
Locky Ransomware Gains Momentum As Hospital Declares Emergency

Tom Jowitt is a leading British tech freelancer and long-standing contributor to TechWeek Europe


A hospital in Kentucky has declared a state of emergency after its systems were infected by ransomware

Security researchers at Zscaler have warned that a nasty piece of ransomware known as Locky is gaining momentum.

Last month Locky hit the Hollywood hospital, which unfortunately paid bitcoins worth $17,000 (£12,010) to get the attackers to unlock its systems, and now a Kentucky hospital has declared an ‘Internal State of Emergency’ after an infection.

Zscaler warned that the Locky ransomware family is still going strong and that it has blocked 75 new, unique payloads that were targeting its customers. It said the ransomware authors have moved on from malicious Microsoft Word documents and are now delivering the malicious content as zip attachments in spam emails.


Hospital Emergency

Methodist Hospital in Kentucky has declared an “internal state of emergency” after a ransomware attack. A scrolling red banner on its website warns that a computer virus infection has limited the hospital’s use of electronic web-based services, as reported by security journalist Brian Krebs.

“Methodist Hospital is currently working in an Internal State of Emergency due to a Computer Virus that has limited our use of electronic web based services,” says the banner. “We are currently working to resolve this issue, until then we will have limited access to web based services and electronic communications.”

The attackers are reportedly demanding Bitcoins worth $1,600 in order to unlock the encrypted files, and the hospital has not ruled out paying the ransom.

“We have a pretty robust emergency response system that we developed quite a few years ago, and it struck us that as everyone’s talking about the computer problem at the hospital maybe we ought to just treat this like a tornado hit, because we essentially shut our system down and reopened on a computer-by-computer basis,” said David Park, an attorney for the Kentucky healthcare centre.

“We haven’t yet made a decision on that, we’re working through the process. I think it’s our position that we’re not going to pay it unless we absolutely have to.”

Locky Attachments

The ransomware attack comes after Trend Micro said earlier this month that there had been more ransomware-related infections in February this year than in the first six months of last year combined. It predicted that 2016 could see the largest number of ransomware attacks on record.

Zscaler said that it has seen a large uptick in Locky payloads being delivered during March. Once it has successfully infected a machine, Locky encrypts a wide range of file types on the victim machine, including pictures, videos and program files.

A ransom note then demands payment in return for a private RSA key that is needed to decrypt the user files.

“Locky is the latest addition to one of the most active & lucrative malware strains in the past 3 years called Ransomware,” said Zscaler. “This new ransomware family follows the same model of using asymmetric (public key) encryption to lock user documents and demand ransom for the decryption key.

“The delivery vector has been primarily spammed email attachments that are responsible for downloading the Locky payload,” it said. “We also noticed an interesting overlap in the recent campaigns where same URLs were being used to deliver both Dridex & Locky payloads.”
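The delivery vector Zscaler describes, a zip attachment whose contents fetch the Locky payload, is something a mail gateway can screen for before a user ever opens the file. The following is an added example, not code from Zscaler or from the original article: it inspects an in-memory zip attachment and reports any entry whose final extension Windows will execute (so a double extension such as invoice.pdf.js is caught), any nested archive, and any entry that begins with the PE “MZ” magic regardless of its extension. The block-list, the sample archive and its placeholder contents are constructed for the example and are assumptions, not data from the campaigns discussed above.

```python
import io
import zipfile

# Extensions Windows runs directly or hands to a script host when a user
# double-clicks them. This list is the example's own assumption; extend it
# for your environment.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs",
    ".vbe", ".wsf", ".wsh", ".ps1", ".hta", ".jar", ".lnk", ".docm", ".xlsm",
}
NESTED_ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}
MAX_ENTRIES = 1000  # stop walking absurdly large archives (zip-bomb guard)


def classify_entry(zf, info):
    """Return a reason string if one archive entry looks like a dropper,
    otherwise None. Only the final extension matters: that is what Windows
    uses to decide how to open the file."""
    if info.is_dir():
        return None
    base = info.filename.lower().rsplit("/", 1)[-1]
    ext = "." + base.rsplit(".", 1)[1] if "." in base else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable extension %s" % ext
    if ext in NESTED_ARCHIVE_EXTENSIONS:
        return "nested archive"
    # Read only the first two bytes: enough for the DOS/PE magic and cheap
    # even if the member would inflate to gigabytes.
    with zf.open(info) as member:
        magic = member.read(2)
    if magic == b"MZ":
        return "PE executable disguised as %s" % (ext or "no extension")
    return None


def scan_attachment(zip_bytes):
    """Scan a zip attachment held in memory and return a sorted list of
    (entry_name, reason) for every entry that should block delivery.
    A corrupt archive is itself reported: a gateway should not pass what
    it cannot inspect."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            infos = zf.infolist()
            if len(infos) > MAX_ENTRIES:
                findings.append(("<archive>", "more than %d entries" % MAX_ENTRIES))
                infos = infos[:MAX_ENTRIES]
            for info in infos:
                reason = classify_entry(zf, info)
                if reason:
                    findings.append((info.filename, reason))
    except zipfile.BadZipFile:
        findings.append(("<archive>", "not a valid zip file"))
    return sorted(findings)


def build_sample_attachment():
    """Constructed sample archive mimicking two tricks a gateway must catch:
    a script behind a double extension and a PE renamed to .txt. The
    contents are inert placeholders, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.js", "// placeholder downloader script\n")
        zf.writestr("readme.txt", "benign text\n")
        zf.writestr("scan.txt", b"MZ\x90\x00placeholder, not a real PE header")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_attachment(build_sample_attachment()):
        print("BLOCK %-20s %s" % (entry, reason))
```

Checking the magic bytes as well as the extension matters because a renamed executable passes a pure extension filter, and reading two bytes per member keeps the scan cheap even for archives built to exhaust the scanner. The same check can be applied to attachments that are themselves disguised, by running it on any attachment whose first bytes are the zip signature rather than trusting the declared MIME type.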

Growing Menace

Ransomware is a growing menace. Last week Dell SecureWorks warned that hackers who previously carried out attacks on behalf of the Chinese Government may now be behind a number of recent incidents involving ransomware.

Even Apple, which has until recently enjoyed a relatively good security reputation, has been targeted by ransomware. Palo Alto Networks found a ransomware campaign, dubbed “KeRanger”, hidden in the installer for Transmission, a BitTorrent client that lets Mac users download videos, music and software over a peer-to-peer network.

Unfortunately, it seems that many businesses pay the ransom. Bitdefender found that 44 percent of ransomware victims in the UK have paid to regain access to their data. The company believes this figure will rise in the coming years, with 39 percent of victims saying it is probable or very probable that they will be attacked again in the future.

It also found that victims are willing to pay up to £400 to recover their encrypted data.
