The new year is starting off with several ransomware attacks, including a high-profile attack at Allscripts. This particular incident highlights the significant time needed to recover and the impact of customer downtime.

We posted earlier in the month about how Hancock Health was recently targeted with a ransomware infection. The attack was initiated through the supply chain and used the SamSam ransomware variant. Hancock chose to pay the ransom to the hacker.

The latest ransomware attacks to hit the headlines highlight different response approaches: recovery vs payment.

Recovery and Payment Responses

Allscripts was also attacked using a variant of the SamSam ransomware. The electronic health records (EHR) vendor is still working to restore full operations after the January 18 attack.

The attack targeted Allscripts data centers, impacting those customers who used a hosted version of the EHR software. According to HIStalk, the vulnerability that was exploited wasn’t within the Allscripts application, so self-hosted customers are not at risk.

Allscripts continues to work on restoring data via backups, which were not affected by ransomware, and alternative access methods. They haven’t indicated whether they paid a ransom.

Allscripts released a statement late on January 22 that provided some additional details:

  • Roughly 1,500 clients were impacted, none of whom were hospitals or large independent physician practices. Services to many have been restored.
  • There is no evidence that data was removed from Allscripts systems.

Affected customers have been very vocal on Twitter, citing cancelled surgeries and patient appointments, and staff overtime hours.

DGH Engineering Ltd responded to its ransomware attack by paying the ransom demand. An employee fell prey to a malicious email in this case, clicking a link that resulted in encryption of the company’s servers and its backups.

Given the sensitive data affected, including payroll data, and the fact that backups were encrypted, the firm had little choice but to pay the ransom.

How to Prevent and Mitigate Ransomware Attacks

Here are some tactics organizations can employ to prevent and mitigate ransomware attacks:

  • A robust backup plan is key. Multiple backup copies in multiple formats ensure redundancy and guard against backup encryption by hackers.
  • For customers dependent on hosted or cloud-based services, assess how the vendor commits to responding in the event of a disaster. Does the vendor offer a downtime or disaster recovery service?
  • Periodic phishing simulations are necessary to keep staff vigilant. It’s a win-win situation: staff who avoid the scam prove readiness, and staff who fall prey get an opportunity for additional coaching.
  • Ransomware can be introduced via illegitimate use of valid logon credentials. Activity and network monitoring software can alert administrators to successful logins at unusual times or from unusual locations.
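As an added example that is not part of the original post or any vendor's product, the following Python script applies the last point above to a few constructed login records: it raises an alert when a successful login happens outside assumed business hours (07:00 to 19:59) or comes from a country the account has not previously logged in from. The log line format and the business-hours policy are assumptions made for the example.

```python
# Added example: detect successful logins at unusual times or from unusual
# locations, the kind of alert the post recommends for spotting misuse of
# valid credentials. Log lines below are constructed; the format is assumed.
from collections import defaultdict
from datetime import datetime

# Constructed sample records: "<ISO timestamp> <user> <result> <source country>"
SAMPLE_LOG = """\
2018-01-16T09:12:03 jdoe SUCCESS US
2018-01-16T17:45:10 jdoe SUCCESS US
2018-01-17T08:58:41 jdoe SUCCESS US
2018-01-17T10:03:22 asmith SUCCESS US
2018-01-18T02:37:55 jdoe SUCCESS US
2018-01-18T11:20:19 asmith SUCCESS RO
2018-01-18T11:21:02 asmith FAILURE RO
"""

BUSINESS_HOURS = range(7, 20)  # assumed policy: 07:00 to 19:59 local time


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, result, country)."""
    events = []
    for line in text.splitlines():
        ts, user, result, country = line.split()
        events.append((datetime.fromisoformat(ts), user, result, country))
    return events


def detect_unusual_logins(events):
    """Return (user, timestamp, country, reason) for each successful login that
    is outside business hours or from a country not seen earlier for that user."""
    seen_countries = defaultdict(set)  # per-user baseline built from earlier successes
    alerts = []
    for ts, user, result, country in sorted(events):
        if result != "SUCCESS":
            continue  # only successful use of credentials is of interest here
        reasons = []
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("unusual time")
        if seen_countries[user] and country not in seen_countries[user]:
            reasons.append("unusual location")
        seen_countries[user].add(country)
        if reasons:
            alerts.append((user, ts.isoformat(), country, ", ".join(reasons)))
    return alerts


def run_sample():
    return detect_unusual_logins(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```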
