New Variant of WannaCry Ransomware Detected in FirstHealth CyberAttack

A new variant of the WannaCry ransomware has been detected in a cyber attack on FirstHealth of the Carolinas, a Pinehurst, SC-based not-for-profit health provider.

WannaCry ransomware came to global attention in cyber attacks in May 2017. In excess of 230,000 computers were infected within one day of the worldwide attacks starting. The ransomware variant had wormlike features and was capable of spreading quickly and affecting all vulnerable networked computing technology. The hacking campaign was blocked when a kill switch was found and switched on, preventing file encryption. However, FirstHealth has identified the malware used in its cyber attack and is of the opinion that it is a new WannaCry ransomware variant.

The FirstHealth ransomware attack began on October 17, 2017. The ransomware is thought to have been introduced via a non-clinical device, although investigations into the initial entry point are continuing to determine exactly how the virus was introduced.

FirstHealth reports that its information system team found the attack immediately and put in place security measures to stop the spread of the malware to other networked devices. While the cyber attack was discovered quickly, the ransomware did infect other devices in the same work areas.

FirstHealth has published a statement confirming the ransomware attack did not encrypt patient information files, and reports that its Epic EHR was not under threat. However, access to its Epic data system has been restricted as part of its security protocol to stop the encryption of patient data, and the system is still inaccessible. The MyChart service is active, but no information has been added to the system since the attack began.

Although the attack was limited, it did cause some disruption. FirstHealth has the task of individually checking 4,000 computing devices spread across 100 office and remote locations to confirm they have not been infected with the new variant of the virus, a process that will take a considerable amount of time.

FirstHealth is continuing to provide medical services to its clients, although the health network has had to cancel some patient appointments and delays are being experienced due to the lack of access to its systems. FirstHealth remarked, “Our team is working tirelessly to remediate the virus and get our system back up to be fully operational.”

FirstHealth says a patch to address the flaw targeted by the new WannaCry ransomware variant has been developed and the patch is being rolled out to all vulnerable devices. FirstHealth remarked, “This patch will be added to anti-virus software available for others in the industry to apply to their systems,” suggesting it is not the same patch (MS17-010) that was made available by Microsoft in March to address the SMB vulnerability that the May 2017 WannaCry attacks targeted.

Author: Maria Perez