Attacks/Breaches
12/11/2012
09:36 AM
Connect Directly
RSS
E-Mail
50%
50%

Hackers Hold Australian Medical Records Ransom

With no offline backups available, Australian medical center must choose: pay $4,200 ransom or attempt to do business without patient records.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
An Australian medical clinic's patient records have been forcibly encrypted by attackers, who are demanding $4,200 to decrypt the data. The Miami Family Medical Center, located in the Australian state of Queensland, has taken the encrypted drive offline and refused to pay the ransom demand.

Australian news reports have suggested that Russian hackers are behind the ransom demand, but exactly how they cracked the clinic's network remains unclear. "We've got all the antivirus stuff in place -- there's no sign of a virus. They literally got in, hijacked the server and then ran their encryption software," clinic co-owner David Wood told Australia's ABC News.

But keeping the clinic running smoothly has been "very, very, very difficult" since the thousands of patient records are now inaccessible, he said. "What medication you're on can be retrieved from the pharmacists [and] pathology results can be gotten back from pathology," he said.

Information security expert Nigel Phair, who's the director of Australia's Center for Internet Safety, told ABC News that the attacker's low ransom price reflects a high-volume business model, in which hackers will hold as much data for ransom as possible, and set a price that they think the majority of victims will pay.

[ Social engineering is the oldest trick in the book. See Royal Security Fail: 'May I Speak To Kate?' ]

Security experts have been warning that small and midsize businesses are especially vulnerable to these types of ransom demands. Any business that suffers this type of exploit would typically also be legally required to issue data breach notifications to all of their customers or patients, since their records would have been breached.

While numerous data breaches -- including those perpetrated by self-described hacktivist groups -- have involved leaked medical records, ransoming the data is a less well-known occurrence. "It really is not much of a surprise, or it shouldn't be, that some criminals have developed ways to profit from the same sort of hacker activity," said Sean Sullivan, security advisor at F-Secure Labs, in a blog post. "Is this the beginning of a trend which we'll see outside of Oz in 2013?"

This isn't the first such attack against Australian businesses. In September, Queensland police issued a warning that two small businesses had been recently targeted by attackers using ransomware. All of the businesses' customer records were forcibly encrypted by attackers, who then sent ransom notices via email to the affected companies.

Those businesses appeared to have been exploited via drive-by attacks, launched by websites that had been compromised by attackers. "At this stage it appears that infected websites are responsible for the problem. When this is combined with older or insecure Web browsers or poor network security, companies are essentially leaving the door open for these viruses," said detective superintendent Brian Hay in a statement released at the time. He recommended that any businesses affected by such an attack not respond to the ransom emails, but instead contact police for assistance.

In the case of the medical center, paying the attackers' ransom demand may be the only way to recover the data, since forcibly decrypting it may be impossible, said Phair. Then again, paying the ransom might only see the attackers decrypt a fraction of the data, and then require further payments for each additional batch.

Wood, the medical center's co-owner, said one lesson he's learned is to ensure that not all backups are network-connected. "Check your IT security and don't leave backups connected to servers," he said. Arguably, if his facility had put a disaster recovery plan in place that included offsite backups, it would have avoided the situation it's in now.

While the Australian ransom demand targeted a medical facility, there's also been an increase this year in ransom-style attacks targeting consumers. Last week, the Internet Crime Complaint Center (IC3), which is a joint effort between the FBI and the National White Collar Crime Center, reissued a warning about the Raveton malware, which automatically locks an infected PC and issues a fake notice from the FBI demanding users pay a fine to regain access.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jaysimmons
50%
50%
jaysimmons,
User Rank: Apprentice
12/13/2012 | 7:28:47 PM
re: Hackers Hold Australian Medical Records Ransom
Rather than paying the ransom or not working with the hackers, perhaps a better route would be to try to open up a line of communication with the people responsible for the attack and pay them to give up the vulnerability that they used to take over the systemGÇöa whitehat type of deal. Surely what they did was wrong, but thereGÇÖs obviously a flaw that may be replicable in other systems. A small payment to divulge how they carried on the attack would allow patches to be created.

Jay Simmons Information
Week Contributor
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
12/12/2012 | 12:26:52 AM
re: Hackers Hold Australian Medical Records Ransom
lol - your're suggestion is like saying that because polluters dump millions of tons of toxic contaminants into the atmosphere that people should not breathe the air.

Not gonna happen.
pops54
50%
50%
pops54,
User Rank: Apprentice
12/11/2012 | 11:24:28 PM
re: Hackers Hold Australian Medical Records Ransom
you control the cpu with boolean algebra .. the lowest order of programming. but i think these a hole hackers would use c for modern machines which are full of loopholes that are a hackers wet dream... its just too easy for them is what i am saying.. you have to keep medical data on seperate servers offline. tedious as it may be.. at least data is safe
pops54
50%
50%
pops54,
User Rank: Apprentice
12/11/2012 | 11:18:48 PM
re: Hackers Hold Australian Medical Records Ransom
i'm an engineer i studied assembly language programmming. what i understand is that once you can program at machine language level you can take over the whole machine and no software can help because the software is loaded at a higher level language order. this includes anti viruses. a hacker using machine language can go straight into the cpu and delete or bypass those programs before launching into your computer. i dunno how they do it but i know this is scientifically possible if you know base level programming. i'm talking hex pascal c that sort of thing..
pops54
50%
50%
pops54,
User Rank: Apprentice
12/11/2012 | 11:14:58 PM
re: Hackers Hold Australian Medical Records Ransom
there is no cyber securtity. medical records should not be kept online ever !!
Vikas Bhatia
50%
50%
Vikas Bhatia,
User Rank: Apprentice
12/11/2012 | 6:44:58 PM
re: Hackers Hold Australian Medical Records Ransom
Unfortunately, this is not an isolated incident and the current trend, globally, is highlighting some distressing facts. The healthcare industry is seen as a laggard in deploying information, or cyber, security controls in spite of the vast amount of personally identifiable and financial information that they process.

Contrary to perception the risk of healthcare records' breaches do not fall under the remit if IT. IT is the enabler of security controls not the group that defines what needs, or in deed should be done to protect the records.

There needs to be a fundamental shift in the thinking from the executive layer down and not the other way.

Healthcare information security is @notjust4squares

Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5700
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

CVE-2014-0484
Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-3595
Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

CVE-2014-3635
Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio