Darkside of a Ransomware Attack: Its Aftermath
It has been over five months since a ransomware attack hit eHealth Saskatchewan. Officials at eHealth Saskatchewan say they still don’t know what data was stolen, where it was taken, or who stole it, and that it will take months to restructure their IT infrastructure.
The Ransomware Attack
In January this year, eHealth Saskatchewan announced that it fell victim to a ransomware attack. eHealth Saskatchewan maintains the key electronic health information systems of the Canadian Province of Saskatchewan, including the Electronic Health Record (EHR).
In a ransomware attack, computer files are encrypted, denying legitimate users access to them. A ransom note is shown on the affected computers, demanding that victims pay a ransom in exchange for decryption keys that may or may not unlock the encrypted files. In the case of the eHealth Saskatchewan ransomware attack, this ransom note was observed by employees in the early morning of January 6 of this year.
In February of this year, eHealth CEO Jim Hornell revealed that the ransomware attacker first entered the eHealth system on December 20, 2019, and that employees only discovered the breach when they were faced with the ransom notification on the affected computer screens. The ransom note demanded payment from eHealth in the virtual currency Bitcoin.
The Aftermath
In its February announcement, eHealth said that as part of normal and ongoing forensic analysis of the ransomware attack, it was discovered that files from some of eHealth’s servers had been sent to a number of suspicious IP addresses. eHealth said it is difficult to determine what data was stolen because the as-yet-unknown attacker encrypted and password-protected the stolen files that were sent to those IP addresses. eHealth also emphasized that no ransom has been paid and that all files have been restored from backups.
Since the ransom notice first appeared, eHealth said it still doesn’t know what data was stolen and where it was sent. “As we outlined publicly in early February, eHealth discovered some files were sent to IP addresses outside of eHealth’s environment,” Ian Hanna, director of communications for eHealth Saskatchewan, told IT World in an email. “Those files were encrypted and password protected by the attacker. This makes it difficult to determine the exact content of those files.”
Hanna also told IT World that there’s no trace of the stolen files being sold on the dark web. The director of communications for eHealth Saskatchewan added, “Longer-term work on re-organizing and restructuring eHealth’s IT architecture will continue for several more months.”
Ransomware and Stealing of Data
The ransomware attack on eHealth Saskatchewan shows that ransomware attackers don’t merely encrypt files and demand ransom payment from victims in exchange for the decryption keys. To date, more than a dozen ransomware groups openly admit that, in addition to encrypting data, they also steal it.
This open admission of stealing data comes in two ways. The first one is by naming and shaming ransomware victims who refuse to pay ransom and further threatening these victims that continued refusal to pay ransom will result in the publication of data stolen prior to encryption.
The second form of admission that, indeed, data is stolen prior to encryption in a ransomware attack is the auctioning of stolen data from ransomware victims who refuse to pay ransom. The group behind the ransomware called “REvil” recently created an eBay-like site that auctions stolen data from ransomware victims who refuse to pay ransom.
The auction site offers 3 databases and 22,000 files from a Canadian agricultural production company to the successful bidder. The minimum deposit in bidding for the Canadian agricultural production company’s databases and files is set at USD$5,000 in virtual currency Monero, and the bidding price starts at USD$50,000.
In the blog post “Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk”, the Microsoft Threat Protection Intelligence Team said that “while only a few of these [ransomware] groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.”
Even though the stolen data from eHealth Saskatchewan hasn’t shown up on the dark web or the open internet for sale or for free distribution, the evidence that data was stolen is worrisome.
Cybersecurity Best Practices in Preventing or Mitigating the Effects of Ransomware Attacks
Even with the added knowledge that ransomware attackers are also stealing data, hardening your organization’s backup system is still one of the best practices in mitigating the effects of ransomware attacks. With a solid backup, your organization need not succumb to paying the ransom.
Beyond a solid backup system, and now that it is public knowledge that ransomware attackers also steal data, it’s important to block attackers from ever entering your organization’s network and dropping their malicious software (malware), such as ransomware. One of the best practices in preventing ransomware attacks is using up-to-date software.
Ransomware attackers can sneak into your organization’s network and drop their ransomware by exploiting known security vulnerabilities, both in operating systems that no longer receive security updates and in operating systems that still do. It’s important, therefore, to use only operating systems that receive security updates and to apply security updates in a timely manner, especially those that fix critical vulnerabilities.