Ransomware attacks don’t discriminate. They are just as happy targeting those with four legs as those with two.
Anonymous sources told cybersecurity reporter Brian Krebs this week that National Veterinary Associates (NVA) has fallen victim to a ransomware attack that has affected hundreds of hospitals.
NVA describes itself as one of the largest veterinary pet care services organisations in the world. It partners with over 700 general practice veterinary hospitals, spanning general practice clinics, equine hospitals, and pet resorts in a network spanning the US, Canada, Australia, and New Zealand. Founded in 1996 by Dr. Stan Creighton, it began by buying hospitals from retiring veterinarians. It now has 2,600 veterinarians in its network.
Ryuk ransomware
NVA didn’t respond to our requests for comment, but reports said that the company discovered a ransomware attack on Sunday 27 October. The culprit was apparently Ryuk, an especially pernicious form of ransomware first detected by researchers in August 2018.
According to sources quoted by Krebs, the ransomware hit nearly 400 hospitals in the company’s 700-strong network. The infection wasn’t ubiquitous because hospitals have some autonomy in how they run their IT networks, but some were left struggling to provide care after they lost access to their patient information management systems, reports said.
A source also told Krebs that this wasn’t the first Ryuk infection than the company has endured. The company had discussed the first attack more openly, the source said.
Things were different this time, according to Krebs. The company reportedly sent out instructions explaining how members of its network should discuss the incident. A screenshot read:
Use the verbiage “Computer Outage” – Joe would like us to use generic terms.
Ryuk kills over 40 processes and stops more than 180 services on infected computers, including some anti-virus tools. It also writes itself to the Run registry key to maintain persistence. It has been involved in ransomware attacks against organizations including the Chicago Tribune and cloud hosting provider DataResolution.net.
In the UK, the National Cyber Security Centre (NCSC) is investigating Ryuk ransomware campaigns linked to Emotet and Trickbot. The Centre says that Ryuk is a targeted strain of ransomware that allows its owner to set the ransom according to the victim’s perceived ability to pay. It often operates under the radar for a period of time ranging up to months, enabling the attacker to move laterally through the network and infect as many assets as possible.
Krebs’ source expressed concern that NVA may not have completely eradicated the first attack.
How to protect yourself from ransomware
- Pick strong passwords. And don’t re-use passwords, ever.
- Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
- Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
- Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
- Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.
For more advice, please check out our END OF RANSOMWARE page.