Toronto hospital recovering from ransomware attack

A Toronto hospital is recovering after being hit last week by a variant of Ryuk ransomware. However, so far it seems the malware was only trying to exfiltrate data instead of demanding money.

Michael Garron Hospital chief executive officer Sarah Downey told CBC News that the hospital’s firewall stopped data from leaving the institution.

UPDATE: On Friday, communications director Shelley Darling said IT experts were able to confirm the malware was Ryuk by examining the malware. There was an email message for communicating with the attackers, she added. but the hospital is not contacting anyone about paying a ransom.

The hospital has over 100 servers and they are still being evaluated for infection, she said. After the attack was discovered two elective surgeries and out-patient clinics had to be rescheduled and staff had to resort to paper documentation. As of Friday morning, all email had been restored. However, some remote VPN access is still off. Certain portals that communicate with other health care data repositories are slowly being restored.  In addition,  what Darling called “minor administrative systems” — such a volunteer database — and “systems that talk to each other” are still offline.

“It’s probably going take us a few weeks to have confidence to say all of our systems are back online,” he said.

The hospital hasn’t estimated yet how much the attack will cost. Some of those costs may be recovered through insurance, Darling said.

The attack started in the early hours of Sept. 25  when what it calls a virus was discovered on one of the IT systems. As a result several systems were closed to prevent the malware, later identified as a Ryuk variant, from spreading.

Patient privacy has not been compromised, the hospital said. However, it is still in what the institution calls a Code Grey, which means IT systems have been impaired.

Darling said the suspicion so far is the attack started with an employee clicking on an infected email or going to an infected website. “In the last several days we’ve been re-educating our staff on cyber security email do’s and don’ts,” she added. There has been regular privacy training, but now “we are looking at putting more formal education in place.”

“While we hope these types of situations never take place, our expert hospital teams prepare for all issues and we have extensive processes in place to respond quickly when experiencing disruptions in clinical services,” Downey said in a statement after the attack was discovered. “We want to reassure our community that all current patients at MGH continue to receive safe, high-quality care from our health care teams.

“Our priority is to restore full computer functionality as quickly as possible and we apologize to the small number of patients whose care has been re-scheduled. I am so grateful to our staff, physicians, leaders and volunteers who have worked exceptionally hard and put in extra hours during this time to ensure safe, quality care to our community.”

Michael Garron Hospital until recently was called Toronto East General Hospital, and is one of the largest in the city. The emergency department alone sees about 80,000 patients a year.

According to a blog earlier this year from security vendor CrowdStrike, Ryuk ransomware began appearing in August 2018. Controlled by a group it dubs Grim Spider, Ryuk has been targeting large enterprises.  CrowdStrike says Ryuk was derived from the Hermes commodity ransomware, which can be bought on dark forums. However, researchers believe Ryuk is only used by the Grim Spider group.

CrowdStrike believes that the initial compromise often comes after a victim clicks on a link or a document in an email that downloads the TrickBot or Emotet trojans. But note that in June the U.K. National Cyber Security Centre published an advisory that pointed out often Ryuk isn’t spotted by victims until after some time following the initial infection, ranging from days to months.

That allows the threat actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems. But, the advisory notes, it may also offer the potential to mitigate against a ransomware attack before it occurs, if the initial infection is detected and remedied.

In the first four months since Ryuk’s appearance the threat actors operating it netted over 705 Bitcoins across 52 transactions for a total current value of US$3,701,893.98, said CrowdStrike. Payouts have been going up ever since. According to one news report in June alone Florida municipalities hit by Ryuk paid out more than US$1.1 million dollars.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now