Euro Security Watch with Mathew J. Schwartz

Incident & Breach Response , Next-Generation Technologies & Secure Development , Security Operations

NHS Trust Suffered Trojan - Not Ransomware - Infection

Reminder: Not Every Potential Cyberattack Involves Crypto-Locking Extortionists
NHS Trust Suffered Trojan - Not Ransomware - Infection
Pictured: Royal London Hospital, part of Barts Health NHS Trust. Credit: Matt Brown (Flickr/CC)

News flash: A British healthcare organization that experienced a suspected cyberattack didn't suffer a ransomware infection, as some news outlets first reported, but rather a Trojan malware outbreak. It's a reminder that organizations in the sector continue to be targeted by more than just crypto-locking extortionists.

England's largest health trust, Barts Health NHS Trust, warned Jan. 13 that it was investigating a disruption and that it had taken numerous hard drives offline "as a precautionary measure" as part of its incident response plan (see British NHS Trust Investigates Suspected Cyberattack).

Some initial reports - including one from Britain's Daily Telegraph - were quick to blame ransomware, based on an alleged email that was circulating inside Barts, warning that a ransomware attack was unfolding.

But when I called Barts Jan. 13, a spokeswoman immediately dismissed those reports as "rumors," saying that the investigation was continuing and that no conclusions had yet been reached. Because ransomware is easy to spot - the locked screen with a ransom note and bitcoin address is usually a clue - and because the NHS trust has previously revealed that it has a ransomware response plan in place, it seemed safe odds that ransomware was not, in fact, involved.

Now, the NHS trust has definitively ruled out ransomware, saying that a Trojan was involved. "On [Jan. 13] Barts Health discovered and took immediate steps to contain a virus in the trust's computers," a spokeswoman says in a statement. "The virus has been quarantined, and all major clinical systems are now up and running. No patient data was affected, there was no unauthorized access to medical records and our anti-virus protection has now been updated to prevent any recurrence."

The reference to Trojan malware by the trust could indicate a piece of code that was disguised to look like something else, such as a malicious Excel document attached to a spear-phishing email. But the spokeswoman declined to comment on the particular type of malware or variant that affected Barts and how it initially infected systems. She did say, however, that this particular piece of Trojan malware had not been previously seen in the wild and that while it could have caused extensive damage, the outage had been contained.

Barts Health reports that its electronic health records system, Cerner Millennium, was unaffected, and that "radiology and imaging from X-rays and scans continue to be used." It said that it's restored its computerized pathology results service after having temporarily used a manual backup and that it might take a day or two for the backlog to clear.

Malware Cleanup Takes Time

As that experience highlights, cleaning up from any type of malware infection isn't easy. Indeed, even well-prepared organizations might require several days or more to undertake the manual, laborious process of wiping and re-imaging affected systems.

Faced with the productivity hit of having critical systems offline - and care disrupted - for days, no matter how good their defenses, some healthcare organizations have reportedly been stockpiling bitcoins to give them the option of paying ransoms if it will help them to more rapidly regain access to crypto-locked systems (see Ransomware Extortion: A Question of Time).

Beware Early Reports

The fact that some initial reports on the Barts cyberattack said in no uncertain terms that ransomware was to blame is a reminder to always treat initial, thinly sourced reports with a healthy dose of skepticism.

That doesn't apply just in the healthcare space. Indeed, many types of data breaches and information security incidents have a well-worn playbook in the popular - and media - consciousness. Here are two frequently seen scenarios:

  • Bank hack: Unnamed sources blame state-sponsored Russian hackers, in reprisal for whatever political slight their country most recently suffered.
  • Intellectual property theft: Unnamed sources blame Chinese hackers, bent on amassing intelligence that can be used to more rapidly advance their military-industrial complex or espionage capabilities.

Often, however, initial assumptions are wrong. Such was the case with the 2014 breach of JPMorgan Chase, which a Bloomberg report blamed on a Russian reprisal over Ukraine-related sanctions, based on information provided by government officials speaking on background. In fact, the culprits turned out to be two Israelis living in Florida, plus an American accomplice, who were allegedly involved in a pump-and-dump stock scheme.

Meanwhile, a recent report that Russians had targeted Burlington Electric Department in Vermont also turned out to be nothing more than a plain old malware infection, which the utility spotted and contained, saying that there was never any risk to its power-production facilities.

Likewise, in the case of Barts, no patient data came to harm. Kudos to the trust for having spotted, contained and mitigated the malware outbreak.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.