Hospitals and healthcare providers are increasingly falling victim to crypto-ransomware attacks. While attacks over the past few months have not been highly targeted thus far, they have caused a great deal of disruption. And disruptions at hospitals can have a much more dire impact than at most other organizations vulnerable to malware-based extortion.

This past week, that point was brought home again when multiple US hospitals acknowledged that they had been forced to take systems offline in response to crypto-ransomware infestations. And on Wednesday, security researchers at Cisco Talos Research revealed a new strain of crypto-ransomware designed to attack vulnerable servers that appeared to be primarily focused on targets in the healthcare industry.

The latest disruption came on Monday, when Columbia, Maryland based MedStar Health reported malware had caused a shutdown of some systems at its hospitals in Baltimore.

Prescription for problems

In a Facebook post, a MedStar spokesperson said, "MedStar Health's IT system was affected by a virus that prevents certain users from logging-in to our system. MedStar acted quickly with a decision to take down all system interfaces to prevent the virus from spreading throughout the organization. We are working with our IT and Cyber-security partners to fully assess and address the situation."

Ars contacted MedStar for comment, but a spokesperson declined to provide further information, promising an update on Tuesday afternoon. That update was never provided. But an individual familiar with the situation at MedStar's Union Memorial Hospital confirmed in confidence that some sort of ransomware was involved, declining to be identified because MedStar had not authorized to comment.

March has not been a good month for hospital IT. Last week, staff at Methodist Hospital in Henderson, Kentucky paid a ransom to restore the hospital's systems, reportedly of $17,000—though sources familiar with the episode say the hospital paid much more. And in California, two hospitals operated by Prime Healthcare Management, Inc. were forced to shut down systems. The Prime ransomware attack also caused disruptions of service at several other hospitals and at affiliate care providers as shared systems were taken offline.

The Prime ransomware infection was first discovered on March 18. An individual familiar with Prime's IT systems told Ars that it appeared that the ransomware involved was Locky, which was the same malware that hit Hollywood Presbyterian in February. The Prime disruption also kept some of the company's external service providers from being able to access systems, and it took some of Prime's voice-over-IP phone system offline.

Fred Ortega, a spokesperson for Prime, told Ars that the ransomware infections at Chino Valley Medical Center in Chino, California and Desert Valley Hospital in Victorville were "immediately addressed and contained." He confirmed that the actions taken by Prime's IT staff to contain the malware also caused disruptions at other hospitals

"Our company has not paid any ransom," Ortega told Ars in an e-mail. "Our expert, in-house IT team was able to immediately implement protocols and procedures to contain and mitigate the disruptions. The hospitals remained operational without impacting patient safety, and at no point was patient or employee data compromised. As of (Thursday, March 24) most systems have been brought online."

New vectors for infection

The Methodist Hospital and Prime Healthcare ransomware attacks came in via "phishing" e-mails. But according to Cisco Talos Research, a number of health providers have been infected recently through Web servers running JBoss.

"This is really one of the first times we've seen ransomware spread by a network vulnerability," Craig Williams of Talos Research told Ars, "which is why when we saw all these JBoss alerts popping up that it caught our attention."

The malware, called "Samsam" by Talos, uses old, very public exploits right out of JexBoss—an open source vulnerability testing tool for JBoss. Once the malware has a foothold on the server, it spreads to Windows machines on the same network. "I wouldn't be surprised if this [malware approach] was extended toward WordPress and other content management systems," Williams said. "This is really just the natural progression of ransomware."

Of the "couple of dozen targets" that Talos is tracking, Williams said, a significant number of them are healthcare organizations. This is likely not because the attackers set out to target healthcare specifically, but because of the types of applications used by hospitals and healthcare networks. Wilson believes that the ransomware developer simply scanned for vulnerable servers on the Internet, and most of the ones that were discovered were at healthcare organizations.

"A lot of people in the healthcare industry—they set up websites in a kind of fire and forget fashion," WIlson explained. "They hire an IT guy, they get the billing system set up, hook it up to the website and then they never touch it again. That's the perfect environment for this type of malware to thrive in because it's not maintained. They have no full-time security staff and few if any fulltime administrators. As a result, the software just goes unpatched."

Alex Rice, chief technology officer and co-founder of vulnerability disclosure portal provider HackerOne, told Ars that this particular problem isn't unique at all to healthcare. "The reality is that almost every company that is transitioning into becoming an IT company, and every industry that is transitioning into [using more networked information technology], are really unprepared and ill-equipped to deal with the cyber challenges facing them," Rice explained. "It's just that the stakes in healthcare are so much higher—a disruption at a hospital can be life and death." Part of the problem, Rice noted, is that healthcare organizations and medical device manufacturers don't perform penetration testing or other regular risk assessments of their systems with any regularity.

Some healthcare companies have set up private disclosure programs with HackerOne, Rice noted, to help them work with trusted security researchers to uncover problems in their software. And new FDA guidelines are pushing medical device manufacturers to patch long-neglected software. But it will require a significant change in approach from the healthcare industry as a whole to deal with the rise of ransomware and other security threats that are focused on denying access rather than stealing patient data.