WannaCry Ransomware Variant Attacks FirstHealth Data

A new WannaCry ransomware variant has been used to attack FirstHealth of the Carolinas, a Pinehurst, SC-based not-for-profit health network.

WannaCry ransomware was used in worldwide attacks earlier in May. Over 230,000 computers were infected within 24 hours of the global attacks starting. The ransomware variant had wormlike properties and could spread rapidly, affecting all vulnerable networked computers. The campaign was brought to an end when a kill switch was identified and activated, preventing file encryption by the virus. However, FirstHealth has discovered the malware used in its attack and believes it is a new WannaCry ransomware variant.

The FirstHealth ransomware attack happened on October 17, 2017. The ransomware is thought to have been introduced via a non-clinical device, although reviews of the initial entry point are ongoing to determine exactly how the virus was introduced.

FirstHealth has stated that its information system team discovered the attack immediately and implemented security protocols to prevent the spread of the malware to other networked computers. While the attack was discovered rapidly, the ransomware did spread to other devices in the same work locations.

FirstHealth has released a statement confirming the ransomware attack did not include the encryption of patient data, and reports that its Epic EHR was not harmed. However, access to its Epic system has been restricted as part of its security protocol to prevent the encryption of patient information, and the system is still inaccessible. The MyChart service is online, but no data has been uploaded to the system since the attack happened.

Even though the attack was restricted, it has caused considerable harm. FirstHealth has the difficult task of individually checking 4,000 devices spread across 100 locations to confirm they have not been infected with the virus – a process that will take a significant amount of time.

FirstHealth is providing ongoing medical services to patients, although the health network has had to cancel some appointments and patients are experiencing delays due to the lack of access to its data systems. FirstHealth commented, “Our team is working tirelessly to remediate the virus and get our system back up to be fully operational.”

FirstHealth says a patch to address the weakness exploited by the new WannaCry ransomware variant has been developed and is being issued to all vulnerable devices. FirstHealth commented, “This patch will be added to anti-virus software available for others in the industry to apply to their systems,” implying it is not the same patch (MS17-010) that Microsoft made available in March to address the SMB weakness that the May 2017 WannaCry cyberattacks exploited.