Ontario hospital website may have infected visitors with ransomware, security firm says

The website of an Ontario hospital may have infected the computers of patients and staff with ransomware planted on the site during a hack attack, an internet security company warns.

Norfolk General Hospital one of many hospitals recently hit by cybercriminals

Emily Chung · CBC News · Posted: Mar 24, 2016 9:00 AM EDT | Last Updated: March 24, 2016

Norfolk General Hospital is located in Simcoe, Ont., about 60 kilometres southwest of Hamilton and 70 kilometres south of Waterloo. (Norfolk General Hospital)

The website of an Ontario hospital may have infected the computers of patients and staff with ransomware planted on the site during a hack attack, the internet security company Malwarebytes warns.

Norfolk General Hospital, located in Simcoe, Ont., confirms its website was hacked by cybercriminals, but denies that visitors were ever at risk.

The attack appears to be part of a trend of cybercriminals targeting hospitals, including one on the Ottawa Hospital in March and another in February that hit the Hollywood Presbyterian Medical Center in Los Angeles, which paid a $17,000 ransom to have its systems restored. Three more U.S. hospitals were reportedly hit recently.

Jérôme Segura, a senior security researcher with Malwarebytes, reported in a blog post this week that in late February, Norfolk General Hospital's website was observed pushing ransomware called Teslacrypt to computers that visited the website.

Teslacrypt locks your files and makes them inaccessible using encryption, then demands a ransom of $500 US to restore access.

Drive-by download

The file was served in a "drive-by download" attack, Segura said, meaning you don't have to click on anything on the page.

"You just go to the site that's compromised, and within a few seconds, malware is downloaded onto your computer and that's it," he told CBC News.

In this case, visitors to the site would have included patients, their families and staff who accessed a staff portal with schedules and an internal directory via the website.

Security researcher Jerome Segura says hospitals are, in many ways, the 'perfect victim' for cyberattacks: 'Their systems are out of date, they have a lot of confidential information and patient files. If those get locked up, they can't just ignore it.' (Getty Images)

Visiting Windows computers would have been vulnerable if they were running Internet Explorer or older versions of the Adobe Flash or Microsoft Silverlight players.

Segura said hospitals are in many ways the "perfect victim" for cyberattacks. "Their systems are out of date, they have a lot of confidential information and patient files. If those get locked up, they can't just ignore it."

Segura said Malwarebytes detected an attack from the Norfolk General Hospital website via a user of Malwarebytes anti-exploit software. The free software detects and blocks web-based attacks, then sends a report back to Malwarebytes.

The attack caught Segura's eye because he's based in Canada and the attack came from a site with a .ca domain name.

Outdated software

He set up a virtual machine, used it to visit the hospital's website himself, and recorded the attack, confirming that it originated from malware on the website itself.

It appeared that the site was running a very outdated version of the web content management software Joomla. The old software contains a lot of security vulnerabilities that cybercriminals had apparently exploited in order to hide malware in the website's source code.

Security researcher Jerome Segura set up a virtual machine, used it to visit Norfolk General Hospital's website, and recorded the attack, confirming that it originated from malware on the website itself. (Malwarebytes)

Segura contacted the hospital with his findings multiple times, but didn't hear back for two weeks.

During that time, he said, "a lot more people may have visited the site."

He also thinks the site may have been serving malware for some time before Malwarebytes detected it. Simcoe, Ont., has a population of just 14,777, so the chance of a Malwarebytes software user visiting the site is relatively small.

Dennis Saunders, the IT lead and systems administrator for the Norfolk General Hospital, said he didn't get back to Segura initially because Segura's first email sounded like a sales pitch, and his web hosting company, Kwic Internet, thought the second email was a phishing attempt by cybercriminals.

Saunders said the hospital first got a report of ransomware on a hospital computer on Feb. 22, four days before Segura's first attempt to contact the hospital.

Security breach

Saunders asked Kwic Internet to have a look. It confirmed that there had been a "security breach" and replaced some files that appeared to have been compromised, he said.

Saunders requested more details after hearing from Segura, and was told the hospital website had been redirecting visitors to other sites that host malware, but there was nothing on the hospital's website itself.

If they don't update it quickly, it will happen again.– Jérôme Segura, Malwarebytes

Jim Carroll, business developer for Kwik Internet, told CBC News that his company does nothing but host the site.

"It's usually the website developer that would deal with issues of security," he said.

Saunders said the hospital's web software has now been updated by a web developer not affiliated with the hospital or Kwic Internet.

In the end, three hospital computers were infected with ransomware, but the hospital doesn't believe its own website was the source. The infected computers were restored from backups and no ransom was paid.

Saunders added that staff and the public were not notified about the situation because "it was addressed quickly, so there wasn't a concern for staff."

Segura confirmed that as of this week, the hospital site appears to be clean of malware, but both his own research and independent sites such as Sucuri sitecheck confirmed that the website was still using an old and vulnerable version of Joomla. In fact, he said, the Joomla version that the site is running is even older than the previous version, suggesting that the problem had been fixed by rolling the site back to an earlier version.

"If they don't update it quickly, it will happen again," he said, adding that leaving the website in an outdated state is "just very irresponsible."

How to protect yourself

Segura recommends that organizations protect themselves from similar attacks by:

Keeping their website software up to date to minimize security holes that could be exploited.
Minimizing the number of people with administrative privileges, as it's particularly damaging if their account info is stolen.
Using strong passwords.

Meanwhile, users can protect themselves by:

Using an up-to-date browser. Note that most versions of Internet Explorer are no longer even supported by Microsoft.
Uninstalling software you're not using (such as Flash and Silverlight), as it may be used in an attack.
Installing security software such as anti-exploit software that detects and blocks suspicious behaviour from websites.

CBC's Journalistic Standards and Practices|About CBC News

Corrections and clarifications|Submit a news tip|