Ontario hospital website may have infected visitors with ransomware, security firm says

Thewebsiteof an Ontario hospital may have infected the computers of patients and staff withransomwareplanted on the site during a hack attack, theinternetsecurity companyMalwarebyteswarns.

Norfolk General Hospital, located in Simcoe, Ont.,confirms itswebsitewas hacked bycybercriminals, but denies that visitors were ever at risk.

The attack appears to be part ofa trend ofcybercriminalstargeting hospitals, including one onthe Ottawa Hospitalin March and another in February that hit the Hollywood Presbyterian Medical Center in Los Angeles,which paid a $17,000 ransom to have its systems restored.Three more U.S. hospitalswere reportedly hit recently.

• Ransomware: What you need to know
• Hollywood hospital hit with ransomware only the latest in trend of monetizing cyberattacks

JrmeSegura, a senior security researcher with Malwarebytes, reported in a blog post this weekthat in late February, Norfolk General Hospital'swebsite was observed pushing ransomware called Teslacrypt to computers that visited the website.

Teslacrypt locks your files and makes them inaccessible using encryption, then demands a ransom of $500 US to restore access.

Drive-by download

The file was served in a "drive-by download" attack, Segura said, meaning you don't have to click on anything on the page.

"You just go to the site that's compromised, and within a few seconds, malware is downloaded onto your computer and that's it," he told CBC News.

In this case, visitors to the site would have included patients, their familiesand staffwho accessed a staff portal with schedules and an internal directory via the website.

Visiting Windows computers would have been vulnerable if they were running Internet Explorer or older versions of the Adobe Flash or Microsoft Silverlight players.

Segura saidhospitals arein many waysthe "perfect victim" for cyberattacks. "Their systems are out of date, they have a lot of confidential information and patient files. If those get locked up, they can't just ignore it."

Segura said Malwarebytes detected an attack from the Norfolk General Hospital website via a user of Malwarebytes anti-exploit software. The free software detects and blocks web-based attacks, then sends a report back to Malwarebytes.

The attack caught Segura's eye because he's based in Canada and the attack came from a site with a .ca domain name.

Outdated software

He set up a virtual machine, used it to visit the hospital's website himself, and recorded the attack, confirming that it originated from malware on the website itself.

It appeared that the site was running a very outdated version of the web content management software Joomla. The old software contains a lot of security vulnerabilities that cybercriminals had apparently exploited in order to hide malware in the website's source code.

Segura contacted the hospital with his findings multiple times, but didn't hear back for two weeks.

During that time, he said, "a lot more people may have visited the site."

He also thinks the site may have been serving malware for some time before Malwarebytes detected it.Simcoe, Ont., has a population of just 14,777, so the chance of a Malwarebytes software user visiting the site is relatively small.

Dennis Saunders, the IT lead and systems administrator for the Norfolk General Hospital, said he didn't get back to Segura initially because Segura's first email sounded like a sales pitch, and his web hosting company, Kwic Internet, thought the second email was a phishing attempt by cybercriminals.

Saunders said the hospital first got a report of ransomware on a hospital computer on Feb. 22, four days before Segura's first attempt to contact the hospital.

Security breach

Saunders asked Kwic Internetto have a look. It confirmed that there had been a "security breach" and replaced some files that appeared to have been compromised, he said.

Saunders requested more details after hearing from Segura, and was told the hospital website had been redirecting visitors to other sites that hostmalware, but there wasnothing on the hospital's website itself.

If they don't update it quickly, it will happen again. JrmeSegura, Malwarebytes

Jim Carroll, business developer for Kwik Internet, told CBC News that his company does nothing but host the site.

"It's usually the website developer that would deal with issues of security," he said.

Saunders said the hospital's web software has now been updated by a web developer not affiliated with the hospital or Kwic Internet.

In the end, three hospital computers were infected with ransomware, but thehospital doesn'tbelieve its own website wasthe source. The infected computers were restored from backups and no ransom was paid.

Saunders added that staff and the public were not notified about the situation because "it was addressed quickly, so there wasn't a concern for staff."

Segura confirmed that as of this week, the hospital site appears to be clean of malware, but both his own research and independent sites such as Sucuri sitecheck confirmed that the website was still using an old and vulnerable version of Joomla. In fact, he said,the Joomla version that the site is running is even older than the previous version, suggesting that the problem had been fixed by rolling the site back to an earlier version.

"If they don't update it quickly, it will happen again," he said, adding that leaving the website in an outdated state is "just very irresponsible."

• Ransomware victims pay cybercriminals to save family photos
• New ransomware targets Apple Mac computers for 1st time

How to protect yourself

Segura recommends that organizations protect themselves from similar attacks by:

• Keeping their website software uptodate to minimize security holes that could be exploited.
• Minimizing the number of people with administrative privileges, as it's particularly damaging if their account info is stolen.
• Using strong passwords.

Meanwhile, users can protect themselves by:

• Using an up-to-date browser. Note that most versions of Internet Explorer are no longer even supported by Microsoft.
• Uninstalling software you're not using (such as Flash and Silverlight), as it may be used in an attack.
• Installing security software such as anti-exploit software that detects and blocks suspicious behaviour from websites.