Local business finds signs of ransomware
June 22, 2016
A Glenwood Springs medical office is sending out a cautionary note after a recent discovery of possible ransomware on its computer system.
Allergy, Asthma & Immunology of the Rockies, P.C. (AAIR), a full-service allergy clinic, found evidence of ransomware on its computer systems on May 16.
Ransomware is malicious code designed to encrypt files on a computer, making them nearly impossible to access unless the affected user pays a recovery fee, according to Jeff Wichman, managing principal consultant of Optiv, a cyber security solutions provider.
For AAIR, it was the first time its computer systems had been breached.
Kari Hershey, an attorney for AAIR, said the disturbance was first noticed when they had trouble accessing a few of the documents.
Because the system holds protected health information, such as test results and Social Security numbers, AAIR immediately shut the server down and contacted a forensic IT company to troubleshoot the problem.
“They weren’t able to track exactly what the hackers did, but what they did find was a draft of the ransom letter on the system,” Hershey said. “The way it was explained to me is that it essentially looked like the hackers were still testing out the ransomware.”
Because the ransomware was still in its early stages, there is no evidence that any of the information on the system has been copied or used in any way, although the intruders did pass through a password-protected firewall. Hershey said they would expect to know by this point in the investigation if sensitive information had been harvested.
“Having said that, there was a breach of the system. Just out of an abundance of caution, we do want people to sign up for an identity theft protection program. That way if they do have a problem they can get help.”
AAIR partnered with ID Experts to offer yearlong complimentary identity protection for patients. The program includes credit monitoring, insurance, medical ID theft protection and access to a service team.
There is no way to know whether this attack was targeted or random, because that depends on how the malicious code was delivered, but Wichman said that ransomware typically does not discriminate.
“It can and will target any system that is vulnerable to the attack. Most cases have been found on Microsoft Windows systems likely because this is what a majority of the population is using,” Wichman said. “Typically, these attacks occur via email delivery where the end user is tricked into opening a malicious file, or through a drive-by download which the user typically has no control of.”
Since the discovery of the ransomware and the system going offline, AAIR has followed the advice of the IT specialists by completely replacing its hard drives instead of attempting to clean them. They also had the entire system rebuilt and restored from a backup taken before the attack, reconfigured the firewall, and changed passwords.
The Glenwood Springs Police Department and the Office of Civil Rights in the U.S. Department of Health and Human Services have both been involved in the investigation. Lt. Bill Kimminau said the case is currently closed and inactive because the IP address of the attacker was traced back to Russia, far beyond the department’s jurisdiction.
The remainder of the investigation will likely be handed over to the FBI, and the forensic IT company is still doing a full assessment of the system to see if any additional measures need to be put in place.
In its press release, AAIR advised patients to contact their insurance companies immediately if they notice claims for services they did not receive. AAIR also recommended that patients closely monitor their financial accounts.
Wichman recommends that individuals always keep a backup of their critical files on a separate system and maintain up-to-date software and antivirus. However, even this will not entirely remove the threat of ransomware infections.
“If your system gets compromised, you should plan on restoring systems from the original installation media or restoring files from an online backup,” Wichman said. “Paying the attackers only fuels them to continue updating their attacks. They invested into ransomware because they are making money from the attacks.”
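The advice above (keep critical files backed up on a separate system, and plan to restore from that backup rather than pay) only works if the backup is known-good and the restore is actually tested. The following script is an added example, not code from the article, AAIR, or Optiv: it records a SHA-256 manifest of the files in a backup, then uses that manifest to (a) spot which live files have been altered, renamed, or joined by unknown files, the kind of symptom AAIR first noticed as "trouble accessing a few of the documents", and (b) confirm that a fresh restore from the backup reproduces every file exactly. All file names and contents are constructed for the demonstration; nothing is encrypted, the tampering step simply overwrites and renames files in a temporary directory.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large documents do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against_manifest(root, manifest):
    """Compare a directory tree to a stored manifest.

    Returns sorted lists: files that match, files whose bytes changed, files that
    disappeared, and files not present when the manifest was taken.
    """
    current = build_manifest(root)
    return {
        "ok": sorted(k for k in manifest if k in current and current[k] == manifest[k]),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def restore_from_backup(backup_root, target_root):
    """Copy the backup tree into an empty target, the 'restore from backup' step."""
    shutil.copytree(backup_root, target_root, dirs_exist_ok=True)


def demo():
    """Constructed scenario: snapshot a backup, tamper with the live copy, verify, restore."""
    # Constructed sample documents (placeholder content, not real records).
    files = {
        "results/test_a.txt": b"IgE panel: negative\n",
        "results/test_b.txt": b"Spirometry: normal\n",
        "billing/invoice_001.txt": b"Invoice 001: paid\n",
    }
    with tempfile.TemporaryDirectory() as live, \
            tempfile.TemporaryDirectory() as backup, \
            tempfile.TemporaryDirectory() as restored:
        for rel, data in files.items():
            for base in (live, backup):
                p = Path(base) / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)

        # The manifest is stored as JSON alongside (but separate from) the backup;
        # round-trip it here to show it survives serialisation.
        manifest = json.loads(json.dumps(build_manifest(backup), indent=2))

        # Simulate what a defender sees after an incident on the live share:
        # one document's bytes replaced, one renamed, one unknown text file dropped.
        (Path(live) / "results/test_a.txt").write_bytes(os.urandom(64))
        os.rename(Path(live) / "results/test_b.txt",
                  Path(live) / "results/test_b.txt.locked")
        (Path(live) / "READ_ME.txt").write_bytes(b"placeholder note (constructed)\n")

        live_report = verify_against_manifest(live, manifest)

        # The separate backup was never touched, so it still matches.
        backup_report = verify_against_manifest(backup, manifest)

        # Rebuild from the backup and prove the restore is byte-for-byte complete.
        restore_from_backup(backup, restored)
        restore_report = verify_against_manifest(restored, manifest)

        return live_report, backup_report, restore_report


if __name__ == "__main__":
    for name, report in zip(("live", "backup", "restored"), demo()):
        print(name, json.dumps(report, indent=2))
```

In practice the manifest would be generated when the backup is taken and kept with the offline copy, and the restore check would be run on a schedule against a scratch location, so that a backup which silently includes already-damaged files is caught before it is the only copy left.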