A Toronto hospital is recovering after being hit last week by a variant of Ryuk ransomware. However, so far it seems the malware was only trying to exfiltrate data instead of demanding money.
Michael Garron Hospital chief executive officer Sarah Downey told CBC News that the hospital’s firewall stopped data from leaving the institution.
UPDATE: On Friday, communications director Shelley Darling said IT experts were able to confirm the malware was Ryuk by examining it. There was an email message for communicating with the attackers, she added, but the hospital is not contacting anyone about paying a ransom.
The hospital has more than 100 servers, and they are still being evaluated for infection, she said. After the attack was discovered, two elective surgeries and out-patient clinics had to be rescheduled, and staff had to resort to paper documentation. As of Friday morning all email had been restored. However, some remote VPN access is still off. Certain portals that communicate with other health care data repositories are slowly being restored. In addition, what Darling called “minor administrative systems” — such as a volunteer database — and “systems that talk to each other” are still offline.
“It’s probably going to take us a few weeks to have confidence to say all of our systems are back online,” she said.
The hospital hasn’t estimated yet how much the attack will cost. Some of those costs may be recovered through insurance, Darling said.
The attack started in the early hours of Sept. 25, when what the hospital describes as a virus was discovered on one of its IT systems. As a result, several systems were shut down to prevent the malware, later identified as a Ryuk variant, from spreading.
Patient privacy has not been compromised, the hospital said. However, it is still in what the institution calls a Code Grey, which means IT systems have been impaired.
Darling said the suspicion so far is the attack started with an employee clicking on an infected email or going to an infected website. “In the last several days we’ve been re-educating our staff on cyber security email do’s and don’ts,” she added. There has been regular privacy training, but now “we are looking at putting more formal education in place.”
“While we hope these types of situations never take place, our expert hospital teams prepare for all issues and we have extensive processes in place to respond quickly when experiencing disruptions in clinical services,” Downey said in a statement after the attack was discovered. “We want to reassure our community that all current patients at MGH continue to receive safe, high-quality care from our health care teams.
“Our priority is to restore full computer functionality as quickly as possible and we apologize to the small number of patients whose care has been re-scheduled. I am so grateful to our staff, physicians, leaders and volunteers who have worked exceptionally hard and put in extra hours during this time to ensure safe, quality care to our community.”
Michael Garron Hospital until recently was called Toronto East General Hospital, and is one of the largest in the city. The emergency department alone sees about 80,000 patients a year.
According to a blog post earlier this year from security vendor CrowdStrike, Ryuk ransomware began appearing in August 2018. Controlled by a group it dubs Grim Spider, Ryuk has been targeting large enterprises. CrowdStrike says Ryuk was derived from the Hermes commodity ransomware, which can be bought on underground forums. However, researchers believe Ryuk is used only by the Grim Spider group.
CrowdStrike believes the initial compromise often comes after a victim clicks on a link or opens a document in an email that downloads the TrickBot or Emotet trojans. Note, however, that in June the U.K. National Cyber Security Centre published an advisory pointing out that victims often don’t spot Ryuk until some time after the initial infection, ranging from days to months.
That gives the threat actor time to carry out reconnaissance inside the infected network, identifying and targeting critical systems. But, the advisory notes, it also offers a window to head off the ransomware before it is deployed, if the initial infection is detected and remediated.
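The initial-access stage described above, a lure email carrying a macro-enabled document or a download link, is the point where mail-gateway triage can catch the infection before the weeks of dwell time the advisory describes. The script below is an added example, not code from the hospital, CrowdStrike or the NCSC: it parses a constructed sample message (not a real capture) with Python's standard `email` library, flags attachments whose extension can carry macros or run on a click, checks whether the bytes actually look like an Office container, and pulls URLs out of the body for later blocking. The extension list and the quarantine rule are illustrative assumptions, not a complete policy.

```python
import email
import os
import re
from email import policy

# Constructed sample message (not a real capture): a lure carrying a
# macro-enabled Word document plus a download link, the pattern the
# article says precedes a TrickBot/Emotet infection.
SAMPLE_EML = """\
From: "Accounts" <invoices@example.com>
To: staff@hospital.example
Subject: Overdue invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice or download it here:
http://example.com/invoice/4471.doc
--XYZ
Content-Type: application/octet-stream; name="invoice_4471.docm"
Content-Disposition: attachment; filename="invoice_4471.docm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--XYZ--
"""

# Attachment extensions that can carry macros or execute on a click.
# Illustrative list assumed for this example, not an exhaustive policy.
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".pptm", ".js",
                    ".vbs", ".hta", ".lnk", ".iso", ".img", ".exe", ".scr"}

# Magic bytes of the two Office container formats.
OOXML_MAGIC = b"PK\x03\x04"      # .docm/.xlsm/.pptm are zip containers
OLE_MAGIC = b"\xd0\xcf\x11\xe0"  # legacy .doc/.xls compound files

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def triage_message(raw: str) -> dict:
    """Return attachments worth a closer look and URLs found in the body."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"sender": str(msg.get("From", "")), "attachments": [], "urls": []}
    for part in msg.walk():
        if part.is_multipart():
            continue  # container part; its children are visited separately
        filename = part.get_filename()
        if filename or part.get_content_disposition() == "attachment":
            name = filename or "(unnamed)"
            ext = os.path.splitext(name)[1].lower()
            payload = part.get_payload(decode=True) or b""
            report["attachments"].append({
                "filename": name,
                # Gateways often see a generic type here; trust the bytes
                # and the extension, not the declared Content-Type.
                "declared_type": part.get_content_type(),
                "risky_extension": ext in RISKY_EXTENSIONS,
                # Container check only: it does not prove a macro is present.
                "office_container": payload.startswith((OOXML_MAGIC, OLE_MAGIC)),
            })
        elif part.get_content_type() in ("text/plain", "text/html"):
            report["urls"].extend(URL_RE.findall(part.get_content()))
    return report


def should_quarantine(report: dict) -> bool:
    """Assumed rule for this example: hold any mail with a risky extension."""
    return any(a["risky_extension"] for a in report["attachments"])


if __name__ == "__main__":
    result = triage_message(SAMPLE_EML)
    for att in result["attachments"]:
        print("attachment:", att)
    print("urls:", result["urls"])
    print("quarantine:", should_quarantine(result))
```

Run against a real mail feed, the URLs and attachment hashes would be handed to the proxy and endpoint tooling, which is what turns a flagged lure into a remediated precursor infection rather than a Ryuk deployment weeks later.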
In the first four months after Ryuk appeared, the threat actors operating it netted over 705 Bitcoins across 52 transactions, worth US$3,701,893.98 at the time of CrowdStrike’s report. Payouts have been going up ever since. According to one news report, in June alone Florida municipalities hit by Ryuk paid out more than US$1.1 million.