Payouts From Insurance Policies May Fuel Ransomware Attacks

AP reports: The call came on a Saturday in July delivering grim news: Many of the computer systems serving the government of LaPorte County, Indiana, had been taken hostage with ransomware. The hackers demanded $250,000. No way, thought County Commission President Vidya Kora. But less than a week later, officials in the county southeast of Chicago agreed to pay a $132,000 ransom, partially covered by $100,000 from their insurance provider. Read more on The Yeshiva World.

WY: Gillette hospital targeted in ransomware attack

Seth Klamann reports: Campbell County Health in Gillette was targeted in a ransomware attack Friday, according to an alert the state Department of Health sent to health care providers. The attack occurred early Friday morning, at approximately 3 a.m. The hospital “experienced serious computer issues” due to the attack. This caused a “service disruption” at the facility. Read more on Casper Star-Tribune.

Updates on the situation are provided on the county’s web site. At the time of this posting, there is a notice at the top of the home page saying: Patients presenting to the Emergency department and Walk-in Clinic will be triaged and transferred to an appropriate care facility if needed. No other services are seeing patients at this time.

Their most recent update, at 10:30 this morning, states:

UPDATE 9/21, 10:30 am The Emergency Department is open and staffed with our expert team of physicians and nursing to assess and evaluate patient care needs. CCH Emergency Medical Services (EMS) has additional ambulances on duty to serve the community. Please call 911 in the event of an emergency. Current Campbell County Memorial Hospital, Behavioral Health, Home Health and Hospice, and The Legacy Living and Rehabilitation Center patients are being safely cared for. We are working with regional facilities to transfer patients who need a higher level of care. The Walk-in Clinic is open Saturday and Sunday from 8 am-6 pm with the last patient taken at 5:30 pm. Our patients are our highest priorities. We understand this is inconvenient and disruptive. As was described today during a conference call with the Wyoming Office of Homeland Security, ransomware is a very sophisticated criminal attack that restricts access to the affected computer system. At this point in time, there is no evidence that any patient data has been accessed or misused. The investigation is ongoing, and we will provide updates when more information becomes available. We are working diligently to restore complete access to our services. There is no ETA or prediction as to when full services will be restored.

Ransomware attack against Ava School District fails, prompts strengthening of network

KY3 in Missouri reports: Ransom notes mysteriously shot out of printers in the Ava School District, demanding money to get information back. The district shut down its network as a precaution. Ava’s Superintendent doesn’t think a ransomware attack that hit early Thursday morning got any important data. Read more on KY3. It’s interesting to read how much security they did have in place already, as they seem to be a cut above what might be the more typical situation where data aren’t encrypted and a district may not have off-site backups, etc.

The New Target That Enables Ransomware Hackers to Paralyze Dozens of Towns and Businesses at Once

Renee Dudley of ProPublica reports: On July 3, employees at Arbor Dental in Longview, Washington, noticed glitches in their computers and couldn’t view X-rays. Arbor was one of dozens of dental clinics in Oregon and Washington stymied by a ransomware attack that disrupted their business and blocked access to patients’ records. But the hackers didn’t target the clinics directly. Instead, they infiltrated them by exploiting vulnerable cybersecurity at Portland-based PM Consultants Inc., which handled the dentists’ software updates, firewalls and data backups. Arbor’s frantic calls to PM went to voicemail, said Whitney Joy, the clinic’s office coordinator. “The second it happened, they ghosted everybody,” she said. “They didn’t give us a heads up.” A week later, PM sent an email to clients. “Due to the size and scale of the attack, we are not optimistic about the chances for a full or timely recovery,” it wrote. “At this time we must recommend you seek outside technical assistance with the recovery of your data.” On July 22, PM notified clients in an email that it was shutting down, “in part due to this devastating event.” The contact phone number listed on PM’s website is disconnected, and the couple that managed the firm did not respond to messages left on their cellphones. The attack on the dental clinics illustrates a new and worrisome frontier in ransomware — the targeting of managed service providers, or MSPs, to which local governments, medical clinics, and other small- and medium-sized businesses outsource their IT needs. While many MSPs offer reliable support and data storage, others have proven inexperienced or understaffed, unable to defend their own computer systems or help clients salvage files. As a result, cybercriminals profit by infiltrating dozens of businesses or public agencies with a single attack, while the beleaguered MSPs and their incapacitated clients squabble over who should pay the ransom or recovery costs. 
Cost savings are the chief appeal of MSPs. It’s often cheaper and more convenient for towns and small businesses with limited technical needs to rely on an MSP rather than hire full-time IT employees. But those benefits are sometimes illusory. This year, attacks on MSPs have paralyzed thousands of small businesses and public agencies. Huntress Labs, a Maryland-based cybersecurity and software firm, has worked with about three dozen MSPs struck by ransomware this year, its executives said. In one incident, 4,200 computers were infected by ransomware through a single MSP. Last month, hackers infiltrated MSPs in Texas and Wisconsin. An attack on TSM Consulting Services Inc. of Rockwall, Texas, crippled 22 cities and towns, while one on PerCSoft of West Allis, Wisconsin, deprived 400 dental practices around the country of access to electronic files, the Wisconsin Dental Association said in a letter to members. PerCSoft, which hackers penetrated through its cloud remote management software, said in a letter to victims that it had obtained a key to decrypt the ransomware, indicating that it likely paid a ransom. PerCSoft did not return a message seeking comment. TSM referred questions about the Texas attack to the state’s Department of Information Resources, which referred questions to the FBI, which confirmed that the ransomware struck the towns through TSM. One of the 22 Texas municipalities has been hit by ransomware twice in the past year while using TSM’s services. FBI spokeswoman Melinda Urbina acknowledged that MSPs are profitable targets for hackers. “Those are the targets they’re going after because they know that those individuals would be more apt to pay because they want to get those services back online for the public,” she said. Beyond the individual victims, the MSPs’ shortcomings have a larger consequence. They foster the spread of ransomware, one of the world’s most common cybercrimes. 
By failing to provide clients with reliable backups or to maintain their own cybersecurity, and in some cases paying ransoms when alternatives are available, they may in effect reward criminals and give them an incentive to strike again. This year, ProPublica has reported on other industries in the ransomware economy, such as data recovery and insurance, which also have enriched ransomware hackers. To get inside MSPs, attackers have capitalized on security lapses such as weak passwords and failure to use two-factor authentication. In Wisconsin and elsewhere, they also have exploited vulnerabilities in “remote monitoring and management” software that the firms use to install computer updates and handle clients’ other IT needs. Even when patches for such vulnerabilities are available, MSPs sometimes haven’t installed them. The remote management tools are like “golden keys to immediately distribute ransomware,” said Huntress CEO Kyle Hanslovan. “Just like how you’d want to push a patch at lightning speed, it turns out you can push out ransomware at lightning speed as well.” Otherwise, the hacker may spread the ransomware manually, infecting computers one at a time using software that normally allows MSP technicians to remotely view and click around on a client’s screen to resolve an IT problem, Hanslovan said. One Huntress client had the “record session” feature of this software automatically enabled. By watching those recordings following the attack, Huntress was able to view exactly how the hacker installed and tracked ransomware on the machines. In some cases, Hanslovan said, MSPs have failed to save and store backup files properly for clients who paid specifically for that service so that systems would be restored in the event of an attack. Instead, the MSPs may have relied on low-cost and insufficient backup solutions, he said. Last month, he said, Huntress worked with an MSP whose clients’ computers and backup files were encrypted in a ransomware attack. 
The only way to restore the files was to pay the ransom, Hanslovan said. Even when backups are available, MSPs sometimes prefer to pay the ransom. Hackers have leverage in negotiations because the MSP — usually a small business itself — can’t handle the volume of work for dozens of affected clients who simultaneously demand attention, said Chris Bisnett, chief architect at Huntress. “It increases the likelihood that someone will pay rather than just try […]

Wallenpaupack Area School District computers paralyzed in second ransomware attack

Peter Becker reports: The second major cyber attack this calendar year against the computer systems of Wallenpaupack Area School District led to a shutdown of all 3,000 or so computers district-wide. Referred to as a “ransomware” attack in which the perpetrator sends in a virus to lock down the systems and demands money to have them restored, is a problem nationwide, Superintendent Michael Silsby told the school board, September 9. That was Day Four since the systems came down, the previous Thursday. They were still working to slowly restore the compromised servers the day after the school board meeting. Read more on The News Eagle.