Cyber attackers have breached an Australian medical centre’s patient database, encrypted it, and are demanding $4,000 AUD to release thousands of patient records – a sum the medical centre is trying hard not to pay.
The records were collected over seven years and stored on a server at the Miami Family Medical Centre in Queensland.
Law enforcement say that the attack originated in Russia or somewhere in Eastern Europe, but origins of such attacks are notoriously difficult to pinpoint.
The attack was a shock, according to the medical centre’s co-owner David Wood, given what they figured was a pretty good security system, as he told ABC News:
"They managed to get past firewalls. They managed to get past server passwords as well."
"We've got all the antivirus stuff in place. There's no sign of a virus. They literally got in, hijacked the server and then ran their encryption software."
Wood said that a staff member on duty Saturday morning came in to find the server screen locked up, displaying a message saying, basically, that the centre had been hacked.
Instead of paying the ransom, the medical centre is using a contractor to try to decrypt or rebuild the files.
But the IT expert they hired – Jason Fillmore, of Essential I.T. Services – told ABC News the prospects were grim, given the “very sophisticated”, “military-grade” encryption used by the intruders.
Queensland Police said in a statement that they’ve seen 11 similar cases of extortion in Queensland alone over the past year.
Nigel Phair, director of the Centre for Internet Safety and a former investigator with the Australian High-Tech Crime Centre, said that this latest attack is only the most recent in a string of hacking against Australian businesses.
He told ABC News that they’re seeing five to 10 such attacks per week, mostly streaming out of Eastern Europe and looking for “rich targets” or “places with identifying information to extort”.
Such criminals are also devilishly difficult to apprehend, so it’s unlikely that the attackers will be found or charged.
That shouldn’t dissuade people from reporting cybercrime, of course.
As Sophos’s Paul Ducklin said in ABC’s video coverage, even a small chance of catching the crooks is better than none at all:
"The chances are small that these people will be apprehended, but it is not zero. So it is worth reporting cybercrime, because if you don't say anything, then the one thing you can be sure of is that nothing's going to happen."
Ransomware is growing in prevalence, as evidenced by the string of recent attacks Naked Security has covered.
Small medical businesses are anything but immune.
Earlier in December, US backup firm NovaStor reported a similar attack on an unnamed US medical practice around Halloween that encrypted critical data, including x-rays.
As TechWorld points out, the healthcare provider’s saving grace in that incident was offline backup.
Backing up to the cloud or to other separate, offline sources has its own security concerns, but at least the copies are off the primary, targeted server and can help businesses quickly restore their records.
That, in fact, is exactly the advice David Wood offered to help others escape his medical centre’s fate.
He told ABC News that other businesses should “check your IT security and don’t leave backups connected to servers”.
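The advice above, keeping backups off the targeted server and checking them before relying on them, can be made concrete with an integrity manifest: hash every file at backup time, keep the manifest somewhere the production server cannot write to, and recompute the hashes before restoring. A backup that sat on a connected share and was rewritten by the intruders' encryption software then shows up as a list of modified files rather than as a surprise during recovery. The script below is an added example, not code from the article or from the medical centre's contractor; the file names and contents are constructed, and the "off-host" manifest copy is simulated in memory.

```python
"""Offline-backup integrity check (added example, not from the article).

Assumption: the manifest produced at backup time is stored where the
production server has no write access (read-only media, a separate
backup host, or a printed copy). Verification compares the backup
directory against that trusted manifest.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large database dumps fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Map relative path -> sha256 for every file under backup_dir."""
    manifest = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, backup_dir)] = hash_file(full)
    return manifest


def verify_backup(backup_dir, trusted_manifest):
    """Compare the backup on disk against the trusted manifest.

    Returns a dict with three sorted lists:
      modified   - files whose content no longer matches (encrypted/overwritten)
      missing    - files the manifest lists but the backup no longer has
      unexpected - files present now that were not in the original backup
    An all-empty result means the backup is safe to restore from.
    """
    current = build_manifest(backup_dir)
    return {
        "modified": sorted(p for p in trusted_manifest
                           if p in current and current[p] != trusted_manifest[p]),
        "missing": sorted(p for p in trusted_manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in trusted_manifest),
    }


def demo():
    """Constructed scenario: take a backup, keep the manifest off-host,
    then simulate the backup share being overwritten by an encryptor.
    Returns (result_before_tampering, result_after_tampering)."""
    with tempfile.TemporaryDirectory() as backup_dir:
        # Constructed sample records standing in for patient data and imaging.
        for name, body in [("patients.db", b"rec1\nrec2\n"),
                           ("xray_001.dcm", b"\x00DICM")]:
            with open(os.path.join(backup_dir, name), "wb") as f:
                f.write(body)
        manifest = build_manifest(backup_dir)
        # Round-trip through JSON to stand in for the copy stored off-host.
        trusted = json.loads(json.dumps(manifest))
        clean = verify_backup(backup_dir, trusted)

        # Simulate the attack on a connected backup: one file rewritten with
        # ciphertext and a ransom note dropped alongside it (constructed names).
        with open(os.path.join(backup_dir, "patients.db"), "wb") as f:
            f.write(b"<ciphertext>")
        with open(os.path.join(backup_dir, "ransom_note.txt"), "wb") as f:
            f.write(b"constructed note")
        tampered = verify_backup(backup_dir, trusted)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Run it as a script to see the two verification results. In practice the manifest is written by the backup job and copied to the separate location immediately, and the verification step is run on the backup host, never on the server being recovered, so that a compromised server cannot rewrite both the data and the manifest.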
Why don't medical firms offer to send records backups to the patients, to keep on their home computers?
Wouldn't such a distributed backup system be more secure than a single centralized backup system?
That’s not really a solution either, since you are then turning one target, i.e. the medical center's servers, into many targets, i.e. the computer of every patient that attends the medical center. The security of home computers is usually less than adequate too.
Thanks.
Why don't they just restore the data from the most recent backup?
Any decent IT department should be doing backups on a regular, continual basis.
Hi David,
That’s true. However I suspect the backup may have been tampered with too since from the above article it says “don't leave backups connected to servers”
I hope that this is not what they did.
You are correct they could restore from a backup, if they have one and if it was created recently, i.e. so that they don’t lose too much data from the time the backup was created until the present time.
Thanks.
Did Miami Family Medical Centre have any kind of disaster recovery plan? Or at least backups? If they did, the data could potentially be recovered with their systems disconnected from any Internet access while they addressed the security issue. If not, hopefully they will learn from the sad results of that mistake.
Uh… restore your full off-site backups? Am I missing something? Obviously you still have a data breach, but total loss of data?
We had a client attacked in the same manner earlier this summer. We found out that a hacker gained access to the server from a client PC that was on the server's domain that got infected with a virus (I am not sure of the virus name at this time). The virus detects that this PC directly connects to a server and looks for clues to the login information to the server. It then reports the clues to the hacker, who then personally uses that information to try and gain access to the server via remote desktop connection.
The hacker himself made some post on Bleeping Computer about his tactics and goes as far as to taunt those who try to decrypt the files.
The thread is connected to this link…
http://www.bleepingcomputer.com/forums/topic44939…
How can the criminals get paid without creating a trail?
There are services out there which allow you to wire money to folks, without knowing where they are in the world.
More info on restoration and backup. Appears there was a data backup but not a full server one. http://www.crn.com.au/News/326017,how-a-qld-resel…
One up for that out-of-fashion tape backup, methinks.