IT organizations, especially those in healthcare facilities and government institutions that handle huge amounts of sensitive personal data and health records need to ensure their systems and software are regularly updated in order to avoid becoming victims of ransomware, according to a security company.
California-based Malwarebytes told Canadian Government Executive that it has identified at least 10 Canadian cities that are favourite targets of ransomware.
Cyber criminals have been exploiting the prevalence of outdated server-side software such as older versions of WordPress and Joomla Website in many Canadian organizations, according to Jerome Segura, a senior security researcher at Malwarebytes.
Segura also said that some three weeks ago, Malwarebytes discovered that the computer system of an Ontario hospital was compromised and made to spread ransomware among its staff, patients and their families who visit the hospital’s Web site. He identified the hospital as the Norfolk General Hospital, in Simcoe, Ontario. NGH is a small 106-bed hospital which has been a teaching facility for the McMaster University’s Faculty of Sciences since 2009.
According to Segura, the hospital’s Web portal is powered by Joomla CMS version 2.5.6 (the latest version is 3.4.8). Several vulnerabilities exist for the outdated version being run by the hospital.
“Many of these older programs do not have the benefit of up-to-date protection, so cyber criminals find it very easy to load their malware,” he said. “Since January this year, Malwarebytes Anti-Malware has detected over tens of thousands of instances of ransomware affecting Canadians.”
He said, “many more” were blocked by Malwarebytes’ Anti-Exploit or Ransomware Beta products.
Ransomware is a type of malware that restricts access to the infected computer system. The malware typically displays on the computer screen of infected machines a demand for the user to pay a ransom to the malware operators to restore access to their data. Some ransomware encrypts files on the system’s hard drive while some may simply lock the system. In many instances, the attackers demand payment in bitcoins.
Based on Malwarebytes’ telemetry, here are the 10 Canadian cities most affected by malware:
- Toronto
- Ottawa
- Montreal
- Markham
- Calgary
- London
- Edmonton
- Winnipeg
- Saint Catharines
“Our honeypots visited the NGH page and got infected with ransomware via the Angler exploit kit,” said the researcher. “A closer look at the packet capture revealed that malicious code leading to the exploit kit was injected directly into the site’s source code itself.”
Like many site hacks, this injection is conditional and will appear only once for a particular IP address, Segura said. For instance, the site administrator who often visits the page will only see a clean version of it while first timers will get served the exploit and malware.
“The particular strain of ransomware dropped here is TeslaCrypt which demands $500 to recover your personal files it has encrypted,” said Segura. “That payment doubles after a week.”
Mark Patton, vice-president of engineering for Malwarebytes, said it appears that the computers of some people who visited the hospital Web site were infected.
“We alerted the hospital officials and warned them about the potential dangers,” he said. “They told us that they are working on upgrading their version of Joomla with their hosting provider.”
Patton said that healthcare facilities are prime targets for ransomware because they are a rich source of sensitive private and financial information.
He said chief information security officers (CISO) need to focus on four key things to keep their systems safe:
- Always keep software updated and patched
- Run the latest versions of browsers
- Backup data regularly and frequently
Patton also adviced CISOs to make sure their IT teams are vigilant in getting rid of unused software. This way, an organization can, at least, reduce the attack surface.
“Many IT infrastructures in hospitals and government offices tend to cling on to older operating systems and software that do not have ample protection anymore,” he said. “In such a situation, the risk of attack is very high. It also raises the question of liability.”
In the event that an attack does occur, he said, the question of negligence on the part of the institution is likely to be raised.
