New WannaCry Virus Attacks FirthHealth, Carolinas

FirstHealth of the Carolinas, a Pinehurst, SC-based not for profit health network, has recently announced that it has experienced a data breach. They have identified the cause of this breach to be the new, rampant, WannaCry ransomware variant.

WannaCry ransomware was used in worldwide attacks in earlier this year. More than 230,000 computers were infected within a day of the launch of the attacks. The ransomware variant had “wormlike” properties; it can spread rapidly and affecting all vulnerable networked devices, encrypting files and holding them for ransom. The campaign was blocked when a kill switch was identified and activated, preventing file encryption.  However, FirstHealth has identified the malware used in its attack and believes it is a new WarnnaCry ransomware variant.

The FirstHealth ransomware attack on the organisation occurred on October 17, 2017. The ransomware is believed to have been introduced via a non-clinical device, although investigations into the initial entry point are ongoing to determine exactly how the virus was introduced.

FirstHealth reports that its information system team detected the attack immediately. They rapidly implemented security protocols to prevent the spread of the malware to other networked devices. Although the attack was detected quickly, the ransomware was discovered to have spread to other devices in the same work areas.

The company has issued a statement confirming the ransomware attack did not involve the encryption of patient information, and reports that its Epic EHR was unaffected. However, access to its Epic system has been blocked as part of its security protocol to prevent the encryption of patient data. The system is still inaccessible. Their “MyChart” service is online, but no information has been uploaded to the system since the attack occurred.

FirstHealth now must check each of its 4,000 devices spread across 100 locations to confirm they have not been infected with the virus. This process will take a considerable amount of time and resources for the organisation to perform. However, they must do so to ensure that the malware does not cause further disruption.
FirstHealth is continuing to provide medical services to patients, although the health network has had to cancel some appointments. Patients are experiencing delays in receiving attention due to the lack of access to its systems. FirstHealth said, “Our team is working tirelessly to remediate the virus and get our system back up to be fully operational.”

FirstHealth says a patch to address the vulnerability exploited by the new Wannacry ransomware variant has been developed and the patch is being applied on all vulnerable devices. FirstHealth said, “This patch will be added to anti-virus software available for others in the industry to apply to their systems,” suggesting it is not the same patch (MS17-010) that was made available by Microsoft in March to block the SMB flaw that the May 2017 WannaCry attacks exploited.