The DCH Ransomware Attack: A Teachable Moment in Cyber-History
An Extensive Ransomware Attack Hit Alabama’s DCH Health System in 2019. Here’s What You Can Learn from It.
With more and more hackers exploiting the Coronavirus crisis to target healthcare providers, now is the time to look to the past and learn from it. Cybercriminals have been targeting medical institutions for some time now, and a perfect example of that is the DCH ransomware incident.
In this article, I will analyze the events of the DCH ransomware attack, as well as the ways in which Alabama’s healthcare providers tried to grapple with the consequences. Regardless of whether you are in the medical field or not, there is much to be learned from this moment in cyber-history.
Understanding the DCH Ransomware Attack
In the early hours of October 1, 2019, Alabama’s DCH Health System fell victim to an extended ransomware attack which forced it to close all three of its state hospitals. The medical establishments in question were:
- Tuscaloosa’s DCH Regional Medical Center,
- Northport Medical Center,
- and Fayette Medical Center.
Computer systems across all three hospitals were taken out, which prevented staff from accessing vital resources and records. Emergency procedures were implemented soon thereafter to ensure the continuation of day-to-day care for patients that had been hospitalized before the attack. What is more, the respective establishments continued admitting critical patients. However, non-critical cases were denied healthcare for 10 days following the incident.
What is DCH Ransomware?
According to an article published by the Alabama Political Reporter on October 5, 2019, hackers deployed a strain known as Ryuk ransomware into DCH systems. Ryuk is operated by a Russian cybercrime group known as WIZARD SPIDER. The ring is believed to have gained $3.7 million in Bitcoin from 2018 to 2019 alone, indicating a very profitable operation.
Ryuk ransomware operators employ deceitful social engineering techniques, tricking users into opening the emails they send as part of a phishing campaign. These malicious messages contain attachments that deploy malware onto the targeted device when opened.
After the malware is successfully dropped onto the host, Ryuk escalates privileges and injects its code into the device’s processes, halting system tasks. The next step is encryption, followed by ransom demands. For a more in-depth analysis of this particular cyber-threat, check out my colleague Vladimir’s extensive article on Ryuk.
The Aftermath of the DCH Ransomware Attack
The partial disruption of healthcare services for 10 days affected several DCH Health System patients, four of whom filed claims in Alabama’s district court against the healthcare provider. As claimed by the lawsuit via Alabama Local News:
Because of the ransomware attack, plaintiffs and class members had their medical care and treatment as well as their daily lives disrupted. As a consequence of the ransomware locking down the medical records of plaintiffs and class members, plaintiffs and the class members had to forego medical care and treatment or had to seek alternative care and treatment. Defendant breached its obligations to plaintiffs and class members and/or was otherwise negligent and reckless because [of its] failing to properly maintain and safeguard its computer systems and data.
Plaintiff Sheneka Frieson filed the complaint on behalf of a 7-year-old girl who sought medical assistance at Northport Medical Center. She suffered from a severe allergic reaction that swelled her eyes shut. A nurse at Northport allegedly did not consider her case to be an emergency and told Frieson the girl would have to wait 4 to 5 hours for a consultation.
The only two other options that Frieson was left with were to either drive to the city of Birmingham, located one hour away, or visit the local Walgreens. As per the lawsuit’s claim, the girl’s swelling took three days to subside due to a lack of proper medical care.
A post-surgical patient at the DCH Regional Medical Center, Geraldine Daniels could not get a prescription for required recovery medication due to the DCH ransomware attack. Her medical files were rendered inaccessible during her stay. She subsequently filed her claim in the Western Division of U.S. District Court for the Northern District of Alabama.
DCH Regional Medical Center patient Kimberly Turner visited the Tuscaloosa hospital a few days before the ransomware attack to have some x-rays done. The incident interrupted her subsequent treatment under the care of an orthopedist.
The fourth litigant, Mary Williams, did not include a reason for her complaint in the text of the lawsuit. However, she did state the DCH ransomware case compromised her medical records and disrupted her medical care.
Did the DCH Health System Pay the Ransom?
To quickly restore systems to a functioning state, the DCH Health System ended up paying the ransom. As per a statement issued by DCH spokesperson Brad Fisher:
We worked with law enforcement and IT security experts to assess all options in executing the solution we felt was in the best interests of our patients and in alignment with our health system’s mission. This included purchasing a decryption key from the attackers to expedite system recovery and help ensure patient safety. For ongoing security reasons, we will be keeping confidential specific details about the investigation and our coordination with the attacker.
The total amount was not disclosed by representatives. However, cybersecurity expert Dr. Matthew Hudnall estimated that between $400,000 and $700,000 had been paid to the ransomware operators in exchange for the decryption key. According to Hudnall, this put other organizations at risk. Giving in to the ransom demands of cybercrime rings further empowers them to attack, perpetuating the threat.
This is a position Heimdal Security stands behind as well. My advice here is to never pay the ransom under any circumstances. While remediation costs might end up being higher, you have no guarantee you will get a decryption key as DCH Health System did. And even if you do get the promised tools, you will still be responsible for funding cybercriminal activity and allowing ransomware operators to attack even more institutions and companies.
How to Prevent a DCH Ransomware Incident
#1 Cybersecurity Training
Ryuk, the strain responsible for the DCH ransomware attack, infects its victims through phishing emails with malicious macro attachments. Unfortunately, research suggests this approach is still successful. On the authority of Verizon’s Data Breach Investigations Report, 30% of phishing emails get opened by their targets, with 12% of them clicking on the attachments as well.
Therefore, human error remains a notable liability for your organization. It is thus essential for employees to be properly trained in terms of cybersecurity, starting with the topic of social engineering. The most common types of attacks that rely on it are as follows:
- Phishing, which consists of emails feigning the authority of respected third parties.
- Vishing, or voice phishing, usually takes place via phone calls.
- Spear phishing, which is a highly targeted type of phishing attack.
- CEO fraud, which consists of attackers pretending to be a superior or a figure of authority.
- Macro attachments, which deploy malware onto the targeted devices when opened.
Any of these five types of social engineering attacks can occur individually or in combination. For this reason, cyber-education is vital to the prevention of an attack such as the DCH ransomware incident. Knowledgeable employees who can recognize when they are being tricked by malware operators are your first line of defense.
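As an added example (not part of the original article or of any Heimdal product), here is a small Python triage routine that applies the social-engineering cues listed above to a constructed .eml message: executive impersonation (CEO fraud), urgency language from an external sender, and macro-enabled attachments. The organization domain, the executive directory and the sample message are assumed placeholders.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed organization details (placeholders, not from the article).
ORG_DOMAIN = "example-hospital.invalid"
EXECUTIVES = {"jane doe": "jane.doe@example-hospital.invalid"}   # display name -> real mailbox
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")
URGENCY_WORDS = ("urgent", "immediately", "asap", "wire")


def build_sample_eml() -> bytes:
    """Constructed phishing sample: executive impersonation plus a macro-enabled attachment."""
    msg = EmailMessage()
    msg["From"] = "Jane Doe <jane.doe@mail-hosting.invalid>"      # external domain, executive's name
    msg["To"] = "accounts@example-hospital.invalid"
    msg["Subject"] = "Urgent: invoice approval needed today"
    msg.set_content("Please open the attached invoice and approve payment.")
    msg.add_attachment(b"PK\x03\x04 constructed bytes, not a real document",
                       maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    return msg.as_bytes()


def triage_email(raw: bytes) -> list:
    """Return human-readable findings for the social-engineering patterns listed in the article."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    display = sender.display_name.strip().lower()
    # CEO fraud: display name matches an executive, but the mailbox is not that executive's.
    if display in EXECUTIVES and sender.addr_spec.lower() != EXECUTIVES[display]:
        findings.append(f"executive impersonation: '{sender.display_name}' sent from {sender.addr_spec}")
    # Generic phishing cue: external sender pushing urgency in the subject line.
    subject = str(msg["Subject"] or "").lower()
    if sender.domain.lower() != ORG_DOMAIN and any(w in subject for w in URGENCY_WORDS):
        findings.append(f"external sender with urgency cue in subject: {msg['Subject']}")
    # Macro attachments: the delivery vehicle the article attributes to Ryuk.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS) or "macroenabled" in part.get_content_type().lower():
            findings.append(f"macro-enabled attachment: {part.get_filename()}")
    return findings


if __name__ == "__main__":
    for finding in triage_email(build_sample_eml()):
        print(finding)
```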
#2 Email Security
Regardless of how well-educated your staff is in matters of cybersecurity, slip-ups are always a risk. Attackers outwit everyone in the company in some instances, while in other instances a long day’s fatigue can take its toll. Regardless of the case, it would be unfair to rely solely on the knowledge of your employees to protect your assets.
This is where Heimdal’s MailSentry E-mail Security and MailSentry Fraud Prevention come in. Each MailSentry module is available separately and complements any other existing cybersecurity solutions you have.
These two email security modules combined form a groundbreaking communications protection system that not only filters spam expertly but detects advanced social engineering attempts such as CEO fraud and stops business email compromise in its tracks. For this reason, it is my recommendation to use them together for the full protection of your organization’s online channels.
#3 Access Governance
Ryuk escalates privileges and moves beyond the scope of its target device, encrypting files that are shared over a network as well. Therefore, I recommend minimizing the ransomware’s lateral movement through your systems by implementing a companywide identity and access management (IAM) policy.
At its core, IAM manages authentication and authorization procedures, as well as individual roles within the organization and the level of access they require to certain assets. I suggest taking everything one step further and integrating access governance into your standard IAM policy. The resulting defense strategy is known as identity and access governance, or IAG for short.
Relative to IAM, IAG is the umbrella term for a more holistic approach to access governance. A policy of this sort will allow your organization to closely monitor identities and security rights, as well as ensure that they are correctly attributed to each user.
#4 Endpoint Protection
Advanced network threats such as ransomware constantly elude the efforts of traditional cybersecurity solutions. Signature-based antivirus is no longer efficient against aggressive strains like the one responsible for the DCH ransomware case.
Our core offering of Heimdal™ Threat Prevention protects your organization’s endpoints at the DNS level through proprietary DarkLayer Guard™ and VectorN Detection technology. An advanced traffic filtering tool, DLG uses next-gen traffic telemetry to spot ransomware before it attempts to infect your devices. The integrated X-Ploit Resilience patch management software rounds out your defences by closing vulnerabilities in the network as soon as updates are released by third-party developers.
#5 Data Backups
Ryuk ransomware removes backups and shadow copies stored on the targeted devices as a way to coerce its victims into paying the ransom. This is what happened in the case of the DCH ransomware attack as well. Therefore, regularly backing up your company or institution’s data in the cloud means that you will have a way to successfully restore crucial information without giving in to blackmail.
Cloud backups are an essential part of a successful recovery plan that can help you retrieve encrypted data in case of a ransomware attack. In addition to online copies, it is always a good idea to have an offline storage solution as well. Just like any other online service, the cloud can be susceptible to the nefarious actions of hackers as well.
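Because the backup and shadow-copy deletion described above is noisy at the process level, it is one of the better detection opportunities before encryption starts. As an added example (not from the original article or any Heimdal product), the Python below runs a few backup-tampering rules over constructed process-creation events; the log format, host names and user names are assumed, and the commands matched are the standard Windows utilities involved.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry): host|user|parent_image|image|command_line
SAMPLE_EVENTS = [
    "ws-042|hospital\\nurse17|WINWORD.EXE|cmd.exe|cmd.exe /c vssadmin.exe Delete Shadows /all /quiet",
    "ws-042|hospital\\nurse17|cmd.exe|wmic.exe|wmic.exe shadowcopy delete",
    "ws-042|hospital\\nurse17|cmd.exe|bcdedit.exe|bcdedit.exe /set {default} recoveryenabled No",
    "srv-bk01|hospital\\backupsvc|services.exe|vssadmin.exe|vssadmin.exe list shadows",
    "ws-007|hospital\\admin3|explorer.exe|wbadmin.exe|wbadmin.exe delete catalog -quiet",
]

# Rules for the backup-destruction behaviour the article attributes to Ryuk.
RULES = [
    ("shadow-copy deletion via vssadmin", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow-copy deletion via wmic", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("system recovery disabled via bcdedit", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("backup catalog deletion via wbadmin", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]
# An Office parent process suggests a macro launched the command: the phishing chain the article describes.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass
class Alert:
    host: str
    user: str
    rule: str
    severity: str
    command_line: str


def detect_backup_tampering(events: list) -> list:
    """Match each event's command line against RULES; escalate when spawned from an Office app."""
    alerts = []
    for line in events:
        host, user, parent, image, cmdline = line.split("|", 4)
        for name, pattern in RULES:
            if pattern.search(cmdline):
                severity = "critical" if parent.lower() in OFFICE_PARENTS else "high"
                alerts.append(Alert(host, user, name, severity, cmdline))
    return alerts


def alerts_per_host(alerts: list) -> dict:
    """Several distinct rules firing on one host is a strong pre-encryption signal for responders."""
    counts = {}
    for alert in alerts:
        counts[alert.host] = counts.get(alert.host, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect_backup_tampering(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.severity}] {a.host} {a.user}: {a.rule} <- {a.command_line}")
    print(alerts_per_host(found))
```

The benign `vssadmin.exe list shadows` on the backup server does not fire, so the rules give responders a short list of hosts to isolate rather than a flood of backup-job noise.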
The DCH ransomware attack should be considered a teachable moment in cyber-history. From human error to giving in to ransom demands and the lawsuits that ensued, Alabama’s healthcare providers made quite a few mistakes in dealing with the incident.
Your main takeaway here should be to focus on prevention rather than remediation. Cybersecurity training for staff, coupled with strong policies and solutions and regular, tested data backups, is your best bet in this ever-changing digital landscape.