November 23, 2019

A ransomware outbreak has besieged a Wisconsin-based IT company that provides cloud data hosting, security and access management to more than 100 nursing homes across the United States. The ongoing attack is preventing these care centers from accessing crucial patient medical records, and the IT company’s owner says she fears this incident could soon lead not only to the closure of her business, but also to the untimely demise of some patients.

Milwaukee, Wisc.-based Virtual Care Provider Inc. (VCPI) provides IT consulting, Internet access, data storage and security services to some 110 nursing homes and acute-care facilities in 45 states. All told, VCPI is responsible for maintaining approximately 80,000 computers and servers that assist those facilities.

At around 1:30 a.m. CT on Nov. 17, unknown attackers launched a ransomware strain known as Ryuk inside VCPI’s networks, encrypting all data the company hosts for its clients and demanding a whopping $14 million ransom in exchange for a digital key needed to unlock access to the files. Ryuk has made a name for itself targeting businesses that supply services to other companies — particularly cloud-data firms — with the ransom demands set according to the victim’s perceived ability to pay.

In an interview with KrebsOnSecurity today, VCPI chief executive and owner Karen Christianson said the attack had affected virtually all of their core offerings, including Internet service and email, access to patient records, client billing and phone systems, and even VCPI’s own payroll operations that serve nearly 150 company employees.

The care facilities that VCPI serves access their records and other systems outsourced to VCPI by using a Citrix-based virtual private networking (VPN) platform, and Christianson said restoring customer access to this functionality is the company’s top priority right now.

“We have employees asking when we’re going to make payroll,” Christianson said. “But right now all we’re dealing with is getting electronic medical records back up and life-threatening situations handled first.”

Christianson said her firm cannot afford to pay the ransom amount being demanded — roughly $14 million worth of Bitcoin — and said some clients will soon be in danger of having to shut their doors if VCPI can’t recover from the attack.

“We’ve got some facilities where the nurses can’t get the drugs updated and the order put in so the drugs can arrive on time,” she said. “In another case, we have this one small assisted living place that is just a single unit that connects to billing. And if they don’t get their billing into Medicaid by December 5, they close their doors. Seniors that don’t have family to go to are then done. We have a lot of [clients] right now who are like, ‘Just give me my data,’ but we can’t.”

The ongoing incident at VCPI is just the latest in a string of ransomware attacks against healthcare organizations, which typically operate on razor-thin profit margins and have comparatively little money to invest in maintaining and securing their IT systems.

Earlier this week, a 1,300-bed hospital in France was hit by ransomware that knocked its computer systems offline, causing “very long delays in care” and forcing staff to resort to pen and paper.

On Nov. 20, Cape Girardeau, Mo.-based Saint Francis Healthcare System began notifying patients about a ransomware attack that left physicians unable to access medical records prior to Jan. 1.

Tragically, there is evidence to suggest that patient outcomes can suffer even after the dust settles from a ransomware infestation at a healthcare provider. New research indicates hospitals and other care facilities that have been hit by a data breach or ransomware attack can expect to see an increase in the death rate among certain patients in the following months or years because of cybersecurity remediation efforts.

Researchers at Vanderbilt University‘s Owen Graduate School of Management took the Department of Health and Human Services (HHS) list of healthcare data breaches and used it to drill down on data about patient mortality rates at more than 3,000 Medicare-certified hospitals, about 10 percent of which had experienced a data breach.

Their findings suggest that after data breaches as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined. The researchers concluded that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.

Companies hit by the Ryuk ransomware all too often are compromised for months or even years before the intruders get around to mapping out the target’s internal networks and compromising key resources and data backup systems. Typically, the initial infection stems from a booby-trapped email attachment that is used to download additional malware — such as Trickbot and Emotet.

This graphic from US-CERT depicts how the Emotet malware is typically used to lay the groundwork for a full-fledged ransomware infestation.

In this case, there is evidence to suggest that VCPI was compromised by one (or both) of these malware strains on multiple occasions over the past year. Alex Holden, founder of Milwaukee-based cyber intelligence firm Hold Security, showed KrebsOnSecurity information obtained from monitoring dark web communications which suggested the initial intrusion may have begun as far back as September 2018.

Holden said the attack was preventable up until the very end when the ransomware was deployed, and that this attack once again shows that even after the initial Trickbot or Emotet infection, companies can still prevent a ransomware attack. That is, of course, assuming they’re in the habit of regularly looking for signs of an intrusion.

“While it is clear that the initial breach occurred 14 months ago, the escalation of the compromise didn’t start until around November 15th of this year,” Holden said. “When we looked at this in retrospect, during these three days the cybercriminals slowly compromised the entire network, disabling antivirus, running customized scripts, and deploying ransomware. They didn’t even succeed at first, but they kept trying.”
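The escalation Holden describes (antivirus disabled, custom scripts run, backups tampered with, all on one host within a few days) is exactly the kind of sequence a defender can correlate for. The following is an added example, not code from the article or from VCPI or Hold Security; the log format, the regexes and the sample lines are constructed for illustration, and the three-day window is taken from Holden's description.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Precursor stages drawn from the article's account of the three-day escalation.
# The patterns are assumptions written for this example, not vendor signatures;
# "real-time protection disabled" mirrors the Defender Operational log wording.
PRECURSORS = {
    "av_disabled": re.compile(r"real-time protection (was )?disabled", re.I),
    "script_exec": re.compile(r"(powershell|cscript|wscript)\.exe .*\\(Temp|Public|AppData)\\", re.I),
    "backup_tamper": re.compile(r"(shadow copies deleted|backup (job|catalog) deleted|backup service stopped)", re.I),
}
WINDOW = timedelta(days=3)   # Holden: "during these three days"
MIN_STAGES = 2               # alert once two distinct stages coincide on one host

def parse_line(line):
    """Parse 'ISO-timestamp|host|message' (a constructed format for this example)."""
    ts, host, msg = line.split("|", 2)
    return datetime.fromisoformat(ts), host, msg

def classify(msg):
    """Return the precursor stage names a message matches (usually zero or one)."""
    return [name for name, rx in PRECURSORS.items() if rx.search(msg)]

def correlate(lines):
    """Return {host: sorted stage names} for every host on which at least
    MIN_STAGES distinct precursor stages fall inside one WINDOW. Each host's
    events are scanned with a sliding window anchored at each event in turn."""
    events = defaultdict(list)
    for line in lines:
        ts, host, msg = parse_line(line)
        for stage in classify(msg):
            events[host].append((ts, stage))
    alerts = {}
    for host, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            stages = {s for t, s in evs[i:] if t - start <= WINDOW}
            if len(stages) >= MIN_STAGES:
                alerts[host] = sorted(stages)
                break
    return alerts

# Constructed sample log lines. FILESRV01 shows the staged escalation; WS-042 has
# two isolated signals 19 days apart (routine maintenance), so it must not alert.
SAMPLE_LOGS = [
    "2019-11-01T09:00:00|WS-042|Defender: real-time protection disabled by admin",
    "2019-11-15T02:10:00|FILESRV01|Defender: real-time protection was disabled",
    "2019-11-15T02:40:00|FILESRV01|Process created: powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\update.ps1",
    "2019-11-16T08:00:00|FILESRV01|User jsmith logged on",
    "2019-11-17T01:15:00|FILESRV01|Backup agent: shadow copies deleted on volume C:",
    "2019-11-20T11:00:00|WS-042|Process created: wscript.exe C:\\Users\\Public\\inventory.vbs",
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOGS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

Feeding real event data in (Sysmon process-creation events, Defender operational events, backup-agent logs) is a matter of writing a parse_line for that source; the correlation logic stays the same.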

VCPI’s CEO said her organization plans to publicly document everything that has happened so far when (and if) this attack is brought under control, but for now the company is fully focused on rebuilding systems and restoring operations, and on keeping clients informed at every step of the way.

“We’re going to make it part of our strategy to share everything we’re going through,” Christianson said, adding that when the company initially tried several efforts to sidestep the intruders their phone systems came under concerted assault. “But we’re still under attack, and as soon as we can open, we’re going to document everything.”


95 thoughts on “110 Nursing Homes Cut Off from Health Records in Ransomware Attack”

  1. Sean

    Just based off the size of this organization, the way to mitigate risk and increase efficiency would be to:

    #1 to use VDI (Gets rid of PC refreshing and maintenance).

    #2 Backup/Replicate data to a third party location or co-location. To reduce the effectiveness of these types of attacks.

    #3 Implement email defense like Proof Point.

    #4 Have a Hybrid Local/Cloud storage infrastructure. No 100% Cloud.

    1. Chris

      Did you not read the story? They used Citrix like crazy. They also did backups but either backed up infected data or many backups were network-connected and got deleted.

      1. Sean

        @Chris I did read the story, do you not read or understand my backup proposal?

        Network backup does not mitigate ransomware, because you will end up backing up infected files.

    2. Jane Smith

      This problem is directly related to the incompetence of VCPI to fail to effectively protect their clients.

      1. Steve

        Is it? How do you know? This is an arms race where each side takes counter-measures to defeat the other. Given enough reconnaissance virtually any company could be in this position.

    3. Steve

      #1 Audit every PC and ensure that no-one is running as administrator! This is the single most effective step you can take to ensure your systems are protected.

      1. Garlacito

        How is this going to stop the spread of ransomware? That’s good advice, but hardly the #1 preventive control. Malware doesn’t spread because systems are running as administrator. In most recent cases, it spreads via RDP or SMB — either due to inherent flaws or with weak credentials.

  2. vb

    Is there some reason that cloud data hosting companies are not using air-gapped data backups? Haven’t there been enough ransomware outbreaks to warn everyone of the dangers of having all the data, and the data backups too, accessible on the network.

    I understand that the systems and code are going to get compromised if network intruders have months to install malware throughout the network. But the data needs extra protection.

    Any company can get hit with a ransomware attack, there are so many points of infection, and having an air-gapped data backup is a good practice.

  3. Dave Horsfall

    This will continue as long as companies run unprotected Windoze, fail to backup properly, and are utterly unaware of the risks. Unprotected s*x with complete strangers, anyone?

    1. Affected

      This issue is definitely not resolved, nor do we have an ETA for file restoration or access at this time.

  4. Sean

    At this point in the game, the nation should adopt a blockchain approach to medical data, so that any medical data from any hospital is written/committed to the blockchain; that way there is no data loss or databases of unsecured medical information waiting to be hacked and inaccessible.

    Each entry is time stamped at the hospital you attend, and any doctor using ANY EMR system can pull up your data from the blockchain without the fear of malware or system compromises or storing information in an unsecured cloud.

    1. Steve

      That may be effective to validate that the data hasn’t been tampered with, but ransomware is not after the data. It’s a denial of service attack and I don’t know of anything inherent in blockchain that would prevent its encryption and thereby denying access to the data owners.

  5. Robert Rodriguez

    It looks like VCPI was using Citrix but no cloud security such as Zscaler with Silverpeak and Forescout to sever any port that a bad actor may use. Sometimes you need to spend the money on your network. AI and ML come into play in this scenario.

    Very Sad

  6. rich

    I don’t understand how you start an IT consulting company and not have security experts in the company and on retainer, since any moron knows how difficult security can be.

    As to air-gapped networks, well, nothing is 100% air gapped. How do you upgrade them? How do you transfer/backup data to them? Do you burn data to CDs/DVDs and transfer them to the air-gapped network?

    If so, once you do the transfer that network isn’t really air gapped anymore, since you provided a vector for any malware that got on the CD/DVD/USB/etc. to transfer itself to the air-gapped network.

    Things get very difficult very quickly.

    One thing that people should clearly be aware of by now is that pretending to transfer risk/security to a 3rd party company is not very wise since most likely that 3rd party has no clue what they are doing.

    1. Steve

      Tape backup with offsite storage.

      We use staged backup to disk and then to tape. I have to admit that I like to hate on the tapes and tape drives – I may owe them an apology!

      1. Alex

        As someone said, you’re backing up ransomware which is just sitting in the filesystem. As soon as you restore the backup the ransomware hits again… nothing you can do about it.

  7. Ryan

    I had initially thought that they were an example of what happens with no backups. The fact that I find out they had them and they also got breached is even worse than not having them. I feel they are teaching the class of newcomers on what NOT to do. I just hope people are smart enough to run away and don’t turn back. They are definitely not who I want in charge of my network. I do my best to support mine and I am not perfect, but I also am not an IDIOT!

    1. BrianKrebs Post author

      In nearly every story I’ve written about ransomware, the victim had a backup system of some kind. And nearly every story, some readers comment that if they only had backups….

      While there are ways of backing up key data that make it far more difficult for ransomware to fiddle with, the mindset that enables that kind of preparation assumes the target is also doing things like actively and continuously monitoring for intrusions. And those organizations are few and far between. Also, keep in mind that these ransomware purveyors usually don’t pull the trigger until they’ve done what they need to do to escalate their privileges within the target to the point where they can do what the target’s administrators can do, and that includes managing the backup procedures.

      1. rich

        And sadly these companies don’t want to pay for personnel/equipment to do continuous monitoring of data. It can be expensive and time consuming. There are various tools out there, Splunk, ELK, Security Onion, that MAY show unusual activity going on. Things such as unusual connectivity, files being transferred, etc.

        A casual glance would rarely catch a good intruder, but everyone leaves trails if you look hard enough.

  8. annon

    A lot of assumptions were made in these comments. 1. There were backups in a co-location which were not touched. 2. They cannot just simply load the backups and go; when an attack happens and there is a breach they have to assume nothing is uncompromised, so the process of restoring from the backups they have is slow as they have to ensure each backup is clean before it can go live on the network. 3. They had monitoring software which did detect the attack happening on the 15th, but as the author stated, by then they had already given themselves escalated privileges.
    source: I work for this company.

    1. Claire

      Thank you for clarifying this. This is a scary news article to find for someone whose company is affected. We HAVE been able to retrieve files from those offsite back-ups, and we are grateful VCPI had them available.

  9. anon

    There are a number of assumptions in these comments I wish to clear up.

    1. There WERE backups off site and also co-located, none of which were infected.

    2. There was monitoring software in place that detected the attack, but as the author said they already had escalated privileges in place when they began the attack.

    3. The process to restore services is a long one, as even though the backups were clean they have to treat them as though they are not and fully test the system to ensure it’s not infected before it is put back into a live environment.

  10. R Cruickshank

    I need to know who the 110 affected nursing homes, etc. are, who are the “affected clients” of VCPI.
    I have people in care, and need to know if their facilities are affected.

  11. ASB

    You would think that as long as I’ve been on the internet, I would not be surprised by this sort of thing, but so many of the comments provided do nothing more than expose the utter lack of real world experience of those posting.

    There’s always the inevitable “why connected to the Internet?” or “why run Windows?” or “what about backups?” etc.

    That many of these breach situations entail a degree of negligence on the part of the victims cannot be denied. That many organizations merely pay lip service to information security, can also not be denied.

    But many of the Monday Morning Quarterback suggestions posted are as deficient as the situations they are trying to ridicule or scoff at. Distributed computing is not easy stuff, or everyone would be doing it flawlessly.

    Yes, the managed providers have to do much more than they are doing today to make *real* holistic security an intrinsic part of their operations. I looked at the VCPI site relative to the leadership team, and what I found there concerning the ownership of Operational Security gives me some concern that it was neither sufficiently staffed nor otherwise resourced. And this is true of many other providers that are otherwise successful.

    There is a much greater focus on functionality and user experience than on operational security. (And often compliance is seen as being equivalent to security, which it is not.)

    But the solution is not so simple that it can be posted in two or three paragraphs by persons with no direct interaction with the organization.

    And, if you think that one MSSP with bad security practices is a problem, just consider what the organizations that use them would be doing on their own.

    Have people been looking at who has been getting breached lately? Organizations big and small — some with resources and some without. Yes, sometimes there is laxity or negligence, but again, the protection of a *real* network is not some simple activity, or we’d all just go to YouTube and look at a 15 min video and address all our issues.

    -ASB

  12. Craig Manske

    I’m a 30 year IT industry veteran in Wisconsin. I’ve had my fingers in nearly everything IT from infrastructure to endpoint. I’m willing to volunteer my spare time if there’s any need.

Comments are closed.