Weekly podcast: hospital ransomware, USB trojan and iMessage security

In this week’s podcast, we look at another ransomware attacks on hospitals, a new USB trojan and a serious iMessage security flaw.

Hello and welcome to the IT Governance podcast for Friday, 25th March. Happy Easter. Here are this week’s stories…

First, more news of ransomware – malware that encrypts users’ files until a ransom is paid, at which point a decryption key is (usually) supplied.

Weeks after we reported that Hollywood Presbyterian Medical Center in Los Angeles paid criminal hackers a $17,000 ransom to regain control of its computer systems following a ransomware attack, it has emerged that three more US hospitals’ IT systems have been attacked.

Kentucky Methodist Hospital, Chino Valley Medical Center and Desert Valley Hospital, California were all infected with ransomware. None of the hospitals are thought to have paid a ransom and all three’s systems are now up and running again.

In the case of Kentucky Methodist Hospital, the pervasive new strain of ransomware called ‘Locky’ was identified. The Locky campaign is still rampaging, its success largely predicated on the fact that it spreads via JavaScript attachments that are designed to evade antivirus detection. (You’ll remember from our podcast two weeks ago that Trustwave had warned of “[extraordinarily] huge volumes of JavaScript attachments being spammed out”, which lead to the download of Locky.)

Be careful what you click, don’t open attachments unless you’re certain they’re safe, and train your staff to exercise caution.

Security experts at Eset have warned of a new trojan that spreads exclusively via USB devices – bad news if you think you’re automatically protected from attack if you’re not connected to the Internet. Dubbed ‘USB Thief’, the trojan leaves no evidence on compromised computers – meaning that after the USB is removed, there is no way of knowing that data has been stolen – and, Eset says, “uses a very special mechanism to protect itself from being reproduced or copied, which makes it even harder to detect.”

Use of USB Thief is not widespread, but it can be used in targeted attacks. Eset suggests that “USB ports should be disabled wherever possible and, if that’s not possible, strict policies should be in place to enforce care in their use. It’s highly desirable for staff at all levels to undergo cybersecurity training – including real-life testing – if possible”.

As we reported last November, a CompTIA study found that 17% of users picked up and plugged unknown USB sticks into their devices, and “technical literacy was not a determining factor” in their behaviour – more proof, if proof be needed, that staff training is essential for good corporate security.

Apple has released a new version of its mobile operating system – iOS 9.3 – which includes a patch to repair a serious flaw in its iMessage encryption system. (Yes, the same Apple that’s fighting the FBI over encryption.) The vulnerability was identified by researchers at Johns Hopkins University, who, according to the Washington Post, found that it “would enable a skilled attacker to decrypt photos and videos sent as secure instant messages”.

Professor Matthew D Green said: “Even Apple, with all their skills — and they have terrific cryptographers — wasn’t able to quite get this right. So it scares me that we’re having this conversation about adding back doors to encryption when we can’t even get basic encryption right.”

If you’ve got an iPhone or iPad – or use them at work – update to the new iOS as soon as you can. Your apparently encrypted iMessages are not quite as secure as you think.

And… that’s it for this week. Until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.


  1. Tom Ellis 29th March 2016
    • Lewis Morgan 30th March 2016