Ransomware forced hospitals to cancel 2,800 operations and shut down systems

Ransomware is a serious enough threat for most organisations, but just imagine if you’re in the business of keeping people healthy and saving lives.

At the end of October, three British hospitals suffered a “major incident”, as a malware attack infected the Northern Lincolnshire and Goole NHS Foundation Trust (NLAG), forcing the almost complete shutdown of IT systems and the cancellation of routine patient operations for several days.

As ZDNet reports, NLAG has now confirmed that the malware that infected their computer systems was a variant of the Globe ransomware, which uses the Blowfish cryptographic algorithm to encrypt victims’ files.

As if that weren’t bad enough, the Globe2 ransomware also deletes your PC’s Shadow Volume Copies. Shadow Volume Copies are backups made of your files by default every day that allow you to roll back in time to recover earlier versions should they be required.

Obviously, that’s a pretty useful safety net to have at your disposal should you be hit by data-encrypting ransomware. But, of course, online criminals are well aware that users are less likely to pay off the ransom if they are able to recover their data in this way.
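Because deleting shadow copies removes that safety net, defenders often alert on it in process-creation logs. The sketch below is an added example, not part of the original article: the log format, host names and user names are constructed, and the matched commands are generic Windows tool invocations assumed for illustration, not confirmed behaviour of Globe.

```python
import re

# Rules match command lines that delete or shrink away Volume Shadow Copies.
# They are generic Windows tool invocations chosen for this example, not
# indicators taken from the article or from analysis of Globe.
RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]

# key=value or key="quoted value" fields of the constructed log format.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn one log line into a dict of its key=value fields."""
    return {k: (q if q else v) for k, q, v in FIELD.findall(line)}

def detect(lines):
    """Return one alert per event whose command line matches a rule."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        # Collapse repeated whitespace so spacing tricks do not evade a rule.
        cmdline = " ".join(event.get("cmdline", "").split())
        for name, pattern in RULES:
            if pattern.search(cmdline):
                alerts.append({"rule": name, "host": event.get("host"),
                               "user": event.get("user"), "cmdline": cmdline})
                break
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    r'time=2000-01-01T09:00:01Z host=HOST-A user=alice cmdline="vssadmin list shadows"',
    r'time=2000-01-01T09:05:12Z host=HOST-B user=bob cmdline="VSSADMIN.EXE  Delete  Shadows /All /Quiet"',
    r'time=2000-01-01T09:05:13Z host=HOST-B user=bob cmdline="wmic shadowcopy delete"',
    r'time=2000-01-01T09:07:40Z host=HOST-C user=carol cmdline="notepad.exe C:\notes\delete shadows.txt"',
]
```

Listing shadow copies and opening a file whose name happens to contain "delete shadows" do not alert; only the two deletion commands on HOST-B do.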

Mystery currently surrounds precisely how the hospital trust was hit by ransomware. Speaking to Computing, NLAG NHS Trust’s Pam Clipson debunked theories touted in the media that the malware had entered the organisation via an infected USB stick:

“We can confirm that recent publicly reported information alleging that access was gained through a USB stick or due to remote working have no grounding in fact. We can assure our patients and other stakeholders that we acted swiftly to enhance our existing cyber security but in order to maintain security and support the police investigation, we are unable to share specific information at this time on the exact steps we have taken.”

No doubt the investigation is exploring whether the malware might have entered the organisation via a malicious email or perhaps via a drive-by-download as a user visited a boobytrapped website. I would be surprised if it was eventually determined that the hospital trust was specifically targeted by online extortionists, but stranger things have happened.

Whatever the source of the infection, Clipson emphasised that the Trust’s security team responded quickly to the ransomware attack, cleaning and checking servers:

“The majority of our systems were up and running again within 48 hours. A total of just over 2,800 patient appointments were cancelled as a result of the disruption.”

NLAG says it has worked closely with law enforcement, and the police’s regional cyber crime unit are investigating the incident.

The good news is that it appears that most of the trust’s IT systems were brought back to working operation relatively quickly, and although 2,800 patient operations were cancelled, there is no indication that any long-term harm has been done.

I’m also pleased to see that NLAG does not appear to have considered the option of giving in to the blackmailer and paying them a ransom for the safe recovery of data.

That’s certainly not been the story when other hospitals have been hit by ransomware in the past. For instance, earlier this year the Hollywood Presbyterian Medical Centre paid some $17,000 worth of Bitcoins to recover its encrypted data after an attack.

Whenever a ransom demand is shown to work for the bad guys – meaning whenever victims pay up – all that happens is that criminals are incentivised to launch more ransomware attacks. And that is bad news for all of us.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

3 Comments

  • Sorry, but I find the attitude of NLAG to be very complacent. Apart from the financial costs incurred both by the trust and by patients, there is also the emotional impact of having an operation cancelled. I have just seen the impact on my 91-year-old mother.

    It should act as a wake-up call to other trusts and parts of the Critical National Infrastructure.

  • Again, another story of hackers getting what they want and not showing any remorse at all. They will let nothing get in their way of getting what they want and that is the scariest thing. I know security is getting ever better and there are fewer hacks, but when these hackers get it right and they find a crack in security, they go for it and target the weak spot and will not stop until they get what they want. It is crippling thousands of businesses all over; people need to start putting their security higher up on their list of things to do!

  • With all the new information circulating out here about Ransomware, my question is this: why did this hospital have such a difficult time getting back up and running after they got hit? This issue with Ransomware is old news and is now anticipated like any other disruption a business will experience. This hospital should have been prepared for this situation with multiple isolated backup systems that can easily be restored. Clearly they were not prepared and they should have been.

    The reality is… it’s only a matter of time before any of us will be hit with some sort of IT disruption such as Ransomware. Each business needs to put systems in place for a fast recovery as well as train staff to be on the lookout for suspicious emails and online situations. Most of these incidents occur when employees are on their personal emails while at work, a practice that should be disallowed by any employer. I say shame on the hospital for being so unprepared.