Dark Reading is part of the Informa Tech Division of Informa PLC

Hackers Hold Australian Medical Records Ransom

With no offline backups available, Australian medical center must choose: pay $4,200 ransom or attempt to do business without patient records.

An Australian medical clinic's patient records have been forcibly encrypted by attackers, who are demanding $4,200 to decrypt the data. The Miami Family Medical Center, located in the Australian state of Queensland, has taken the encrypted drive offline and refused to pay the ransom demand.

Australian news reports have suggested that Russian hackers are behind the ransom demand, but exactly how they cracked the clinic's network remains unclear. "We've got all the antivirus stuff in place -- there's no sign of a virus. They literally got in, hijacked the server and then ran their encryption software," clinic co-owner David Wood told Australia's ABC News.
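The clinic's account above (antivirus in place, nothing detected, the attacker logs in and runs an encryptor) is exactly the case signature-based antivirus misses: the encryptor need not look like known malware, but its effect on the files is distinctive. The following is an added example, not code from the article or from the clinic, showing one behavioural check a practitioner would run against a records share: a Shannon-entropy scan that flags files rewritten as high-entropy ciphertext, plus a canary file that no legitimate process ever changes. The sample records, the canary name, the 7.5 bits/byte threshold and the SHA-256 counter-mode keystream used to stand in for the attacker's encryption are all constructed for the example.

```python
"""Entropy and canary check for mass encryption of a records directory.

Added example (not the clinic's or the article's code). Sample records are
constructed below; the "attacker" is simulated with a SHA-256 keystream so
the run is deterministic and needs no network.
"""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumed threshold: text and structured records sit around 4-6 bits/byte;
# ciphertext (and compressed data, a known false positive) sits near 8.
ENTROPY_THRESHOLD = 7.5
# Assumed canary: a decoy file that nothing legitimate ever rewrites.
CANARY_NAME = ".canary-do-not-touch.txt"
CANARY_CONTENT = b"canary v1: if this changes, something is rewriting files\n"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_records(root: Path) -> dict:
    """Walk `root`; report high-entropy files and the state of the canary."""
    report = {"high_entropy": [], "canary_tampered": False, "canary_missing": True}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if path.name == CANARY_NAME:
            # The canary is judged by content, not entropy: it is too short
            # for an entropy estimate to mean anything.
            report["canary_missing"] = False
            report["canary_tampered"] = data != CANARY_CONTENT
            continue
        if shannon_entropy(data) >= ENTROPY_THRESHOLD:
            report["high_entropy"].append(path.name)
    return report


def simulated_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for the attacker's encryptor: XOR with a SHA-256 counter-mode
    keystream. Constructed for the example, not a real ransomware routine;
    applying it twice with the same key restores the plaintext."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        stream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ s for b, s in zip(chunk, stream))
    return bytes(out)


def demo() -> tuple:
    """Build a constructed records directory, scan it clean, then encrypt
    every file in place the way the attacker did and scan again."""
    record = (b"Patient: J. Citizen; DOB 1970-01-01; Rx: amoxicillin 500mg tds;\n"
              b"Path: FBC normal; Notes: review in 2 weeks.\n") * 40
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(3):
            (root / f"patient-{i}.txt").write_bytes(record)
        (root / CANARY_NAME).write_bytes(CANARY_CONTENT)
        before = scan_records(root)

        key = b"attacker-key-constructed-for-demo"
        for path in root.iterdir():
            path.write_bytes(simulated_encrypt(path.read_bytes(), key))
        after = scan_records(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Run on a real share, the scan is a scheduled job rather than a one-shot: the signal is files whose entropy jumped since the last run, not files that were always high-entropy (images, PDFs, archives), and the canary should sit in the directory the encryptor walks first, such as the alphabetically earliest folder on the share.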

But keeping the clinic running smoothly has been "very, very, very difficult" since the thousands of patient records are now inaccessible, he said. "What medication you're on can be retrieved from the pharmacists [and] pathology results can be gotten back from pathology," he said.

Information security expert Nigel Phair, who's the director of Australia's Center for Internet Safety, told ABC News that the attacker's low ransom price reflects a high-volume business model, in which hackers will hold as much data for ransom as possible, and set a price that they think the majority of victims will pay.

Security experts have been warning that small and midsize businesses are especially vulnerable to these types of ransom demands. In many jurisdictions, a business that suffers this type of attack would also be legally required to issue data breach notifications to its customers or patients, since the attackers had access to the records before encrypting them.

While numerous data breaches -- including those perpetrated by self-described hacktivist groups -- have involved leaked medical records, ransoming the data is a less well-known occurrence. "It really is not much of a surprise, or it shouldn't be, that some criminals have developed ways to profit from the same sort of hacker activity," said Sean Sullivan, security advisor at F-Secure Labs, in a blog post. "Is this the beginning of a trend which we'll see outside of Oz in 2013?"

This isn't the first such attack against Australian businesses. In September, Queensland police issued a warning that two small businesses had been recently targeted by attackers using ransomware. All of the businesses' customer records were forcibly encrypted by attackers, who then sent ransom notices via email to the affected companies.

Those businesses appeared to have been exploited via drive-by attacks, launched by websites that had been compromised by attackers. "At this stage it appears that infected websites are responsible for the problem. When this is combined with older or insecure Web browsers or poor network security, companies are essentially leaving the door open for these viruses," said detective superintendent Brian Hay in a statement released at the time. He recommended that any businesses affected by such an attack not respond to the ransom emails, but instead contact police for assistance.

In the case of the medical center, paying the attackers' ransom demand may be the only way to recover the data, since breaking the encryption without the attackers' key may be impossible, said Phair. Then again, paying the ransom might only see the attackers decrypt a fraction of the data, and then demand further payments for each additional batch.

Wood, the medical center's co-owner, said one lesson he's learned is to ensure that not all backups are network-connected. "Check your IT security and don't leave backups connected to servers," he said. Had the facility kept offline or offsite backups as part of a tested disaster recovery plan, it could have restored the records instead of negotiating for them.
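Wood's lesson is the operative one: a backup volume mounted on the server is just another directory for the encryptor to walk. The following added example, not code from the article or from the clinic, shows the two checks a practitioner would put around an offline copy: a snapshot written with a SHA-256 manifest, and a verify step that refuses a snapshot whose files no longer match that manifest, or whose manifest itself no longer matches a digest recorded out of band (in the backup operator's log, not on either machine), so that an attacker who rewrites both the files and the manifest is still caught. Directory names, the snapshot label and the sample records are constructed for the example; the pull-over-SSH transport a real deployment would use from a dedicated backup host is outside what runs here.

```python
"""Snapshot with a manifest, plus a verify step that catches a backup copy
that was itself rewritten (e.g. by an encryptor that could reach it).

Added example, not the clinic's or the article's code. Paths, the snapshot
label, the sample records and the ransom note are constructed for the demo.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(source: Path, backup_root: Path, label: str) -> str:
    """Copy `source` to backup_root/label/data, write manifest.json beside it,
    and return the manifest's own SHA-256. Record that digest somewhere the
    server cannot write (printed backup log, ticket); verify_snapshot later
    trusts only that out-of-band value."""
    snap = backup_root / label
    shutil.copytree(source, snap / "data")
    manifest = {
        p.relative_to(source).as_posix(): sha256_file(p)
        for p in sorted(source.rglob("*")) if p.is_file()
    }
    manifest_bytes = json.dumps(manifest, indent=2, sort_keys=True).encode()
    (snap / "manifest.json").write_bytes(manifest_bytes)
    return hashlib.sha256(manifest_bytes).hexdigest()


def verify_snapshot(snap: Path, expected_manifest_digest: str) -> list:
    """Return a list of problems; an empty list means the snapshot is safe to
    restore from. Order: manifest integrity first, then every listed file,
    then anything present that the manifest does not list."""
    manifest_path = snap / "manifest.json"
    if not manifest_path.is_file() or sha256_file(manifest_path) != expected_manifest_digest:
        # Manifest gone, or rewritten to match encrypted files.
        return ["manifest digest mismatch: do not trust this snapshot"]
    manifest = json.loads(manifest_path.read_text())
    data = snap / "data"
    problems = []
    for rel, digest in manifest.items():
        f = data / rel
        if not f.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(f) != digest:
            problems.append(f"modified: {rel}")
    for f in sorted(data.rglob("*")):
        rel = f.relative_to(data).as_posix()
        if f.is_file() and rel not in manifest:
            problems.append(f"unexpected: {rel}")   # e.g. a dropped ransom note
    return problems


def demo() -> dict:
    """A clean snapshot verifies; a snapshot the encryptor reached does not."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "records"
        source.mkdir()
        (source / "patient-1.txt").write_text("Patient 1: DOB 1970-01-01; Rx: ...\n")
        (source / "patient-2.txt").write_text("Patient 2: DOB 1982-06-30; Rx: ...\n")

        backups = tmp / "backups"
        digest = take_snapshot(source, backups, "2012-12-10")
        clean = verify_snapshot(backups / "2012-12-10", digest)

        # Simulate the backup volume being reachable from the compromised
        # server: one file overwritten with ciphertext, a (constructed) note added.
        data = backups / "2012-12-10" / "data"
        (data / "patient-1.txt").write_bytes(b"\x8f\x1a\x00\xde\x41\x77 (stand-in ciphertext)")
        (data / "HOW_TO_DECRYPT.txt").write_text("constructed ransom note\n")
        tampered = verify_snapshot(backups / "2012-12-10", digest)

        # If the attacker also rewrites the manifest to match, only the
        # out-of-band digest still exposes it.
        (backups / "2012-12-10" / "manifest.json").write_text("{}")
        rewritten = verify_snapshot(backups / "2012-12-10", digest)
    return {"clean": clean, "tampered": tampered, "manifest_rewritten": rewritten}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {problems or 'OK'}")
```

The verify step is only as good as where the digest lives: if it is stored on the backup volume next to the manifest, the check collapses to "the snapshot agrees with itself". Run it before every restore and on a schedule, and treat a single "modified" entry as a reason to fall back to an older snapshot rather than restore selectively.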

While the Australian ransom demand targeted a medical facility, there's also been an increase this year in ransom-style attacks targeting consumers. Last week, the Internet Crime Complaint Center (IC3), which is a joint effort between the FBI and the National White Collar Crime Center, reissued a warning about the Reveton malware, which locks an infected PC and displays a fake FBI notice demanding that the user pay a fine to regain access.

Comments
jaysimmons, User Rank: Apprentice, 12/13/2012 | 7:28:47 PM
re: Hackers Hold Australian Medical Records Ransom
Rather than paying the ransom or not working with the hackers, perhaps a better route would be to try to open up a line of communication with the people responsible for the attack and pay them to give up the vulnerability that they used to take over the system, a whitehat type of deal. Surely what they did was wrong, but there's obviously a flaw that may be replicable in other systems. A small payment to divulge how they carried on the attack would allow patches to be created.

Jay Simmons, InformationWeek Contributor
AustinIT, User Rank: Apprentice, 12/12/2012 | 12:26:52 AM
re: Hackers Hold Australian Medical Records Ransom
lol - your suggestion is like saying that because polluters dump millions of tons of toxic contaminants into the atmosphere, people should not breathe the air.

Not gonna happen.
pops54, User Rank: Apprentice, 12/11/2012 | 11:24:28 PM
re: Hackers Hold Australian Medical Records Ransom
you control the CPU with boolean algebra .. the lowest order of programming. but i think these a hole hackers would use C for modern machines, which are full of loopholes that are a hacker's wet dream... it's just too easy for them is what i am saying.. you have to keep medical data on separate servers offline. tedious as it may be.. at least the data is safe
pops54, User Rank: Apprentice, 12/11/2012 | 11:18:48 PM
re: Hackers Hold Australian Medical Records Ransom
i'm an engineer, i studied assembly language programming. what i understand is that once you can program at machine language level you can take over the whole machine and no software can help, because the software is loaded at a higher language level. this includes antiviruses. a hacker using machine language can go straight into the CPU and delete or bypass those programs before launching into your computer. i dunno how they do it but i know this is scientifically possible if you know base level programming. i'm talking hex, pascal, C, that sort of thing..
pops54, User Rank: Apprentice, 12/11/2012 | 11:14:58 PM
re: Hackers Hold Australian Medical Records Ransom
there is no cyber security. medical records should not be kept online ever !!
Vikas Bhatia, User Rank: Apprentice, 12/11/2012 | 6:44:58 PM
re: Hackers Hold Australian Medical Records Ransom
Unfortunately, this is not an isolated incident and the current trend, globally, is highlighting some distressing facts. The healthcare industry is seen as a laggard in deploying information, or cyber, security controls in spite of the vast amount of personally identifiable and financial information that they process.

Contrary to perception, the risk of healthcare records breaches does not fall under the remit of IT. IT is the enabler of security controls, not the group that defines what needs, or indeed should, be done to protect the records.

There needs to be a fundamental shift in the thinking from the executive layer down and not the other way.

Healthcare information security is @notjust4squares