March 22, 2016

A Kentucky hospital says it is operating in an “internal state of emergency” after a ransomware attack rattled around inside its networks, encrypting files on computer systems and holding the data on them hostage unless and until the hospital pays up.

A streaming red banner on warns that a computer virus infection has limited the hospital's use of electronic web-based services.

A streaming red banner on warns that a computer virus infection has limited the hospital’s use of electronic web-based services. Click to enlarge.

Henderson, Ky.-based Methodist Hospital placed a scrolling red alert on its homepage this week, stating that “Methodist Hospital is currently working in an Internal State of Emergency due to a Computer Virus that has limited our use of electronic web based services.  We are currently working to resolve this issue, until then we will have limited access to web based services and electronic communications.”

Jamie Reid, information systems director at the hospital, said malware involved is known as the “Locky” strain of ransomware, a contagion that encrypts all of the important files, documents and images on an infected host, and then deletes the originals. Victims can regain access to their files only by paying the ransom, or by restoring from a backup that is hopefully not on a network which is freely accessible to the compromised computer.

In the case of Methodist Hospital, the ransomware tried to spread from the initial infection to the entire internal network, and succeeded in compromising several other systems, Reid said. That prompted the hospital to shut down all of the hospital’s desktop computers, bringing systems back online one by one only after scanning each for signs of the infection.

“We have a pretty robust emergency response system that we developed quite a few years ago, and it struck us that as everyone’s talking about the computer problem at the hospital maybe we ought to just treat this like a tornado hit, because we essentially shut our system down and reopened on a computer-by-computer basis,” said David Park, an attorney for the Kentucky healthcare center.

The attackers are demanding a mere four bitcoins in exchange for a key to unlock the encrypted files; that’s a little more than USD $1,600 at today’s exchange rate.

Park said the administration hasn’t ruled out paying the ransom.

“We haven’t yet made decision on that, we’re working through the process,” with the FBI, he said. “I think it’s our position that we’re not going to pay it unless we absolutely have to.”

The attack on Methodist comes just weeks after it was revealed that a California hospital that was similarly besieged with ransomware paid a $17,000 ransom to get its files back.

Park said the main effect of the infection has been downtime, which forced the hospital to process everything by hand on paper. He declined to say which systems were infected, but said no patient data was impacted.

“We have downtime procedures to going to paper system anyway, so we went to that paper system, he said. “But we don’t feel like it negatively impacted patient care. They didn’t get any patient information ”

Ransomware infections are largely opportunistic attacks that mainly prey on people who browse the Web with outdated Web browsers and/or browser plugins like Java and Adobe Flash and Reader. Most ransomware attacks take advantage of exploit kits, malicious code that when stitched into a hacked site probe visiting browsers for the the presence of these vulnerabilities.

The attack on Methodist Hospital was another form of opportunistic attack that came in via spam email, in messages stating something about invoices and that recipients needed to open an attached (booby-trapped) file.

It’s a fair bet that as ransomware attacks and attackers mature, these schemes will slowly become more targeted. I also worry that these more deliberate attackers will take a bit more time to discern how much the data they’ve encrypted is really worth, and precisely how much the victim might be willing to pay to get it back.

106 thoughts on “Hospital Declares ‘Internal State of Emergency’ After Ransomware Infection

  1. Mike

    Ok, so……

    What I’m hearing in all this is…..

    I must keep my browser and PDF reader up to date so it can better run/process the offending code thereby maintaining a constant state of vulnerability that I must use/maintain/update more software (which is in itself, compromised out-of-the-box) in order to stay safe while online.

    It just seems so much easier and more productive to NOT use software that will process the code.

    1. James

      Wouldn’t it make more sense to find a way to block the malicious attachments at the email gateway?

      Vendors like Proofpoint use a predictive sandboxing technology to prevent end users from even receiving these attachments in the first place…

      FYI Proofpoint also blocked 100% of “Locky” on the very first day it appeared on the scene.

      1. Mike

        You can do that if you want. If it works for you then great.

        I think the bigger questions have to do with why EVERYTHING in existence seems to be required to get moved around through email. Email has ALWAYS been one of the most vulnerable methods for spreading infectious/malicious software and it seems as if people have forgotten that. There is no point in emailing things that are between two cubicles in the same office. It is precisely this attitude about these things that makes individuals such as yourself see Proofpoint as more desirable. If everyone would treat these thing right, all that extra software would not be needed.

        1. Matt

          I disagree on emailing between cubical X. For most end users, emailing a spreadsheet or maintaining a paper trail for auditing, requests, etc is vital. Yes you can have shared files on a server based share structure but compliance in other aspects will always exist.

          1. Mike

            What you describing is actually quite profound. Basically, the problem will not and cannot be fixed. I would really like more people to think about this. All the things that really need to be done cannot be done because of a set of rules that everyone envolved MUST follow. So everyone spends all kinds of time coming up with all kinds of convoluted ways of getting around the problem since no one can fix it. Resulting in a plethora of needless software that everyone gets convinced is needed. That results in the problem getting worse as it grows to the point that it is so uncontrollable that only Apple, Microsoft, and government can even see it anymore……much less actually fix it.

            1. Russell

              Pretty much we just need to get security baked into our culture. We’ve been protecting ourselves from social engineering for generations in the “don’t take candy from strangers” type education; and in this day and age, that needs to get extended to “don’t open attachments or click on links from strangers.” And of course avoiding modern phishing attacks is a little more complicated than that, but a good human firewall is far more effective (and a bad one far more damaging) than any kind of technology or software you could hope to throw at the problem.

              1. Thomas Caldwell

                The problem with all of these is that it always appears to be coming from someone that ISNT a stranger. most users don’t look closely enough at an email, especially the recent breaches that send info out that they think is from a CEO or boss. most of my users that get infected with this crap get it from emails they think is there bank, but after you ask them what they were thinking, most will let you know they don’t even have an account with the bank it came from. Solution? Zombie Apocalypse.

            2. PC Tech

              2 Basic RULES for users/emails:

              1. DO NOT follow the advice they give to enable macros or enable editing to see the content…
              2. The basic rule is NEVER open any attachment to an email, unless you are expecting it…


              1. Mike

                Your going to ME this?

                THE rules are: update, patch, patch, update, update, update, patch, patch, update………….

                and if none of that works, patch and update again!

                At what point do people finally wake up and actually see what’s going on here?

  2. Gideon

    Here in the UK much/most of the NHS uses IE8… political/technical mire of inaction looks likely to continue for the foreseeable future.
    Probably best to take action on a personal basis… USB memory stick is cheap and safe!

    1. Matt

      USB sticks are too easy to replace with malware infested versions. Getting access in the form of physical access via USB is a hacker’s wet dream in most cases. This is why most government installations block the USB ports or shut them down via GPO to prevent this type of breach.

      1. Jeff

        This is correct. It is actually much safer to store files on the cloud, as in most cases they can be rolled back and are much more resilient to encryption attacks because of that. It is in a way another form of backing up your stuff.

        And for the suspicious out there, no cloud storage company has had their servers hacked to where data has gotten out via their servers. Breaches have always been done the easy way – weak passwords. If you know how to create strong passwords, the likelihood of your files getting hacked is low.

    2. Phil

      Most are moving away from IE8 and remember the NHS in UK is split and is very different in the various countries. NHS England is vastly different from NHS Wales and NHS Scotland is still running an older managment model which ironically has lead to slower up take of more vulnerable services e.g. cloud. NHS England in particular is so fragmented that long term that’s the one that’s going to cause the biggest problem for the general public.

      My own area are looking at Browsium ION, but remember unlike many US based hospitals our are behind several layers of protection, IDS/IPS, firewalls, PSN/SWAN, gateway filtering etc etc. I doubt the private hospitals in the UK/US can even come close to it which is why so far the NHS has been relatively unscathed as when it is hit there are plentiful backups and contingencies in place to cope.

  3. IA Eng

    They go through Teamviewer as well. Google
    bleeping computer, Teamviewer.

    Segregate networks, no multi-user accounts, add a $ for all shares. I am sure there are many additional tweeks that can be added as layers of defense. Start by lowering permissions to an absolute minimum. Everyone does not need access to everything. Build the tree of shares with security in mind, not as the train wreck evolves.

    Then these are simply used on a base load. In the wee hours of the morning, a highly caffinated senior IT tech pushes a new load to sections of the organization at a time, and your risk is reduced even further.

    Antivirus can be a burden at this point. It usually finds the infection AFTER it has done its damage, and then, it deletes the infected files and the keys needed for recovery.

    Curiosity within the human being is the perfect avenue of attack. Its been used for many centuries, and the human race still falls for it. Just one more link in the chain that becomes weakened.

  4. Lew

    Sounds like they hit with a malware campaign and had users click on and open an attachment and maybe even enable macros. It could have been corporate email or personal webmail. I think they over reacted by turning off every pc as this would not have stopped it. I think it is more multiple users got the email and clicked on it and encrypted multiple pcs or it was shared network drives that got encrypted and they thought it was spreading like a worm virus. Feel bad for them but sounds like they have loose security practices in place.

  5. Sasparilla

    @Gideon >> USB memory stick is cheap and safe! <<

    Ummmm, depends. If you have an airgapped computer and you only use new USB sticks on it without connecting those USB sticks to other computers connected to the internet, then probably (if it wasn't compromised at the factory, cause most are made in China) it is safe. Because of the USB's high user privilege level in Windows and weak firmware design its a prime target for compromise (believe this is how stuff got onto the non networked Iranian computers if memory serves).

    But if you plug that USB around into other computers (particularly not your own, or say the photo machine at the drugstore etc.) then it should not be considered safe. USB is a great vector to bring malware onto your machine.

    One of the ways to bring malware into a company is to take infected USB drives and sprinkle them in the target company's parking lot. Almost certainly someone will bring one in and plug it into their work machine to see what's on it.

    If you really want to be safe about moving data to other machines (drugstore photo machine) burn a DVD-ROM and toss it afterwards (and disable auto-start on your DVD drive of your home computer so anything you bring in doesn't auto-launch itself). With the disappearance of DVD drives on computers we're gradually being left (because of the design flaws of USB) without secure ways of transferring files in a non networked manner.

  6. adeger

    Gideon – USB memory stick is as much a vector for (other) incoming virii and attacks and is also a method of expropriating personally identifiable or confidential information in an organization. Many organizations do (or should) disable them on workstations as policy.

    IA Eng – Yes, antivirus is increasingly being circumvented but can still catch some infections. Better to pair it with more general “anti-malware” software that uses behavioural heuristics to stop other infections. My understanding is that Malwarebytes blocks the Locky virus (just an example, I’m not associated with Malwarebytes but will probably start using it at home).

    1. Stromboli

      Any mention of Malwarebytes Anti-Malware (a.k.a. MBAM) should, ideally, indicate whether which version is indicated.

      The free version of MBAM does not prevent intrusions. Only the premium (and business) versions of MBAM provides intrusion prevention.

    2. Stromboli

      I (still) use Panda’s USB Vaccine ( to “innoculate” USB flash drives.

      NOTE: Their support for NTFS drives is in “beta.” I have stopped using Panda’s USB vaccine for NTFS drives.

      I sure wish Panda would update the product! Or that I could find a newer, supported product with better function.

  7. Larry

    Jamie Reid, information systems director at the hospital…

    Mr. Reid, no problem. Just restore the latest backup! What? No backup?? He should be fired immediately!!

  8. Anthony

    Travel agency I do some work for got hit by Locky recently. They forwarded me an email, the discussion went:

    “Hi mate, This seems really suss…
    The e-mail [address] for [sender] is also rather suss.
    Any thoughts?”

    I responded:

    “Do not open attachments!
    Do not enable macros!
    Advise if you have ASAP!”

    They replied:

    “We tried to open”

    … I then logged into their file server, found that locky was dutifully beginning to lock all their files, and then rang them back…


    … caught it before it’d gone through too much of the file server, some files lost, but not too many. Drove in, did a partition table wipe and full OS and apps reinstall of every desktop system (thankfully only I have admin access to the server)… took me 16 hours working from 3pm to 7am thanks to the joys of Windows Update needing a patch on fresh Windows 7 SP1 installs to stop it spinning its wheels at 100% CPU core load as much to get them back online.


    1. Stromboli

      Thanks for the cautionary tale. Fascinating.

  9. bizatl

    cool! Some very valid points! I appreciate you penning this write-up and also the rest of the site is extremely good

Comments are closed.