An Allscripts ransomware attack occurred on Thursday January 18, resulting in several of the firm’s applications being taken offline, including its cloud EHR and electronic prescriptions platform. The attack came just a few days after two Indiana hospitals experienced SamSam ransomware attacks.
The Allscripts ransomware attack is also believed to have involved a variant of SamSam ransomware – a ransomware family extensively used in attacks on healthcare providers.
Allscripts is a popular electronic health record (EHR) system and Electronic Prescriptions for Controlled Substances (EPCS) provider, with its platform used by many U.S. healthcare organizations, including 2,500 hospitals and 19,000 post-acute care organizations. More than 180,000 physicians, 100,000 electronic prescribing physicians, and 40,000 in-home clinicians use Allscripts.
The Allscripts ransomware attack commenced in the early hours of Thursday morning. Rapid action was taken to remove the ransomware and restore data, with the incident response teams at Microsoft and Cisco called in to assist. An investigation has also been launched by cybersecurity firm Mandiant to determine how the ransomware was installed.
Allscripts’ Pro EHR and EPCS services were most severely affected, although users of other applications also experienced some downtime. The Chicago-based firm is still experiencing issues with its Pro EHR system, although EPCS services were restored on Saturday. Some applications are likely to continue to be adversely affected throughout Monday, while efforts are made to restore the malware-encrypted data.
IT teams have been working round the clock to remove the infection and restore files from backups. Regular backups are performed so data loss is expected to be minimal.
This appears to have been a random ransomware attack. The sole purpose of the attack appears to have been to extort money from the company. Data theft is not suspected. Allscripts does not believe it was specifically targeted by cybercriminals.
Indiana Hospitals Attacked With SamSam Ransomware Variant
Adams Memorial Hospital in Decatur, IN, has also been attacked with ransomware – the second Indiana hospital to be attacked in the past few days. The ransomware attack occurred on January 11, 2017, and initially caused a slowing of the network before files became inaccessible. File extensions were allegedly renamed as ‘imsorry’.
The ransomware attack caused some disruption to services, with medical histories and appointment schedules rendered inaccessible. However, patients continued to be treated and there was no need to cancel appointments. The Adams Health Network said at no point was patient care or safety affected.
Some parts of the system have been brought back online, although the IT department is still working on restoring the affected servers. It is unclear whether the Adams Health Network paid the ransom demand to regain access to data or if files were recovered from backups.
The attack happened on the same day as the ransomware attack on Greenfield, IN-based Hancock Health. Hancock Health made the decision to pay the 4 Bitcoin ransom. Approximately $50,000 was paid for the keys to unlock the encryption, even though backups existed. The cost of recovering files from backups was seen to be far higher than paying the ransom, due to downtime that would be experienced while that process took place.
Both of the Indiana attacks are believed to have involved a new variant of SamSam ransomware, although this is understood to be a different variant to the one used in the Allscripts ransomware attack.