– A ransomware infection on DCH Health System forced three of its hospitals to close its doors to new patients the night of the attack, and staff are continuing to recover and operate under downtime procedures.

The DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center were all impacted by the initial attack that began on Tuesday. Officials said attack limited use of the computer systems. Hackers are demanding an “as-yet unknown payment.”

Emergency procedures have been launched to ensure patient care can continue. However, out of concern for patient safety, officials said they closed the three hospitals yesterday to “all but the most critical patients” and were only caring for patients currently admitted to the hospital.

There were no plans to transfer any current patients. Patients were told to call before scheduled appointments, and local ambulances were instructed to bring patients to other area hospitals, if possible.

Patients that arrived at the emergency department would be cared for until they were stabilized but could potentially be transferred to another hospital.

READ MORE: As Ransomware Attacks Increase, DHS Alerts to Cybersecurity Insights

By Wednesday morning, elective procedures and surgical cases already scheduled were being performed as planned, as officials said they were “confident that our downtime procedures will allow us to provide safe an effective care for those patients.”

But patients are still being told to call before scheduled appointments, if they have not already been contacted by DCH. And all new admissions will continue to be diverted to other facilities, outside of critical patients. Officials said the IT staff is working with federal authorities, staff, vendors, and consultants to restore the systems.

The DCH report mirrors the recent ransomware attack on Campbell County Health, in Gillette, Wyoming less than two weeks ago, which disrupted patient care. Patients were being diverted to area hospitals, and some patients were transferred if officials determined CCH was unable to provide adequate care.

CCH is still working to get its systems back online, and as of Wednesday, email and fax services were back online. However, medications, clinic appointments, medical records, and visit history are still unavailable.

Currently, an Australian medical system is also facing downtime after a ransomware attack, according to ABC.

Ransomware Resurgence

READ MORE: Ransomware Attacks Double in 2019, Brute-Force Attempts Increase

This time last year, many security leaders noted that ransomware was in decline, especially in the healthcare sector. Ransomware hackers were being indicted and fewer hospitals were reporting attacks.

But these near-weekly reports of cities, hospitals, and other organizations facing service disruptions highlight a rise in “disruptionware.”

The Institute for Critical Infrastructure Technology recently reported there’s been an alarming trend of this type of ransomware, where hackers are moving to disrupt business and continuity by introducing malware designed to halt operations, damage reputations, extort money, or other malicious goals.

“Disruptionware is an emerging category of malware designed to suspend operations within a victim organization through the compromise of the availability, integrity, and confidentiality of the systems, networks, and data belonging to the target,” researchers wrote.

“For OT environments, disruptionware is particularly devastating when it sequesters mission-critical systems and legacy systems that lack redundancy,” they added. “Ransomware is currently the most common disruptionware component, with incidents such as the LockerGoga ransomware campaign demonstrating that even unsophisticated malware has the capacity to bring businesses to a halt.”

READ MORE: DHS Shares Best Practice Steps for Ransomware Resilience

Hackers leverage ransomware, wipers, bricking capabilities, automated components, data exfiltration tools, and network reconnaissance tools to break into targeted networks. But researchers explained that these attacks are not sophisticated and have a high rate of successful compromise.

The most vulnerable organizations are those that depend on remote access over manual maintenance, network expansion and drift, unsecured industrial internet of things sensors and devices, vulnerable third- and fourth-party networks. Operational technology is most targeted, however, healthcare shares many of these same vulnerabilities.

ICIT predicted that 2019 will be remembered as the year of disruptionware, while others have “more narrowly categorized the emerging threat as a permanent denial of service attack.” For example, California’s Wood Ranch Medical was forced to permanently close after a ransomware attack damaged their computer system and made it impossible for the provider to restore patient data.

“Disruptionware has the potential to cause a number of highly impactful risk scenarios to materialize within organizations including that can bring down a business unit or an entire company for hours, days, or weeks,” researchers wrote.

“Organizations with extensive OT networks must act immediately to secure their combined IT and OT networks against the emerging ransomware threat before a single incident metastasizes into a global epidemic,” they added.

As of September, McAfee found that ransomware attacks have doubled in 2018, with hackers ramping up brute-force attacks on RDP and SMB.

On Tuesday, Emsisoft revealed that between the first and third quarters of 2019, 491 healthcare providers were hit with ransomware. Researchers noted there’s been a steady increase in attacks targeting software commonly used by managed service providers and other third-party services providers.

Microsoft noted in March that these attacks have continued to pummel all sectors, while Carbon Black Global Incident Response Threat Report showing that 50 percent of cyberattacks target supply chain. According to Emsisoft, hackers are also demanding larger ransoms: “If one organization is willing to pay to $500,000, the next may be willing to pay $600,000.”

Email and remote desktop protocol continue to be the most targeted vector, especially on unpatched systems, misconfigured security settings, and brute force attacks on weak login credentials.

“There is no reason to believe that attacks will become less frequent in the near future,” Fabian Wosar, CTO at Emsisoft, said in a statement. “Organizations have a very simple choice to make: Prepare now or pay later.”

Source: Ransomware Forces 3 Hospitals into Downtime, as ‘Disruptionware’ Emerges