Unlike the Hollywood hospital shutdown in February and the Kentucky shutdown in March, both of which began with phishing attacks on employees, the two Baltimore hospitals taken offline by ransomware were hit by server-side attacks that got in through vulnerabilities in public-facing hospital services.
Medstar's Baltimore hospitals were hit with "Samsam" malware, which exploits very old vulnerabilities in server software, meaning that institutions are only vulnerable if they don't have an active IT department that keeps their systems up to date. Unfortunately, this describes many hospitals, and indeed, many have been infected with Samsam, though none so disastrously as Medstar's Baltimore hospitals (yet).
Interestingly, Ars Technica's Sean Gallagher cites unnamed sources as saying that Henderson, Kentucky's Methodist Hospital secretly paid a much higher ransom than the publicly released figure of $17,000.
Of the "couple of dozen targets" that Talos is tracking, Wilson said, a significant number of them are healthcare organizations. This is likely not because the attackers set out to target healthcare specifically, but because of the types of applications used by hospitals and healthcare networks. Wilson believes that the ransomware developer simply scanned for vulnerable servers on the Internet, and most of the ones that were discovered were at healthcare organizations.
"A lot of people in the healthcare industry—they set up websites in a kind of fire and forget fashion," Wilson explained. "They hire an IT guy, they get the billing system set up, hook it up to the website and then they never touch it again. That's the perfect environment for this type of malware to thrive in because it's not maintained. They have no full-time security staff and few if any full-time administrators. As a result, the software just goes unpatched."
Alex Rice, chief technology officer and co-founder of vulnerability disclosure portal provider HackerOne, told Ars that this particular problem isn't unique at all to healthcare. "The reality is that almost every company that is transitioning into becoming an IT company, and every industry that is transitioning into [using more networked information technology], are really unprepared and ill-equipped to deal with the cyber challenges facing them," Rice explained. "It's just that the stakes in healthcare are so much higher—a disruption at a hospital can be life and death." Part of the problem, Rice noted, is that healthcare organizations and medical device manufacturers don't perform penetration testing or other regular risk assessments of their systems with any regularity.
Two more healthcare networks caught up in outbreak of hospital ransomware
[Sean Gallagher/Ars Technica]