Ryuk ransomware attack on cloud hosting company affected 110 hospitals
A Ryuk ransomware attack launched by Russian hackers targeting a cloud data hosting company resulted in as many as 110 hospitals being unable to access patient medical records and medication administration data that were stored in the company’s servers.
The Ryuk ransomware attack targeted servers belonging to cloud hosting company Virtual Care Provider Inc. which is based in Mikwaukee, Visconsin on November 17 and as per the company’s own admission, up to 20% of its servers were affected.
Virtual Care Provider Inc. provides cloud data hosting services to as many as 110 nursing homes and acute-care facilities in 45 states across the United States. The hackers who took control of the company’s servers following the ransomware attack demanded $14 million (£10.88 million) in exchange for returning the control over the hijacked servers but the company couldn’t afford to pay that amount.
Russian hackers hijacked all of VCPI’s core services & affected patient care
Karen Christianson, chief executive of Virtual Care Provider Inc. told security researcher Brian Krebs that the ransomware attack “affected virtually all of their core offerings, including Internet service and email, access to patient records, client billing and phone systems, and even VCPI’s own payroll operations that serve nearly 150 company employees”.
“We have employees asking when we’re going to make payroll. But right now all we’re dealing with is getting electronic medical records back up and life-threatening situations handled first,” she said, adding that the company is working hard to restore all affected servers.
“We take seriously our responsibility to protect the security and privacy of our customers’ data and are working diligently to restore these systems as quickly and safely as possible. Our investigation remains ongoing. We regret any concern this may cause,” said Virtual Care President Zachary Koch in a statement to Milwaukee Journal Sentinel during the weekend.
Alex Holden, the head of security firm Hold Security, told Milwaukee Journal Sentinel that hackers behind the Ryuk ransomware attack on Virtual Care Provider Inc. slowly gained a foothold into the company’s internal systems over the past 14 months by sending phishing emails to employees that contained malicious attachments.
Once employees started clicking on these emails, the hackers started taking over computer systems bit-by-bit, took down antivirus software, and finally gained access to administrative accounts using which they hijacked the entire network.
Ryuk ransomware used extensively against organisations since 2018
Hackers have extensively used the Ryuk ransomware since 2018 to target a number of companies in the United States and the rest of the world. Once of the earliest instances of the ransomware’s deployment was discovered when hackers targeted the Los Angeles Times’ Olympic printing plant in downtown Los Angeles, affecting distributions of newspapers from leading U.S. media organisations such as The Los Angeles Times, The New York Times, the Wall Street Journal, Chicago Tribune, and Baltimore Sun.
“We believe the intention of the attack was to disable infrastructure, more specifically servers, as opposed to looking to steal information,” said a source to LA Times who also reported that computer experts at Tribune Publishing believed that the malware attack may have originated outside of the United States.
Sources at Tribune Publishing also told LA Times that the malware attack was possibly a “Ryuk” ransomware attack and that computer files corrupted because of the malware attack contained the extension “.ryk.”.
In March this year, Jackson County in Georgia was forced to pay $400,000 in ransom to cyber criminals after a ransomware attack paralysed computer systems and email servers at all departments of the county, forcing County officials to rely only on phones and radio communication.
Because there was no backup, Jackson County was forced to acceed to the hackers’ demands and had to pay $400,000 in ransom in exchange for decryption keys. Not accepting the hackers’ demands would have led to a huge loss of data and would have cost the county millions to build new networks and to create fresh backups.
After the ransom was paid, Jackson County recovered all the data encrypted by cyber criminals. It was believed that the ransomware used by hackers in the attack was Ryuk, the one which was also used to target the Los Angeles Times’ Olympic printing plant in December.