The Jewish General Hospital of Montreal and the CIUSSS du Centre-Ouest-de-l’Île-de-Montréal had to urgently disconnect their computer networks on Wednesday, after noticing a “disturbing intrusion” that targeted medical data.
Computers, servers, internet access and telephone systems had to be taken offline for fear that the intrusion could lead to a major leak of sensitive data. “We are practically an isolated island” from the entire health network, said Dr Lawrence Rosenberg, CEO of the CIUSSS, during a press briefing on Thursday.
The decision caused a slowdown in frontline services, management admits, but the effects are said to be limited for now. “There may be some service cuts, but it’s really minimal. The screening centers are operating as usual,” said Francine Dupuis, deputy CEO of the organization.
There was no ransom or ransom demand made, since we cut the problem off at its source.
Francine Dupuis, Deputy CEO of the CIUSSS du Centre-Ouest-de-l’Île-de-Montréal
At this point, the CIUSSS cannot “confirm or deny” that the intrusion is linked to a significant wave of ransomware attacks that have hit at least half a dozen US hospitals – mainly in New York and California – in the last few days. At least three Ontario hospitals have also been targeted by similar attacks. The Washington Post claims the hackers operate from Eastern Europe and speak Russian.
A cybersecurity team from the Ministry of Health and Social Services, assisted by police officers from the RCMP and the SQ as well as a technician from the supplier Microsoft, is investigating to determine precisely what happened at the Montreal CIUSSS and to restore the systems. The operation may take “a few days”. “We do not know what they will find, or how long it will take for them to find it,” Ms. Dupuis specified.
Several targets in Quebec
In recent weeks, several other Quebec organizations have been targeted by similar cyberattacks. This is the case with the Société de transport de Montréal, around 1,000 of whose 1,600 servers were crippled by ransomware on October 19. The STM said Thursday that a hacker had sent a demand for US$2.8 million following the attack. The company says no data was stolen, and 77% of its servers have since been restored.
The Quebec Provincial Police Association also reported Wednesday that several thousand of its members had been victims of a similar data theft, in which information – including their names, addresses, dates of birth and possibly certain banking details – had been targeted by ransomware. The data was hosted on a server of Xpertech Technologies, a former subcontractor.
Xpertech Technologies admitted Thursday that it had made the payment demanded by the hackers. The amount paid is not known.
The Sûreté du Québec, which has observed an increase in this type of attack in recent weeks, has opened an investigation into the affair.
Threat on the rise
In the United States, the Cybersecurity and Infrastructure Security Agency (CISA), working with the FBI and the Department of Health, released a report on Wednesday announcing an upsurge in cyberattacks using the Ryuk ransomware against the American health care system. On October 4, the Canadian Cyber Security Center alerted Canadian authorities to the risks of “a global campaign led by operators of the Ryuk ransomware, which could attack other sectors of activity”.
Since 2019, this ransomware has increasingly been used to attack large companies and organizations. Hackers carry out a three-phase attack to infiltrate computer networks and encrypt all the data they hold. They then demand a large sum from the administrators, in return for which they usually release the data.
“It may be a coincidence, but everything suggests that what is happening in Quebec’s health network is linked to the wave of attacks that we are seeing in the United States,” said Alexis Dorais-Joncas, team leader and malware researcher at ESET, an IT security company.
“If so, it’s unlikely that the initial compromise happened on Wednesday. Rather, it is the kind of attack where malware spreads across networks over time. Little by little, the hackers are able to gain administrator privileges,” explains Dorais-Joncas. The malicious software is sophisticated enough to use an infected computer as a “hub” from which it infiltrates other devices, networks and subnets without being detected.
“This allows hackers to plan when they are going to deploy the software.”
How does a Ryuk-type attack work?
Ryuk-type cyberattacks usually occur after an organization’s computer network has already been compromised by two other pieces of malware, Emotet and TrickBot, originally designed to steal financial data and extract passwords.
The attack attempts to disable or uninstall security software on the victim’s systems so that the victim cannot block the ransomware, the CISA statement said.
Once the attack is underway, the ransomware operators deploy further malware to steal data.
Usually, hard drive data and even backup data are rendered unreadable by encryption that is virtually impossible to break. A file called “RyukReadMe” is left behind; it contains an email address for communicating with the perpetrator of the attack, hosted on an anonymized server that does not allow their whereabouts to be discovered.
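As an added illustration that is not part of the article, the following Python detector turns the three behaviours described above (security services being stopped, a burst of writes that encrypts data and backups, and the “RyukReadMe” note) into simple rules run over constructed endpoint telemetry. The service names, thresholds and event records are assumptions made for the example, not indicators reported in the article.

```python
# Added example (not from the article): a toy detector that scans constructed
# endpoint telemetry for the three Ryuk behaviours the text describes:
# security services being stopped, a burst of file writes (mass encryption,
# including backups) and the "RyukReadMe" ransom note being dropped.
from collections import defaultdict

# Hypothetical names of protective services to watch (placeholders, not real products).
SECURITY_SERVICES = {"EndpointProtectionSvc", "BackupAgentSvc"}
BURST_FILES = 20      # distinct files written by one process ...
BURST_WINDOW = 60     # ... within this many seconds => encryption burst

def detect_ryuk_indicators(events):
    """events: iterable of (ts, host, proc, action, target) tuples; returns alerts."""
    alerts = []
    writes = defaultdict(list)          # (host, proc) -> [(ts, path), ...]
    for ts, host, proc, action, target in sorted(events):
        if action == "file_create" and target.rsplit("/", 1)[-1].startswith("RyukReadMe"):
            alerts.append(("ransom_note", host, proc, target))
        elif action == "service_stop" and target in SECURITY_SERVICES:
            alerts.append(("security_service_stopped", host, proc, target))
        elif action == "file_write":
            w = writes[(host, proc)]
            w.append((ts, target))
            # Drop writes that fell out of the sliding window, then count distinct files.
            while w and ts - w[0][0] > BURST_WINDOW:
                w.pop(0)
            if len({p for _, p in w}) == BURST_FILES:   # fire once, at the threshold
                alerts.append(("encryption_burst", host, proc,
                               f"{BURST_FILES} files in {BURST_WINDOW}s"))
    return alerts

def constructed_events():
    """Constructed sample telemetry, not real logs: one benign host, one hit host."""
    ev = [(10, "ws-ok", "word.exe", "file_write", "/data/report.docx"),
          (20, "srv-2", "svchost.exe", "service_stop", "EndpointProtectionSvc")]
    # 25 writes in 25 seconds by one process on srv-2, backup volumes included.
    ev += [(100 + i, "srv-2", "enc.exe", "file_write", f"/backup/vol{i}.bak") for i in range(25)]
    ev.append((130, "srv-2", "enc.exe", "file_create", "/backup/RyukReadMe.html"))
    return ev

if __name__ == "__main__":
    for alert in detect_ryuk_indicators(constructed_events()):
        print(alert)
```

The single benign host produces no alert, while the compromised host raises the three alerts in the order the behaviours occur, which is the order a responder would want to catch them in.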
It can take several days or even weeks to bring the networks targeted by these attacks back into service. “We see it with what is happening at the STM. More than a thousand of its servers were attacked by ransomware. Even two weeks after the attack, it is not yet resolved,” said Alexis Dorais-Joncas, team leader at ESET, a computer security company. In particular, security experts must survey each device and inspect the entire network to ensure that no traces of malware remain.
The Quebec health network, which includes several complex systems designed at different times, would face a “colossal task” if it were to be the victim of this kind of attack, believes Mr. Dorais-Joncas.