ECKAAA’s Servers Attacked by Ransomware


The Ottawa-based East Central Kansas Area Agency on Aging (ECKAAA) has recently announced that it experienced a ransomware attack. The attack caused files on one of the agency’s servers to be encrypted, and thus inaccessible to the agency. They announced that the files contained the protected health information (PHI) of 8,750 patients.

The attack occurred on September 5, 2017. It was immediately recognized by ECKAAA’s security software. The agency quickly implemented measures to limit the spread of the ransomware infection. Due to their quick actions, only parts of the server had files encrypted. Those files were discovered to contain names, telephone numbers, addresses, birthdates, Medicaid numbers, and Social Security numbers.

In response to the attack, ECKAAA hired a cybersecurity firm to assist with the investigation and determine the true extent and nature of the attack. The investigation, which took several weeks, revealed that the ransomware used was a variant of Crysis/Dharma. This ransomware family is known to encrypt files stored locally, on mapped network drives, and on unmapped network shares. Crysis/Dharma ransomware also deletes shadow volume copies to delay the recovery of the information.

The investigation did not find any evidence that data had been exfiltrated. However, the investigators were unable to determine whether the data had been accessed or stolen. ECKAAA reports that while not all files on the server were encrypted, the attackers potentially had access to all files saved on the server.

Prior to the ransomware attack, ECKAAA had implemented safeguards to protect against malware attacks and to ensure files could be recovered in the event of disaster. Although these measures were unable to block the ransomware attack, they made it possible for the agency to recover all the encrypted files without paying the ransom to the hackers.

Since the recovery of the files, ECKAAA has implemented several new measures to improve security. Those measures include the use of CrowdStrike advanced malware agents and a subscription to Cisco Umbrella Insights to improve security monitoring. Additional training has also been given to staff to improve awareness of the threat from ransomware, a full password reset has taken place, and staff have been reminded about the importance of selecting strong passwords. A review of policies and procedures is also taking place, and they will be updated accordingly to reduce the risk of future attacks occurring.

In compliance with the HIPAA Breach Notification Rule, ECKAAA conducted a full breach response. The incident was reported to the Department of Health and Human Services’ Office for Civil Rights, a substitute breach notice was placed prominently on the ECKAAA website, and media reports were submitted to prominent newspapers serving each of the five counties in which the agency operates. All individuals have now been notified of the potential breach of their PHI by mail.