Harry Perkins Institute and Medusa Ransomware Attack

ABC Radio Perth called me this morning to ask about a recent Harry Perkins Institute of Medical Research ransomware attack. The audio is now posted here and I am at position 1:35:20 onwards. A more specific bit has now been posted here by ABC. This post summarises the notes I took while preparing for the brief morning interview.

Medusa Group started in June 2021 and likely has Russian connections, as some of the scripts discovered had titles in Russian. Medusa should not be confused with the similarly named MedusaLocker (usually delivered via emails, so never click any links), which has been around since 2019 or so. There is a great Unit42 write-up about it that is worth a detailed read.

The group became famous in early 2023 when it attacked the Minneapolis School System and demanded a $1M ransom, which was not paid, and thus the data was released to the public. Later, in November 2023, the group hacked Toyota Financial Services by exploiting a remote desktop Citrix node that was not kept up to date. The group increased its activity significantly in 2024 in Australia, with the Victoria Racing Club hacked two weeks ago and then East Coast North Coast Petroleum hacked last week. Finally, this week the Harry Perkins Institute internal building camera recordings were put online and announced widely on the Medusa Blog:

Some of the attacks can be tracked here and many of those attacked choose not to pay like in the case of the NSW Crown Princess Mary Cancer Centre which found that the breach was not as widespread as initially announced.

Medusa Group normally exploits weaknesses in the Remote Desktop Protocol developed and widely used by Microsoft, which often has incorrect or out-of-date settings applied. With Australia relying further and further on Telehealth, and with medical providers across different states often having incompatible rules about how to access data and different regulations in place, this is ripe for exploitation. Furthermore, Medusa Group has a strong media arm that publicly announces all the exploits on the Medusa Blog, accessible via Torrent link that can be found in the Unit42 report above.

In the case of Harry Perkins, it seems that the breach was limited to the security guards' system, with access to internal camera data only, and is not likely to have extended to the private health records, although we won't know for sure for a few more days, until the official investigation is completed. Furthermore, the group could have been "lucky" and found access to an unsecured video camera feed, or used similar methods that often plague the remote video cameras that people unwittingly use at home and in other scenarios. One would hope that the IT systems were fully separated so that a breach in one system would not be able to propagate to the other systems. Medusa Group utilises tools such as NetScan to explore all possible devices reachable from the initially breached node. Finally, security always promotes the principle of least privilege, which we would hope any medical organisation would use when granting access to remote workers.

The usual sensible advice applies: keep your software up to date (Toyota failed that above), never-ever-ever click on links in any email no matter how trustworthy they look, and back up your data frequently and keep the backups offsite. Securing your remote desktop access in a healthcare setting is also of utmost importance.

To conclude, I want to repeat my call for the Australian Government to support our very strong research groups on Trustworthy Systems that can be mathematically proved to guarantee the absence of bugs and thus potential zero day exploits. Australia has some of the leading researchers in formal methods, secure programming language design, and related areas (including yours truly) and we desperately need our government to stop chasing unreachable Quantum dreams and instead fund research to improve deep trust in critical software. Please contact me for any further information!

Associate Professor Alex Potanin, Australian National University
