Locky Ransomware Attacks on Hospitals Increase

According to a new report from security firm FireEye, Locky ransomware attacks on hospitals have surged this month. Criminal gangs that have previously used the Dridex banking Trojan for attacks appear to have switched to Locky and the healthcare sector is being targeted. Hospitals now face an increased risk of experiencing Locky crypto-ransomware attacks.

FireEye discovered a number of “massive” email campaigns were launched this month. Each of those campaigns has been unique. The attackers have used different text for the phishing emails, one-off code for each campaign, different malicious URLs, and unique encoding functions and keys for each campaign.

The Rise of Locky

Locky ransomware was first discovered in early 2016 and has been used in a number of attacks on healthcare organizations. Most notably, the attack on Hollywood Presbyterian Medical Center in February. That attack resulted in a ransom of $17,000 being paid in order to obtain keys to decrypt locked data.

Early Locky campaigns have used JavaScript downloaders to install the crypto-ransomware, with the malicious files delivered via email in a compressed zip format. However, the latest wave of attacks involve a different delivery mechanism. The actors behind the latest wave of attacks have switched to malicious Word macros to deliver Locky – .DOCM Word Open XML Macro-Enabled Document files. Numerous attacks on healthcare organizations have been reported.

According to FireEye, “These detection spikes and change in tactics suggest that the cybercriminals are investing more to infect systems and maximize their profits.”

FireEye is not the only security firm to have reported on the rise in Locky ransomware attacks on hospitals. A number of firms have reported a surge in Locky campaigns in recent months. Proofpoint reported last month that 69% of malicious email attachments were used to install Locky. According to Proofpoint, Locky ransomware attacks increased by 45% between Q1 and Q2 this year. Anti-phishing firm PhishMe reported in June that 93% of all phishing emails are now used to install crypto-ransomware.

The switch to crypto-ransomware from other forms of malware – such as banking Trojans – appears to be simply down to potential profit. Locky is more lucrative than other forms of malware and cybercriminals are able to pull in cash much faster with ransomware.

Preventing Locky Ransomware Attacks

Locky not only encrypt files on the PC that is infected, it is capable of encrypting network drives and portable storage devices. An infection on a single PC can easily spread through the entire network. Locky is also capable of deleting Windows shadow copies, which makes it harder for victims to recover files without paying the attackers to supply a decryption key. Even if viable backup copies of PHI and other sensitive files exist and data can be recovered, ransomware infections can cause widespread disruption and can prove costly to resolve.

Given the increase in Locky ransomware attacks on hospitals, healthcare organizations should be on high alert. End users should be warned of the risk from ransomware and should be informed not to open email attachments from unknown senders. End users should also be warned not to enable macros on files sent via email.  Other tactics that can be employed to reduce the risk from Locky ransomware include:

  • Ensuring macros are disabled on all end points
  • Using Microsoft Office viewers to enable the contents of documents to be viewed without running macros
  • Removing WSF files from all incoming emails
  • Configuring Windows to show file extensions
  • Configuring anti-virus solutions to scan inside compressed files
  • Ensuring backups are performed regularly
  • Disconnecting backup drives after each backup has been performed

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.