Locky Ransomware Causes ‘Internal State of Emergency’ at Kentucky Hospital

The ransomware Locky took another victim this week: Henderson, Kentucky’s Methodist Hospital.

For a strain of ransomware that’s only been in the wild for a little more than a month, Locky has sure been able to make a name for itself.

The malware gained notoriety last month when it confounded administrators at the Hollywood Presbyterian Medical Center in Los Angeles and apparently took another victim this week in Henderson, Kentucky’s Methodist Hospital.

The hospital, a 217 bed acute care facility on the Ohio River, affixed a scrolling red bar to the top of its website this week claiming it was working in an “Internal State of Emergency due to a computer virus” that limited its “use of electronic web based services.”

The attack came after an employee opened a spam email attachment and initiated a Locky infection, according to KrebsonSecurity.com‘s Brian Krebs, who spoke with Jamie Reid, the hospital’s information systems director this week.

The attack began last Friday and lasted for four days. Officials at the hospital told a reporter at a local news station on Monday their system was “up and running.” Unlike Hollywood Presbyterian, which reportedly paid $17,000 to get its files back, Methodist officials claim not to have paid.


The hospital’s chief operating officer David Park told 14 News last Friday that the attackers copied patients’ records, encrypted them and deleted the originals, a pattern of activity that resembles Locky. As is customary with attacks of this nature, Park acknowledged the hospital was working with the FBI and that it activated a backup of its system shortly after the attack started.

According to Reid, the ransomware quickly managed to spread from one machine to the entire network, something that forced the hospital to take all of its computers offline until it could scan each one for the ransomware.

Before the issue resolved itself, Park told Krebs the hospital hadn’t ruled out paying the ransom, adding that they weren’t planning on paying it unless they absolutely had to.

In a letter to hospital employees last Friday, Park and Bruce Begley, Methodist Hospital’s CEO, claimed the hospital’s Information Systems Department was looking into the issue and “working diligently in a systematic approach.” The memorandum encouraged departments to “utilize their down-time policy” and communicate strictly through text and “one-call now messages.”

Screen Shot 2016-03-23 at 8.54.20 AM

For what it’s worth officials at the hospital told 14 News’ Jessica Gavin that in the wake of the attack they’re restructuring their network and starting an employee training program to prevent future virus outbreaks.


While hospitals have increasingly found themselves targets for ransomware over the last few months, Lawrence Abrams, a computer forensics expert and founder of BleepingComputer.com, doesn’t think attackers are singling out them out in particular.

“I do not believe at this time that the ransomware developers and distributors in these stories are actually targeting hospitals. They are instead looking for vulnerable sites to hack in order to spread ransomware and hospitals that were infected did so by user error,” Abrams wrote Tuesday.

“I do believe, though, that business and organizations that are heavily data and document driven will in the future be specifically targeted by ransomware developers,” he said, adding that hospitals, lawyers, and architects will likely continue to be hit, since the infections leverage documents.

Researchers spotted the first spate of Locky infections, which used document-based macros to download and execute the payload, in early February. The early sightings were interesting in the sense that they used a technique employed by Dridex — trick a user into opening a booby-trapped Word file, get them to enable macros, then the ransomware goes to work.

Two weeks ago researchers at Trustwave observed a massive uptick in Locky distribution spurred by a different vector – an intense spam campaign – that suggests macros are no longer required.

The campaign sends users a .zip archive that contains malicious JavaScript that downloads and executes the Locky payload, according to researchers at zScaler who also witnessed a surge of infections over the last three weeks and published their findings Tuesday.

According to Deepen Desai and Dhanalakshmi PK, the researchers who penned the blog post, the ransomware has evolved into one of the most active and lucrative malware strains they’ve seen in the past three years.

Spam email attachments composed the majority of attacks the researchers saw. Once initiated, the payload for the Locky variant the researchers analyzed was a 32-bit Microsoft Visual C++ compiled Windows .exe file, packed via a custom packer routine.

As other outlets have noted, Locky encrypts files, it renames them with a “.locky” extension and prompts users to pay in Bitcoin to retrieve them. While Methodist Hospital didn’t have to pay a ransom, Krebs claims attackers originally asked the hospital for four Bitcoin, or roughly $1,600.

Suggested articles