In the early morning hours on Tuesday, the hospital system's information technology staff detected an attempt to install malware on part of a computer network and immediately took the affected computer systems offline, according to a hospital spokesperson. A statement from the hospital Tuesday said no personal information was compromised. Hospital officials did not respond to multiple requests for an update on the situation this week.
SUNY Canton cybersecurity professor Minhua Wang believes the quick action by the hospital to contain the virus may have ultimately saved the hospitals from losing control over the system entirely.
"I don't think they got to the final stage, which is the calling card," said Mr. Wang, who is in contact with colleagues at the hospital. "My guess is they detected it early, before everything had been encrypted. If they got a calling card, they should tell everybody the attack was completed, but it's obviously not completed yet."
Now, Mr. Wang assumes, the hospital staff will have to disconnect each computer from the Internet and scan it for signatures of the malware before restoring all of the systems, a process that could take weeks.
The attack was delivered through a ransomware, a type of virus that requires the victim to pay money in exchange for restoring the computer to normal, called Ryuk. While sometimes such viruses can be delivered through phishing, usually a scam email that prompts an administrator to reveal their password, Mr. Wang believes there's evidence the attack on St. Lawrence Health System is part of a larger effort.
"If you have many hospitals simultaneously getting hacked, most likely it's not taking place through phishing, it's probably through some kind of coordinated attack which is based on the knowledge distributed on the black web," Mr. Wang said.
That knowledge is usually in the form of IP — Internet Protocol — addresses already compiled by other means and posted via forums in less trafficked corners of the Internet home to a wide array of clandestine activities.
Mr. Wang's theory has been backed up by federal authorities including the FBI and Cybersecurity and Infrastructure Security Agency, which warned hospitals about similar attacks and released some guidance on how to prevent any intrusions Wednesday. At the same time, other hospitals have publicly reported intrusions. According to the Associated Press, the Sky Lakes Medical Center, a hospital in Oregon, was hacked at nearly the same time as the St. Lawrence Health System. On Friday, NBC News reported University of Vermont Health Network and another health system in Michigan and Wisconsin were also hacked.
Mr. Wang believes the FBI released its advisory guidance sooner than it would've preferred largely to get the attention of other hospitals that could be future victims.
"My understanding is that FBI's advisory content was written actually early this year, that I know of. They are not quite ready yet, until this Tuesday, when the medical centers and hospitals got attacked, so the FBI rushed to release the document," Mr. Wang said, adding he expects more details to be released moving forward.
Ryuk has been on the radar of cybersecurity experts for several years. Though tracing the origins of malware and its users is very difficult, there's a general consensus that Ryuk is linked to cybercriminals based in Russia. Private cybersecurity firm CrowdStrike, which is based out of California, wrote last year that it had medium-high confidence the malware was Russian-linked. The FBI and other federal agencies did not provide any indication that the attacks were related to next week's election.
©2020 Watertown Daily Times, Distributed by Tribune Content Agency, LLC.
