Healthcare Organizations Targeted with New Ransomware Campaign

Two hospitals have been attacked and had their files encrypted by Philadelphia ransomware. The latest campaign appears to be targeting hospitals in the United States.

Philadelphia ransomware is a variant of Stampado ransomware that was first identified last fall. It is not particularly sophisticated and a free decryptor exists (available from Emsisoft); however, a successful attack is still likely to prove costly to resolve and can cause considerable disruption. If ePHI is encrypted, the attack may also require HIPAA breach notifications to be sent to patients: under OCR's 2016 ransomware guidance, encryption of ePHI by ransomware is presumed to be a breach unless the covered entity can demonstrate, through its risk assessment, a low probability that the PHI has been compromised.

The ransomware has been made available to other criminals under an affiliate model, and amateur attacks are being conducted with it. Brian Krebs recently found an online video promoting the ransomware that highlights its features and its potential for customization; the video claims that Philadelphia is the most advanced and customizable ransomware variant available.

Any would-be attacker can obtain the ransomware by paying a one-off fee of $400 to the authors. Once the fee is paid, the kit can be customized and used for the buyer's own campaigns.

At least one individual is conducting attacks on healthcare organizations, according to Forcepoint, whose researchers detected a campaign that uses a malicious DOCX file to deliver the ransomware. In this case the Word document was not attached to a spam email; instead, a spear phishing email carried a malicious link, and clicking the link downloads the DOCX file.

If the user opens the file, they are presented with three icons. Clicking any of them launches JavaScript embedded in the document, which downloads Philadelphia ransomware onto the device. The ransom currently demanded is 0.3 Bitcoin per infected device, approximately $364 at the time of writing.

The attacker has used several techniques to increase the chances of the icons being clicked. The spear phishing emails are sent to specific individuals within the targeted healthcare organization, and the Word document carries the organization's logo together with the name of a physician at the hospital. The icons are made to look like links to patient information contained in the file.

Forcepoint analyzed the JavaScript and found the string "hospitalspam" in it; a directory on the command-and-control (C2) server carried the same name, suggesting the attacker is deliberately targeting U.S. hospitals. Two hospitals in the U.S. have already fallen victim to the campaign: Forcepoint reports that one hospital in Oregon and another in Southwestern Washington have been infected. The campaign appears to have started in the third week of March.
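The lure described above, a Word document whose clickable icons are embedded objects that launch a script, is a pattern a mail gateway or SOC analyst can triage without detonating the file. The Python script below is an added example written for this page; it is not code from Forcepoint, Emsisoft or HIPAA Journal, and it does not reproduce the attacker's JavaScript. It treats the .docx as the ZIP container it is, counts embedded OLE objects that Word renders as a clickable icon for a generic file package, and scans the embedded package bytes for script or executable filenames. The `build_sample_docx` fixture, the filename `Patient_Records.js` and the payload text are constructed for the demonstration; the `hospitalspam` marker in the fixture is only a stand-in for the string Forcepoint reported.

```python
"""Triage a .docx for clickable embedded objects that would launch a script.

A .docx is a ZIP container. An object Word shows as a clickable icon is an OLE
package stored under word/embeddings/ and declared in word/document.xml as
<o:OLEObject ProgID="Package" DrawAspect="Icon" .../>. Double-clicking an
embedded .js hands it to the Windows Script Host, which is how a lure of this
kind fetches its payload.
"""
import io
import re
import zipfile
from typing import Dict

# Extensions that execute when the user double-clicks the embedded icon.
SCRIPT_EXTENSIONS = ("js", "jse", "vbs", "vbe", "wsf", "wsh", "hta",
                     "ps1", "exe", "scr", "cmd", "bat", "lnk")

# The Ole10Native stream of an embedded package records the original filename
# as an ANSI string, so a byte scan for "<name>.<ext>" is enough for triage.
# A full OLE compound-file parser is deliberately out of scope here.
_SCRIPT_NAME_RE = re.compile(
    rb"[A-Za-z0-9_\-. ]{1,120}\.(?:"
    + b"|".join(e.encode() for e in SCRIPT_EXTENSIONS)
    + rb")\b",
    re.IGNORECASE,
)

# Generic file package rendered as an icon; lookaheads because attribute order varies.
_ICON_PACKAGE_RE = re.compile(
    rb'<o:OLEObject\b(?=[^>]*\bProgID="Package")(?=[^>]*\bDrawAspect="Icon")[^>]*>'
)


def triage_docx(docx_bytes: bytes) -> Dict[str, object]:
    """Return a triage report for one .docx held in memory."""
    report = {"icon_packages": 0, "embedded_parts": [], "script_names": [],
              "verdict": "clean"}
    found = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = zf.namelist()
        if "word/document.xml" in names:
            body = zf.read("word/document.xml")
            report["icon_packages"] = len(_ICON_PACKAGE_RE.findall(body))
        for name in names:
            if name.startswith("word/embeddings/"):
                report["embedded_parts"].append(name)
                for match in _SCRIPT_NAME_RE.findall(zf.read(name)):
                    found.add(match.decode("ascii", "replace").strip())
    report["script_names"] = sorted(found)
    if report["script_names"]:
        report["verdict"] = "suspicious"   # script/executable hidden behind an icon
    elif report["icon_packages"]:
        report["verdict"] = "review"       # generic file package shown as an icon
    return report


def build_sample_docx(prog_id: str, embedded_name: bytes, payload: bytes) -> bytes:
    """Construct a minimal .docx with one embedded object rendered as an icon.

    Constructed fixture for this example, not a real capture. The .bin body only
    reproduces the property the scan relies on: the embedded file's name stored
    as an ANSI string, as Ole10Native does.
    """
    content_types = (
        b'<?xml version="1.0" encoding="UTF-8"?>'
        b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        b'<Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>'
        b'<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        b'</Types>'
    )
    document_xml = (
        b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
        b' xmlns:o="urn:schemas-microsoft-com:office:office"'
        b' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        b'<w:body><w:p><w:r><w:object><o:OLEObject Type="Embed" ProgID="'
        + prog_id.encode("ascii")
        + b'" ShapeID="_x0000_i1025" DrawAspect="Icon" ObjectID="_1" r:id="rId1"/>'
        b'</w:object></w:r></w:p></w:body></w:document>'
    )
    rels = (
        b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"'
        b' Target="embeddings/oleObject1.bin"/></Relationships>'
    )
    ole_bin = (b"\x00" * 8 + embedded_name + b"\x00"
               + b"C:\\Users\\user\\Desktop\\" + embedded_name + b"\x00" + payload)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/embeddings/oleObject1.bin", ole_bin)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-ins: a lure-style document and a benign embedded spreadsheet.
    lure = build_sample_docx("Package", b"Patient_Records.js",
                             b"var marker = 'hospitalspam';")
    benign = build_sample_docx("Excel.Sheet.12", b"budget_2017.xlsx", b"PK")
    for label, doc in (("lure", lure), ("benign", benign)):
        print(label, triage_docx(doc))
```

The verdict deliberately distinguishes a confirmed script name behind an icon ("suspicious") from a generic file package whose contents could not be identified ("review"), because a legitimately embedded PDF or spreadsheet would otherwise generate constant false positives. Any document that hits "suspicious" on an inbound mail path is a candidate for quarantine; the filename scan is a heuristic and should be paired with a real OLE parser (for example the oletools project's oleobj) in production.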

The discovery shows malicious actors are actively targeting the healthcare sector and further attacks are likely.

Recovery from a Philadelphia ransomware attack is relatively straightforward because encrypted files can be recovered with the free decryptor; however, the growing popularity of ransomware-as-a-service could see healthcare organizations targeted more heavily over the coming months, and other ransomware variants may not prove so easy to recover from.

Hospitals and other healthcare organizations should ensure they have implemented defenses against ransomware attacks, developed an incident response plan specifically for ransomware attacks, and have effective backup policies in place, including backups that are kept offline or otherwise isolated so they cannot be encrypted along with production systems, and that are regularly tested by restoring from them.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.