The ransomware attack on Hollywood Presbyterian Medical Center in Los Angeles was the first in a string of such incidents at hospitals. Within months, a strain of ransomware called Locky had crippled the computer systems at Methodist Hospital in Henderson, Ky., and King’s Daughters’ Health in Madison, Ind. Now, however, a new strain of ransomware has emerged, and it’s even more threatening than previous viruses, experts say.
Crysis is more dangerous to organizations than previous strains of ransomware like Locky and TeslaCrypt for three key reasons. First, Crysis targets all files on a computer, except for the ones that allow a user to turn on the machine. Compare that to Locky and TeslaCrypt, which targeted specific content files. John Nye, a senior penetration tester with healthcare privacy, security and compliance consulting firm CynergisTek, says these two strains would look for PDFs and Excel and document files. “Before, computers were relatively stable. You could work, you just couldn’t access your data,” Mr. Nye says. “This new one will target everything except for a very small blacklist…It’s just enough to let your computer turn on.”
Second, Crysis can take over administrative control of a computer, meaning it gains the login credentials, which hackers can use to continually manipulate a computer as long as the credentials don’t change.
What’s more, Crysis can exfiltrate data, moving it onto the hackers’ servers, where they control it. “For healthcare in particular, this changes the whole paradigm of ransomware,” Mr. Nye says, because removing data from a server is a definable data breach.
Previously, security experts debated whether a ransomware attack was considered a data breach since information wasn’t affected, just locked. Technically, no data is exposed. In a Forbes article, healthcare innovation and policy writer Dan Munro wrote that ransomware presents a “legal ambiguity” for these exact reasons.
That all changes with Crysis. “If they get [successfully] hit with Crysis, that’s a breach,” Mr. Nye says.
It’s a double whammy for healthcare organizations that are victims of the Crysis virus. Not only are their computers encrypted, leaving them potentially facing a ransom payment, but they also have to notify the government and patients and mitigate identity theft concerns, since the attack is effectively a data breach.
Crysis was first detected in February, though Mr. Nye says early versions of the virus were not well written — the ransomware had a poor algorithm and was pretty quickly dismissed. But in the following months, developers have strengthened it.
Not only is Crysis now stronger and more threatening than before, but it also is emerging at the same time the developers of TeslaCrypt released the decryption key globally, rendering that ransomware moot. Crysis, in a sense, fills the void left by TeslaCrypt. And even after Crysis, something else is bound to come along.
“That’s how the lifecycle works,” Mr. Nye says. “[Viruses] will stick around until someone comes up with something better.”
While Mr. Nye says there is “no magic bullet” when it comes to cybersecurity, education may be the most effective tool to defend against Crysis and other strains of malware.
“In healthcare, education can be more effective than it is in a lot of other verticals because there already is a huge push for a patient’s safety and patient’s privacy and really taking care of the patients,” Mr. Nye says. “We can focus our training efforts to show them those parallels between what they do every day to save lives and what they could do additionally to protect their privacy and their organization.
“If you can’t reach those records, you can’t provide care.”