Norfolk, Ont. hospital hit by ransomware

March 23, 2016

RansomwareSIMCOE, Ont. – The website of the Norfolk General Hospital, in Simcoe, Ont., was recently breached and was potentially distributing ransomware to visitors, according to Malwarebytes, a major provider of internet security software.

“We believe the public website was breached and was serving ransomware,” said Jerome Segura, a Victoria, B.C.-based senior researcher with Malwarebytes.

Alerted to the intrusion by its own monitoring systems, California-based Malwarebytes then analyzed the Norfolk site and found it was using an outdated version of a content management software system called Joomla – which could leave it vulnerable to hackers.

“A lot of organizations do this,” said Segura. “They build a website, then forget about updates and upgrades.”

In an explanation posted by Malwarebytes in a blog, the company wrote:

“Our honeypots visited the hospital page and got infected with ransomware via the Angler exploit kit. A closer look at the packet capture revealed that malicious code leading to the exploit kit was injected directly into the site’s source code itself.

“The particular strain of ransomware dropped here is TeslaCrypt which demands $500 to recover your personal files it has encrypted. That payment doubles after a week.”

For its part, hospital spokesman Gerry Hamill told the Financial Post newspaper that, “The IT team at Norfolk General Hospital, along with our internet provider and web designer, reacted quickly to any website issue that had occurred.” He added that, “NGH is confident that our site is safe for visitors. No patient information was ever at risk.”

Spurred by the Norfolk incident, Malwarebytes began conducting analytics of ransomware attacks in Canada and found the cities most affected are:

  1. Toronto
  2. Ottawa
  3. Montreal
  4. Markham
  5. Calgary
  6. Vancouver
  7. London
  8. Edmonton
  9. Winnipeg
  10. Saint Catharines

According to Malwarebytes, a large number of websites are running outdated server-side software, especially WordPress and Joomla. Along with malvertising, in which online ads are seeded with dangerous code, hacked websites are the largest vehicle for new malware infections.

As Malwarebytes says in its blog, “Common reasons for not updating a website include lack of resources, fear of breaking existing applications or simply forgetting to keep up with security patches.

“The truth of the matter is that any outdated or poorly secured website is simply a sitting duck waiting to be taken over via automated scanners before getting leveraged for spam, phishing or malicious redirections, just to name a few.”

The company provided some useful advice:

  • Back up your files at least once a week and if possible keep those backups on an external media.
  • Prevent infections by using proper security hygiene and multiple layers of defense.

“You have to be proactive,” said Segura. “You can’t wait until you are hit by ransomware, because then it’s game over.”