Ransomware: In the Healthcare Sector

It is hard to ignore the recent increase in reporting of hospitals victimized by ransomware. Ransomware has become such an issue that the MS-ISAC, along with our partners at the National Health Information Sharing and Analysis Center (NH-ISAC) and Financial Services Information Sharing and Analysis Center (FS-ISAC), teamed up to host trainings around the country on how to defend against it. Ransomware is a type of malware that infects systems and files, rendering them inaccessible until a ransom is paid. When this occurs in the healthcare industry, critical processes are slowed or become completely inoperable. Hospitals are then forced to go back to utilizing pen and paper, slowing the medical process and ultimately soaking up funds that may otherwise have been allocated to the modernization of the hospital.

Typically, ransomware infects victim machines in one of three ways:

  • through phishing emails containing a malicious attachment
  • via a user clicking on a malicious link
  • by viewing an advertisement containing malware (malvertising)

Ever-evolving variants and tactics, techniques, and procedures (TTPs) make it hard for security experts to keep up. Additionally, platforms such as ransomware as a service[i] (RaaS) make it easy for anyone with little to no technical skill to launch ransomware attacks against victims of their choosing.


Recently, multiple hospitals across the country were infected with ransomware via outdated JBoss[ii] server software. In these cases, the attacker uploaded malware to the out-of-date server without any interaction from the victim, as opposed to infecting the hospitals through common workstations used by everyday staff. Hollywood Presbyterian Hospital in California was one of the hospitals affected, in a case which delayed patient care and ultimately resulted in the hospital paying $17,000 to re-gain access to files and their network. Actors used an open source tool, JexBoss, to search the Internet for vulnerable JBoss servers, and infected networks, regardless of what industry they were running on. While there is no definitive proof, some have speculated that the high ransom demands observed in healthcare related cases indicated the cyber threat actors were aware of who they had infected. They may have been aware that devices compromised in an infection process are often crucial to a hospitals’ mission, and the ransomware may render them inaccessible, delaying patient care while causing tremendous pressure to remediate the issue immediately. This pressure, combined with the fact that hospitals generally have financial resources on hand, potentially increases the likelihood the attackers will be paid.


For organizations which haven’t prepared for this attack, ransomware can be extremely damaging to day-to-day operations by blocking access to files and systems. MS-ISAC’s Primer on ransomware outlines the crucial steps every organization should take to heighten defenses against ransomware by properly securing networks, systems, and the end user. Keeping your anti-virus current, implementing proper email filtering, and maintaining up-to-date back-ups and storing them offline are just a few of the recommendations you’ll find in the Primer to help harden your organization against the threat of ransomware.

Want to learn more about how to defend your healthcare organization against ransomware? Watch this webinar to see how CIS & AWS can help you.



U.S. hospitals can get access to Malicious Domain Blocking and Reporting (MDBR) to help defend against ransomware at no cost. *


[i] What is RaaS? Ransomware as a service (RaaS) is a new platform designed to enable someone with very little know how about malware, code, or cyber attacks, to conduct a ransomware attack and turn a profit. RaaS is designed to operate with a user-friendly platform that allows the attacker to simply pick their victim, set the ransom, pick a payment deadline and bitcoin wallet address, and deploy a ransomware variant. The developers of many RaaS platforms take a percentage of whatever the attacker is paid.

[ii] What is a JBoss Server? JBoss is an open-source application server program, which is a platform for developing and deploying enterprise java applications, services, and web portals. JBoss is an open source alternative to commercial options such as IBM WebSphere, Oracle BAE, or SAP NetWeaver. The last JBoss version released was 7.1.1, in 2012. Following that final release, JBoss’s name was switched to Wildfly. If you are running an applications server by the name of JBoss… it is out-of-date and has been for years!

*While MDBR was offered at no-cost to U.S. private hospitals for a limited time, that offering has been discontinued in favor of MDBR+, a low cost, cloud-based secure DNS service that provides real-time reporting, custom configurations, and off-network device protection. Learn more about MDBR+ here.