New Ransomware Could Mean New Headaches For MSPs

For the second time in just over a month, a U.S. hospital publicly disclosed this week that its computer network was victimized by a ransomware attack in which files were encrypted and held hostage amid demands the hospital pay the perpetrators for a decryption key.

Methodist Hospital of Henderson, Ky., posted a banner on its website indicating that it was operating under an “internal state of emergency,” after attackers used the “Locky” strain of ransomware to encrypt critical files.

In such attacks, owners of the victim network must either pay the ransom or restore as much of the data as possible using backup and disaster recovery procedures.  

Last month, a California hospital disclosed it paid a ransom of 40 bitcoins – about $17,000 – to regain access to its files following a ransomware attack.

But in a development with important implications for managed services providers and other IT security professionals, researchers at Santa Clara-based Cyphort Labs this week announced the discovery of a new family of ransomware that uses the dark web-friendly Tor network to incapacitate computers, instead of encrypting individual files.

“This new discovery is an advancement of ransom locker malware, as it is using Tor to communicate to its (command and control) servers,” Paul Kimayong wrote in a blog post this week on Cyphort.com. “By using Tor, the attacker adds a layer of anonymity while doing its malicious activity.”

The Tor network relies on an assortment of volunteer-operated servers that provides users enhanced privacy and security, making it ideal for nefarious cyber activity.

Cyphort researchers found the latest ransomware on March 9, upon learning of a porn site that redirected users to an exploit kit where the novel locker was installed via an innovative Trojan downloader-type of malware.

The ransom locker copies itself in start menu folders and executes itself at every startup, the researchers found. From there, it locks the system and prevents a device from booting up, even in safe mode.  

The attack also installs a hidden Tor service that allows the machine to be hijacked for future use in processing bitcoin payments or other malicious activity.

Files containing the infection – key components of which were traced to Russia or Ukraine – proved difficult to find on the victim system and Cyphort researchers uncovered evidence the attackers were actively testing to determine the malware’s vulnerability to detection.

“We also believe that the malware is in its early stages of development and the actors are testing the waters,” Kimayong wrote.

Discovery of the new malware comes at a time of proliferating cyber attacks involving file-encrypting ransom lockers like Cryptolocker, Cryptowall and Locky.

But current ransom lockers can often be mitigated with “rescue discs” that allow for painstaking restoration of system files using backup tools.

In the recent attack on Methodist Hospital, officials halted the spread of the Locky ransomware throughout the network by shutting down the entire system, and bringing computers up one-by-one after scanning each device.

As of today, Methodist’s website no longer displayed the alert indicating an internal emergency.

Hospital officials said they were working with the FBI and at last report decided against bowing to the attacker’s demand to pay four bitcoins – about $1,600 – to unlock the files.

“I think it’s our position that we’re not going to pay it unless we absolutely have to,” attorney David Park told the blog “Krebs on Security.”

Though the attack forced the hospital to resort to an emergency paper system during the network downtime, Park told the blog, the outage did not adversely affect delivery of care.

“They didn’t get any patient information,” he said.

Send tips and news to [email protected].