business hand selecting business icon on old Canada flag background.

Canadian Hospital Serves Ransomware Via Hacked Website

Ransomware attacks have made a lot of headlines in the past year with several high-profile cases, including that of the Hospital in Los Angeles which had its data encrypted and ended up paying the ransom to get it back. Recently, the Ottawa hospital in Canada was also hit but able to contain a ransomware attack.

We discovered the website of another Canadian hospital had been compromised to actually spread ransomware to its visitors: staff, patients and families being the most likely to have visited the site. Norfolk General Hospital, based in Ontario, became a teaching facility for McMaster University’s Faculty of Health Sciences in 2009.

The web portal is powered by the Joomla CMS, running version 2.5.6 (latest version is 3.4.8) according to a manifest file present on their server. Several vulnerabilities exist for this outdated installation, which could explain why the site has been hacked.

Our honeypots visited the hospital page and got infected with ransomware via the Angler exploit kit. A closer look at the packet capture revealed that malicious code leading to the exploit kit was injected directly into the site’s source code itself.

Like many site hacks, this injection is conditional and will appear only once for a particular IP address. For instance, the site administrator who often visits the page will only see a clean version of it, while first timers will get served the exploit and malware.

Flow

The particular strain of ransomware dropped here is TeslaCrypt which demands $500 to recover your personal files it has encrypted. That payment doubles after a week.

Insecure web platforms still prevalent

We still see a large number of websites that are running outdated server-side software, namely WordPress and Joomla websites. Along with malvertising, hacked websites are the largest vehicle for new malware infections.

Common reasons for not updating a website include lack of resources, fear of breaking existing applications or simply forgetting to keep up with security patches.The truth of the matter is that any outdated or poorly secured website is simply a sitting duck waiting to be taken over via automated scanners before getting leveraged for spam, phishing or malicious redirections, just to name a few.

We contacted the Norfolk hospital and eventually were able to speak with their IT staff. We shared the information we had (screenshots, network packet capture) and told them about the ransomware payload we collected when we reproduced the attack in our lab. We were told that they were working on upgrading their version of Joomla with their hosting provider.

Ransomware in Canada

This particular attack prompted us to look at the state of ransomware in Canada. Since January of this year, Malwarebytes Anti-Malware has detected over ten thousand instances of ransomware affecting Canadians while many more were already proactively proactively blocked by our Anti-Exploit or Anti-Ransomware Beta products.

Here’s a break down for the top 10 Canadian cities most affected by ransomware according to our telemetry:

  1. Toronto
  2. Ottawa
  3. Montreal
  4. Markham
  5. Calgary
  6. Vancouver
  7. London
  8. Edmonton
  9. Winnipeg
  10. Saint Catharines

It is better to be safe than sorry when it comes to ransomware. Back up your files at least once a week and if possible keep those backups on an external media. Prevent infections by using proper security hygiene and multiple layers of defense.

Unfortunately, just as there are insecure websites, there are even more personal computers that are vulnerable and end up being infected. Because backups are seldom performed, a lot of users will find themselves in difficult situations where they desperately need their data back and feel forced to pay the ransom.

Sadly, those combined factors explain why ransomware is so prevalent and why new families and copycats are emerging all the time. Online criminals are fully tapping into this new haven that is extortionware.

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher