A number of government agencies are assisting in the investigation into a suspected ransomware attack at Kingston Health Sciences Centre, according to the Ministry of Health.
“The Ministry of Health is aware of a potential REvil Ransomware incident at Kingston Health Science Centre. Kingston Health Science Centre is continuing to investigate their systems for signs of REvil ransomware and have brought in a third party to assist with the investigation. No compromised systems have been identified at this time and the investigation remains ongoing,” said Miriam Mohamadi, a spokesperson for the Ministry of Health.
“The Ministry of Health, Ministry of Government and Consumer Services Cyber Security Centre of Excellence, and Ontario Health are monitoring and taking the necessary steps to ensure assets and information are protected.”
The Ontario Provincial Police (OPP) have also been made aware of this issue and are actively investigating, Mohamadi said.
When approached with a number of questions regarding the matter, KHSC did not share many details.
“We have provided the information about the incident at KHSC,” a spokesperson for KHSC said on a phone call in the late afternoon of Friday, Nov. 6, 2020. “We have appropriate protocols in place to safeguard data and ensure ongoing resiliency of our systems.”
For further insight on what REvil Ransomware is and how it works, Kingstonist spoke with David Skillicorn, a Professor at Queen’s University’s School of Computing and Adjunct Professor in the Mathematics and Computer Science department of the Royal Military College. Skillicorn noted that KHSC’s website is up and running again, which poses the question: Did they restore their system while investigating the matter, or do they know what happened?
“Maybe they were just really good at their backups and they got everything back up and running fairly quickly, which is good to see if it’s true,” Skillicorn said.
“Part of the puzzle is: how do they know that they were actually hit unless something was actually taken out.”
Skillicorn described the REvil Ransomware, which is possibly behind the issue, as “particularly nasty,” explaining that it is one of the newer forms of ransomware that not only encrypts an organization’s files, but also tries to find any private information within the system before exfiltrating it and then threatening to make that information public if the organization doesn’t pay the ransom.
“So it’s kind of a double hammer,” he said. “All ransomware asks you to pay some money, but this one uses two different hammers to hit you with: One is ‘If you don’t pay, you don’t get your files back,’ and the other is ‘If you don’t pay, we’ll make public all the embarrassing files that we managed to find.’”
If the cyber attack on KHSC only hit the public-facing part of their system, then seemingly there would not be any of those embarrassing types of files to worry about, Skillicorn said. He went on to explain that ransomware attacks are escalating.
“Ransomware is one of the few ways that a dumb criminal can make money. So it’s deservedly popular. This is sort of the second wave of ransomware. The first wave quickly discovered that people didn’t want to pay the ransom and mostly didn’t,” he said with a chuckle.
“But this way, with the double hammer effect, they’re trying to get more people to pay the ransom. With straight ransomware, if you have decent backups, then it’s really not a problem, just restore your systems and life goes on. Whereas if they exfiltrate some of your embarrassing moments, then, even if you were prepared for the ransomware, you’re still in a bit of trouble. So they hope it works against more organizations.”
It was this second wave type of ransomware involved in the RMC cyber attack this past summer, Skillicorn said. In that case, the cyber criminals started releasing bits of information regarding travel claims, cheques and “pieces like that to give them extra oomph to their demand for ransom,” he said.
This specific type of ransomware was basically developed by criminals to rent to other criminals – a sort of ransomware-for-hire setup.
“So any criminal group that wants to can kind of front up and pay these guys for access to their tools, and then go away and use the tools against whichever organizations they actually want to,” Skillicorn explained. “So there are two levels of criminals involved here.”
He noted that REvil Ransomware is not the same ransomware that Homeland Security in the US was warning about in mid-October.
When asked if organizations should be focusing on strengthening their security against these kinds of attacks, Skillicorn explained the difficulty with that concept.
“The trouble is, the people that are doing phishing are getting really, really good at it, and so it’s not a case of your dumbest employees are the ones who click on this attachment or whatever. It can be made good enough to fool even really sophisticated, knowledgeable people,” he said.
“That means it’s really hard to defend against somebody doing this. So, as usual, there’s an arms race going on between the good guys and the bad guys. But at this point, we have to say the bad guys have an advantage.”
He explained that the criminals invest the time to research the organizations they are targeting. Where earlier ransomware campaigns sent emails to as many addresses associated with the targeted organization as possible, the criminals behind these new ransomware schemes take time to ensure their phishing emails mirror those coming from internal or trusted sources, he said.
“Often they will do enough research to figure out what the name of some C-suite person is and then they’ll send an email to the system staff that is made to look (like it’s) from somebody in that team. And that gives you your way in,” Skillicorn said, noting that hospitals are a particularly favoured target due to the amount of private data they would have in their systems. This is precisely the type of cyber attack that hit the United Kingdom’s National Health Service (NHS) last year, he explained.
“That’s why hospitals make such juicy targets, right? First of all, they can’t stand the interruption of a day or two, and secondly, the data that they have is very, very private and the threat of revealing it gets a lot of attention very quickly.”
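The executive-impersonation phishing Skillicorn describes can be screened for on the receiving side by comparing a message's display name against a roster of senior staff and checking where the address actually points. The following is an added Python example, not code from the article, KHSC or the ministry; the executive roster, the internal domain and the sample messages are all constructed for illustration.

```python
"""Flag inbound mail whose display name borrows an internal executive's name.

Added example, not from the article or KHSC. The roster, the internal domain
and the sample headers below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-hospital.test"   # assumed internal mail domain
EXECUTIVES = {"jane doe", "raj patel"}      # constructed "C-suite" roster


def _norm(name: str) -> str:
    """Lower-case and collapse whitespace so 'Doe, Jane' style names compare."""
    return " ".join(name.lower().replace(",", " ").split())


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(raw_message: str) -> list[str]:
    """Return the reasons a message looks like executive impersonation.

    An empty list means no finding. Two checks are applied:
    1. the From display name matches an executive, but the sending
       address is not on the internal domain;
    2. a Reply-To header points at a different domain than From, which
       steers any reply away from the apparent sender.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    reasons = []
    if _norm(from_name) in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        reasons.append(f"display name '{from_name}' matches an executive "
                       f"but the sender domain is '{from_domain}'")
    reply_domain = _domain(reply_addr)
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain '{reply_domain}' differs "
                       f"from From domain '{from_domain}'")
    return reasons


# Constructed sample messages: one genuine internal mail, one lookalike.
LEGIT = "From: Jane Doe <jane.doe@example-hospital.test>\nSubject: Budget\n\nHi\n"
SPOOFED = ("From: Jane Doe <jane.doe.ceo@mail-example.test>\n"
           "Reply-To: accounts@other-example.test\n"
           "Subject: Urgent: reset the admin password\n\nPlease action today.\n")

if __name__ == "__main__":
    for label, message in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, classify(message) or "no findings")
```

A check like this belongs alongside, not instead of, SPF/DKIM/DMARC enforcement; it catches the display-name trick that passes those checks because the lookalike domain is legitimately the attacker's own.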
Still, given that the KHSC website is back up and running as it was just two days ago, prior to the cyber attack, Skillicorn voiced some optimism regarding the local situation.
“It looks like they dodged a bullet, from what I can see from the outside,” he said.