) root.genie for the root user, (2) "service." for the service user, (3) admin.genie for the admin user, (4) reboot for the reboot user, and (5) shutdown for the shutdwon user, which has unspecified impact and attack vectors.

CVE-2002-2446
Published: 2015-08-04
GE Healthcare Millennium MG, NC, and MyoSIGHT has a password of insite.genieacq for the insite account that cannot be changed without disabling product functionality for remote InSite support, which has unspecified impact and attack vectors.

CVE-2003-1603
Published: 2015-08-04
GE Healthcare Discovery VH has a default password of (1) interfile for the ftpclient user of the Interfile server or (2) "2" for the LOCAL user of the FTP server for the Codonics printer, which has unspecified impact and attack vectors.

CVE-2004-2777
Published: 2015-08-04
GE Healthcare Centricity Image Vault 3.x has a password of (1) gemnet for the administrator account, (2) webadmin for the webadmin administrator account of the ASACA DVD library, (3) an empty value for the gemsservice account of the Ultrasound Database, and possibly (4) gemnet2002 for the gemnet2002...

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!