National Veterinary Associates (NVA) has been hit with the Ryuk ransomware, in an attack that affects 400 clinics across the country.
The California company said that it could take a week for its facilities to be fully back up and running normally. Patient records, payment systems and practice management software were all locked up in the attack.
NVA said it discovered the ransomware outbreak on Oct. 27 and hired two outside security firms to help it recover. Affected clinics now have regained access to patient records.
NVA CMO Laura Koester confirmed the attack to independent researcher Brian Krebs, but declined to say whether the ransom was paid, or how it arrived on NVA systems. She noted that each NVA location runs its own IT operations; it’s unclear if there’s a wide-area network (WAN) or other common connection linking the affected locations (NVA has about 700 clinics in total). However, NVA head of technology Greg Hartmann said that it was a supply-chain attack.
“The virus eventually found three smaller points of entry through accounts that were unaffiliated with NVA, but unfortunately opened within our network,” Hartmann wrote in an internal memo obtained by Krebs. “Upon discovery of the incident, our technology team immediately implemented procedures to prevent the malware from spreading; however, many local systems were affected. Still, we have many hospitals whose systems are not recovered. The technology team continues to set up interim workstations at each affected hospital while they prepare to rebuild servers.”
NVA did not immediately respond to a request for comment, but Colin Bastable, CEO of security awareness training company Lucy Security, said that social engineering was the likely attack vector.
“Ninety-seven percent of successful attacks involve some form of social engineering, and over 90 percent start with a phishing email,” Bastable said via email. “When I demonstrate spoofing emails, around 10 percent of them get straight through to the prospect, after they always assure me that they have perfect defenses. This is especially so in government, which explains why ransomware is so effective in crippling state and local government. Ransomware attacks can wipe out entire systems in minutes – have a recovery plan and know what you will do when you are hit. Planning in advance is better than making it up when you have no phones, no email and no data.”
Ryuk is a ransomware strain distributed by the Russian-speaking Wizard Spider financial crime syndicate, first spotted in August 2018. Since then, it has been involved in several high-profile attacks, such as a coordinated, targeted ransomware cyberattack on 23 Texas local and state entities in August.
The Ryuk ransomware has recently added two features to enhance its effectiveness as well: The ability to target systems that are in ‘standby’ or sleep mode that it otherwise would have no ability to encrypt; and the use of Address Resolution Protocol (ARP) pinging to find drives on a company’s LAN. Both are employed after the initial network compromise of a victim organization.
“The destructive power of ransomware, especially Ryuk, continues to show how vulnerable organizations are regardless of their size,” Erich Kron, security awareness advocate at KnowBe4, said via email. “It is also a lesson in how long the impact of ransomware can be felt. According to Kaspersky, 34 percent of businesses hit with ransomware took a week or more to regain access to their data. That can be crippling to any size organization that’s not prepared for it.”