A new strain of ransomware targets healthcare; cyberattack causes disruptions at NHS hospital

Cybersecurity analysts have uncovered a previously undocumented strain of ransomware aimed at the healthcare industry and spread through targeted phishing emails that contain a malicious attachment.

The ransomware, known as Defray, was discovered by researchers at Proofpoint, a global cybersecurity vendor. In a blog post last week, the company said the attack differs from the “spray-and-pray” campaigns that emerged over the last several months. Instead, attackers sent targeted, customized messages to potential victims. The malware is spread through a Microsoft Word attachment.

Proofpoint researchers highlighted one instance in which attackers hit a U.K. hospital using an attachment titled “Patient Report” that included the hospital’s logo and indicated it was from the director of information management and technology.

The campaign also includes a unique ransom note asking for $5,000 in bitcoins to return the encrypted files. But the note also urges users to contact the attackers if they have “questions,” “doubts” or “want to negotiate” and includes three email addresses with domains from Switzerland, Germany and Russia.

In a specific message to the IT department, the perpetrators say the ransomware is “custom developed” with no known decrypter.

“It’s written in C++ and have passed many quality assurance tests. To prevent this next time use offline backups,” the note reads.

On Friday, NHS Lanarkshire, a hospital in Scotland that was among the dozens of NHS hospitals disrupted by the WannaCry attack in May, reported a malware attack that prompted the hospital’s medical director to warn patients to avoid unnecessary visits to the emergency department while the IT systems were down.

By Saturday, the hospital’s chief executive Calum Campbell said they had “identified the source of the malware” after working overnight to reinstate its systems. He said a “small number” of appointments had been canceled and warned patients they might experience longer wait times as the hospital worked to get systems running normally.

It was not clear whether the attack was related to the Defray malware independently identified by Proofpoint.

“Our staff have worked hard to minimise the impact on patients and our contingency plans have ensured we have been able to continue to deliver services while the IT issues were resolved. A small number of systems have been affected and these are in the process of being fixed,” Campbell said in a statement posted to Facebook.