A ransomware outbreak has besieged a Wisconsin based IT company that provides cloud data hosting, security and access management to more than 100 nursing homes across the United States. The ongoing attack is preventing these care centers from accessing crucial patient medical records, and the IT company’s owner says she fears this incident could soon lead not only to the closure of her business, but also to the untimely demise of some patients.

Milwaukee, Wisc. based Virtual Care Provider Inc. (VCPI) provides IT consulting, Internet access, data storage and security services to some 110 nursing homes and acute-care facilities in 45 states. All told, VCPI is responsible for maintaining approximately 80,000 computers and servers that assist those facilities.

At around 1:30 a.m. CT on Nov. 17, unknown attackers launched a ransomware strain known as Ryuk inside VCPI’s networks, encrypting all data the company hosts for its clients and demanding a whopping $14 million ransom in exchange for a digital key needed to unlock access to the files. Ryuk has made a name for itself targeting businesses that supply services to other companies — particularly cloud-data firms — with the ransom demands set according to the victim’s perceived ability to pay.

In an interview with KrebsOnSecurity today, VCPI chief executive and owner Karen Christianson said the attack had affected virtually all of their core offerings, including Internet service and email, access to patient records, client billing and phone systems, and even VCPI’s own payroll operations that serve nearly 150 company employees.

The care facilities that VCPI serves access their records and other systems outsourced to VCPI by using a Citrix-based virtual private networking (VPN) platform, and Christianson said restoring customer access to this functionality is the company’s top priority right now.

“We have employees asking when we’re going to make payroll,” Christianson said. “But right now all we’re dealing with is getting electronic medical records back up and life-threatening situations handled first.”

Christianson said her firm cannot afford to pay the ransom amount being demanded — roughly $14 million worth of Bitcoin — and said some clients will soon be in danger of having to shut their doors if VCPI can’t recover from the attack.

“We’ve got some facilities where the nurses can’t get the drugs updated and the order put in so the drugs can arrive on time,” she said. “In another case, we have this one small assisted living place that is just a single unit that connects to billing. And if they don’t get their billing into Medicaid by December 5, they close their doors. Seniors that don’t have family to go to are then done. We have a lot of [clients] right now who are like, ‘Just give me my data,’ but we can’t.”

The ongoing incident at VCPI is just the latest in a string of ransomware attacks against healthcare organizations, which typically operate on razor thin profit margins and have comparatively little funds to invest in maintaining and securing their IT systems.

Earlier this week, a 1,300-bed hospital in France was hit by ransomware that knocked its computer systems offline, causing “very long delays in care” and forcing staff to resort to pen and paper.

On Nov. 20, Cape Girardeau, Mo.-based Saint Francis Healthcare System began notifying patients about a ransomware attack that left physicians unable to access medical records prior to Jan. 1.

Tragically, there is evidence to suggest that patient outcomes can suffer even after the dust settles from a ransomware infestation at a healthcare provider. New research indicates hospitals and other care facilities that have been hit by a data breach or ransomware attack can expect to see an increase in the death rate among certain patients in the following months or years because of cybersecurity remediation efforts.

Researchers at Vanderbilt University‘s Owen Graduate School of Management took the Department of Health and Human Services (HHS) list of healthcare data breaches and used it to drill down on data about patient mortality rates at more than 3,000 Medicare-certified hospitals, about 10 percent of which had experienced a data breach.

Their findings suggest that after data breaches as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined. The researchers concluded that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.

Companies hit by the Ryuk ransomware all too often are compromised for months or even years before the intruders get around to mapping out the target’s internal networks and compromising key resources and data backup systems. Typically, the initial infection stems from a booby-trapped email attachment that is used to download additional malware — such as Trickbot and Emotet.

In this case, there is evidence to suggest that VCPI was compromised by one (or both) of these malware strains on multiple occasions over the past year. Alex Holden, founder of Milwaukee-based cyber intelligence firm Hold Security, showed KrebsOnSecurity information obtained from monitoring dark web communications which suggested the initial intrusion may have begun as far back as September 2018.

Holden said the attack was preventable up until the very end when the ransomware was deployed, and that this attack once again shows that even after the initial Trickbot or Emotet infection, companies can still prevent a ransomware attack. That is, of course, assuming they’re in the habit of regularly looking for signs of an intrusion.

“While it is clear that the initial breach occurred 14 months ago, the escalation of the compromise didn’t start until around November 15th of this year,” Holden said. “When we looked at this in retrospect, during these three days the cybercriminals slowly compromised the entire network, disabling antivirus, running customized scripts, and deploying ransomware. They didn’t even succeed at first, but they kept trying.”

VCPI’s CEO said her organization plans to publicly document everything that has happened so far when (and if) this attack is brought under control, but for now the company is fully focused on rebuilding systems and restoring operations, and on keeping clients informed at every step of the way.

“We’re going to make it part of our strategy to share everything we’re going through,” Christianson said, adding that when the company initially tried several efforts to sidestep the intruders their phone systems came under concerted assault. “But we’re still under attack, and as soon as we can open, we’re going to document everything.”

A 21-year-old Illinois man was sentenced last week to 13 months in prison for running multiple DDoS-for-hire services that launched millions of attacks over several years. This individual’s sentencing comes more than five years after KrebsOnSecurity interviewed both the defendant and his father and urged the latter to take a more active interest in his son’s online activities.

The jail time was handed down to Sergiy P. Usatyuk of Orland Park, Ill., who pleaded guilty in February to one count of conspiracy to cause damage to Internet-connected computers and owning, administering and supporting illegal “booter” or “stresser” services designed to knock Web sites offline, including exostress[.]in, quezstresser[.]com, betabooter[.]com, databooter[.]com, instabooter[.]com, polystress[.]com and zstress[.]net.

According to the U.S. Justice Department, in just the first 13 months of the 27-month long conspiracy, Usatyuk’s booter users ordered approximately 3,829,812 DDoS attacks. As of September 12, 2017, ExoStresser advertised on its website that this one booter service had launched 1,367,610 DDoS attacks, and caused targets to suffer 109,186.4 hours of network downtime (-4,549 days).

Usatyuk — operating under the hacker aliases “Andrew Quez” and “Brian Martinez,” among others — admitted developing, controlling and operating the aforementioned booter services from around August 2015 through November 2017. But Usatyuk’s involvement in the DDoS-for-hire space very much predates that period.

In February 2014, KrebsOnSecurity reached out to Usatyuk’s father Peter Usatyuk, an assistant professor at the University of Illinois at Chicago. I did so because a brief amount of sleuthing on Hackforums[.]net revealed that his then 15-year-old son Sergiy — who at the time went by the nicknames “Rasbora” and “Mr. Booter Master” — was heavily involved in helping to launch crippling DDoS attacks.

I phoned Usatyuk the elder because Sergiy’s alter egos had been posting evidence on Hackforums and elsewhere that he’d just hit KrebsOnSecurity.com with a 200 Gbps DDoS attack, which was then considered a fairly impressive DDoS assault.

“I am writing you after our phone conversation just to confirm that you may call evening time/weekend to talk to my son Sergio regarding to your reasons,” Peter Usatyuk wrote in an email to this author on Feb. 13, 2014. “I also have [a] major concern what my 15 yo son [is] doing. If you think that is any kind of illegal work, please, let me know.”

That 2014 story declined to quote Rasbora by name because he was a minor then, but his father seemed alarmed enough about my inquiry that he insisted his son speak with me about the matter.

Here’s  an excerpt of what I wrote about Sergiy at the time:

Rasbora’s most recent project just happens to be gathering, maintaining huge “top quality” lists of servers that can be used to launch amplification attacks online. Despite his insistence that he’s never launched DDoS attacks, Rasbora did eventually allow that someone reading his posts on Hackforums might conclude that he was actively involved in DDoS attacks for hire.

“I don’t see what a wall of text can really tell you about what someone does in real life though,” said Rasbora, whose real-life identity is being withheld because he’s a minor. This reply came in response to my reading him several posts that he’d made on Hackforums not 24 hours earlier that strongly suggested he was still in the business of knocking Web sites offline: In a Feb. 12 post on a thread called “Hiring a hit on a Web site” that Rasbora has since deleted, he tells a fellow Hackforums user, “If all else fails and you just want it offline, PM me.”

Rasbora has tried to clean up some of his more self-incriminating posts on Hackforums, but he remains defiantly steadfast in his claim that he doesn’t DDoS people. Who knows, maybe his dad will ground him and take away his Internet privileges.

I’m guessing young Sergiy never had his Internet privileges revoked, nor did he heed advice to use his skills for less destructive activities. His dad hung up on me when I called Wednesday evening requesting comment.

In addition to serving the 13-month jail sentence and three years of supervised release, Usatyuk will forfeit $542,925 in proceeds from the scheme, as well as dozens of servers and other computer equipment that powered his many DDoS-for-hire businesses.

National Veterinary Associates (NVA), a California company that owns more than 700 animal care facilities around the globe, is still working to recover from a ransomware attack late last month that affected more than half of those properties, separating many veterinary practices from their patient records, payment systems and practice management software. NVA says it expects to have all facilities fully back up and running normally within the next week.

Agoura Hills, Calif.-based NVA bills itself as is the largest private owner of freestanding veterinary hospitals in the United States. The company’s Web site says it currently owns roughly 700 veterinary hospitals and animal boarding facilities in the United States, Canada, Australia and New Zealand.

NVA said it discovered the ransomware outbreak on the morning of Sunday, Oct. 27, and soon after hired two outside security firms to investigate and remediate the attack. A source close to the investigation told KrebsOnSecurity that NVA was hit with Ryuk, a ransomware strain first spotted in August 2018 that targets mostly large organizations for a high-ransom return.

NVA declined to answer questions about the malware, or whether the NVA paid the ransom demand.

“It was ransomware, but we’ve been referring to it as a malware incident,” said Laura Koester, NVA’s chief marketing officer.

Koester said because every NVA hospital runs their IT operations as they see fit, not all were affected. More importantly, she said, all of the NVA’s hospitals have remained open and able to see clients (animals in need of care), and access to patient records has been fully restored to all affected hospitals.

“For a few days, some [pet owners] couldn’t do online bookings, and some hospitals had to look at different records for their patients,” Koester said. “But throughout this whole thing, if there was a sick animal, we saw them. No one closed their doors.”

The source close to the investigation painted a slight less rosy picture of the situation at NVA, and said the company’s response has been complicated by the effects of wildfires surrounding its headquarters in Los Angeles County: A year ago, a destructive wildfire in Los Angeles and Ventura Counties burned almost 100,00 acres, destroyed more than 1,600 structures, killed three people and prompted the evacuation of nearly 300,000 people — including all residents of Agoura Hills.

“The support center was scheduled to be closed on Friday Oct 25, 2019 due to poor air quality caused by wildfires to the north,” said the source, who asked to remain anonymous. “Around 2 am PT [Oct. 27], the Ryuk virus was unleashed at NVA. Approximately 400 locations were infected. [Microsoft] Active Directory and Exchange servers were infected. Many of the infected locations immediately lost access to their Patient Information Management systems (PIMs). These locations were immediately unable to provide care.”

The source shared internal communications from different NVA executives to their hospitals about the extent of the remediation efforts and possible source of the compromise, which seemed to suggest that at least some NVA properties have been struggling to accommodate patients.

A missive from NVA’s Director of Operations Robert Hill on Oct. 30 acknowledged that “we continue to be faced with a monumental effort to restore IT service [to] nearly 400 of our hospitals.”

“This really hit home for me Saturday,” Hill wrote. “One of my best friends had to take his Yellow Lab into Conejo Valley for urgent care. Thankfully CV was able to provide care as their [systems] were up and running, but many of our hospitals are not in as good shape.”

In an update sent to NVA hospitals on Nov. 6, the company’s new head of technology Greg Hartmann said its security system successfully blocked the ransomware from infiltrating its systems — at least at first.

“Because of the scale of the attack, the virus eventually found three smaller points of entry through accounts that were unaffiliated with NVA, but unfortunately opened within our network,” Hartmann said. “Upon discovery of the incident, our technology team immediately implemented procedures to prevent the malware from spreading; however, many local systems were affected. Still, we have many hospitals whose systems are not recovered. The technology team continues to set up interim workstations at each affected hospital while they prepare to rebuild servers.”

The source told KrebsOnSecurity that NVA suffered a separate ransomware infestation earlier this summer that also involved Ryuk, and they expressed concern that the first incident may not have been fully remediated — potentially letting the attackers maintain a foothold within the organization.

“This is the second time this year Ryuk struck NVA,” the source said. “The first time, NVA was rather open to all facilities about what happened. This time, however, they are simply referring to it as a ‘system outage.'”

Koester said some NVA facilities did get hit with a malware incident earlier this year, but that she did not believe ransomware was involved in that intrusion.

The Ryuk ransomware has made a name for itself going after businesses that supply services to other companies — particularly cloud-data firms — with the ransom demands set according to the victim’s perceived ability to pay. In February, payroll software provider Apex Human Capital Management chose to pay the ransom demand after a Ryuk infection severed payroll management services for hundreds of the company’s customers. And on Christmas Eve 2018, cloud hosting provider Dataresolution.net suffered a multi-week outage after a Ryuk attack.

According to a bulletin released by the FBI in May, cybercriminals had targeted over 100 U.S. and international businesses with Ryuk since August 2018. Security firm CrowdStrike estimated that attackers deploying Ryuk had netted over $3.7 million in bitcoin ransom payments between Aug. 2018 and January 2019.

Many people and organizations may be under the impression that ransomware attacks like Ryuk can appear at a moment’s notice merely from someone clicking a malicious link or opening a booby-trapped email attachment. While the latter appears to be the most common vector for ransomware infestations, an advisory released in September by the U.K’s National Cyber Security Centre suggests most Ryuk victims are compromised weeks or months before the ransomware is actually deployed inside the victim’s network.

“The Ryuk ransomware is often not observed until a period of time after the initial infection – ranging from days to months – which allows the actor time to carry out
reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximizing the impact of the attack,” reads the NCSC advisory, which includes tips on spotting signs of a Ryuk infection. “But it may also offer the potential to mitigate against a ransomware attack before it occurs, if the initial infection is detected and remedied.”

As for what changes NVA will be making to prevent yet another ransomware outbreak, an internal update on Nov. 7 from NVA’s chief information officer Joe Leggio said NVA was investing in software from Carbon Black, a cloud-based security solution that will be installed on all NVA property computers.

“Throughout my career, I have witnessed incredible advances in technology making our lives better,” Leggio wrote. “At nearly the same rate, the bad guys have been increasing the aggressiveness and sophistication of their attacks. As we rebuild, we are also thinking of the future. That is why we are investing in cybersecurity talent, new infrastructure, and better software.”

The Russian government has for the past four years been fighting to keep 29-year-old alleged cybercriminal Alexei Burkov from being extradited by Israel to the United States. When Israeli authorities turned down requests to send him back to Russia — supposedly to face separate hacking charges there — the Russians then imprisoned an Israeli woman for seven years on trumped-up drug charges in a bid to trade prisoners. That effort failed as well, and Burkov had his first appearance in a U.S. court last week. What follows are some clues that might explain why the Russians are so eager to reclaim this young man.

On the surface, the charges the U.S. government has leveled against Burkov may seem fairly unremarkable: Prosecutors say he ran a credit card fraud forum called CardPlanet that sold more than 150,000 stolen cards.

However, a deep dive into the various pseudonyms allegedly used by Burkov suggests this individual may be one of the most connected and skilled malicious hackers ever apprehended by U.S. authorities, and that the Russian government is probably concerned that he simply knows too much.

Burkov calls himself a specialist in information security and denies having committed the crimes for which he’s been charged. But according to denizens of several Russian-language cybercrime forums that have been following his case in the Israeli news media, Burkov was by all accounts an elite cybercrook who primarily operated under the hacker alias “K0pa.”

This is the same nickname used by an individual who served as co-administrator of perhaps the most exclusive Russian-language hacking forums ever created, including Mazafaka and DirectConnection.

Since their inception in the mid-aughts, both of these forums have been among the most difficult to join — admitting only native Russian speakers and requiring each applicant to furnish a non-refundable cash deposit and “vouches” — or guarantees — from at least three existing members. Also, neither forum was accessible or even visible to anyone without a special encryption certificate supplied by forum administrators that allowed the sites to load properly in a Web browser.

Notably, some of the world’s most-wanted cybercriminals were members of these two highly exclusive forums, and many of those individuals have already been arrested, extradited and tried for various cybercrime charges in the United States over the years. Those include convicted credit card fraudsters Vladislav “Badb” Horohorin and Sergey “zo0mer” Kozerev, as well as the infamous spammer and botnet master Peter “Severa” Levashov.

A user database obtained by KrebsOnSecurity several years back indicates K0pa relied on the same email address he used to register at Mazafaka and DirectConnection to register the user account “Botnet” on Spamdot, which for years was the closely-guarded stomping ground of the world’s most prolific spammers and virus writers, as well as hackers who created services catering to both professions.

As a reporter for The Washington Post in 2008, I wrote about the core offering that K0pa/Botnet advertised on Spamdot and other exclusive forums: A botnet-based anonymity service called FraudCrew. This service sold access to hacked computers, which FraudCrew customers used for the purposes of hiding their real location online while conducting cybercriminal activities.

K0pa also was a top staff member at Verified, among the oldest and most venerated of Russian language cybercrime forums. Specifically, K0pa’s role at Verified was in maintaining its blacklist, a dispute resolution process designed to weed out “dishonest” cybercriminals who seek only to rip off less experienced crooks. From this vantage point, K0pa would have held considerable sway on the forum, and almost certainly played a key role in vetting new applicants to the site.

Prior to his ascendance at these forums, K0pa was perhaps best known for being a founding member of a hacker group calling themselves the CyberLords. Over nearly a decade, the CyberLords team would release dozens of hacking tools and exploits targeting previously unknown security vulnerabilities in Web-based services and computer software.

A DIRECT CONNECTION?

According to security firm Cybereason, Russia has a history of using contractors — even cybercriminals — to run intelligence operations. These crooks-turned-spies “offer a resource to the state while enjoying a cloak of semi-protected ‘status’ for their extracurricular activities, provided they are directed against foreign targets.”

“Cybercriminals are recruited to Russia’s national cause through a mix of coercion, payments and appeals to patriotic sentiment,” reads a 2017 story from The Register on Cybereason’s analysis of the Russian cybercrime scene. “Russia’s use of private contractors also has other benefits in helping to decrease overall operational costs, mitigating the risk of detection and gaining technical expertise that they cannot recruit directly into the government. Combining a cyber-militia with official state-sponsored hacking teams has created the most technically advanced and bold cybercriminal community in the world.”

It’s probably worth noting that also present on both DirectConnection and Mazafaka were the core members of a prolific gang of online bank robbers called the JabberZeus Crew, who used custom versions of the ZeuS Trojan to steal tens — if not hundreds — of millions of dollars from hacked small businesses across the United States. In 2011, most of that crew was rounded up in an international cybercrime crackdown, although virtually all of them escaped prosecution in their home countries (mainly Russia and Ukraine).

I mention this because K0pa also was in regular communications with — if not a core member of –the JabberZeus crew. This gang worked directly with the author of the ZeuS trojan — Evgeniy “Slavik” Bogachev — a Russian man with a $3 million bounty on his head from the FBI. The cybercriminal organization Bogchev allegedly ran was responsible for the theft of more than $100 million from banks and businesses worldwide that were infected with his ZeuS malware. That organization, dubbed the “Business Club,” had members spanning most of Russia’s 11 time zones.

Fox-IT, a Dutch security firm that infiltrated the Business Club’s back-end operations, found that beginning in late fall 2013 — about the time that conflict between Ukraine and Russia was just beginning to heat up — Slavik retooled his cyberheist botnet to serve as purely a spying machine, and began scouring infected systems in Ukraine for specific keywords in emails and documents that would likely only be found in classified documents.

Likewise, the keyword searches that Slavik used to scour bot-infected systems in Turkey suggested the botmaster was searching for specific files from the Turkish Ministry of Foreign Affairs – a specialized police unit. Fox-IT said it was clear that Slavik was looking to intercept communications about the conflict in Syria on Turkey’s southern border — one that Russia has supported by reportedly shipping arms into the region.

To my knowledge, no one has accused Burkov of being some kind of cybercrime fixer or virtual badguy Rolodex for the Russian government. On the other hand, from his onetime lofty perch atop some of the most exclusive Russian cybercrime forums, K0pa certainly would have fit that role nicely.

Further reading, including the fascinating story on the diplomatic back and forth between Russia and Israel mentioned in the first paragraph: The Russian Hacker Who Just Became One of Israel’s Most Famous Prisoners.

How Russia Recruited Elite Hackers for Its Cyberwar

In July 2016, KrebsOnSecurity published a story identifying a Toronto man as the author of the Orcus RAT, a software product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. This week, Canadian authorities criminally charged him with orchestrating an international malware scheme.

The accused, 36-year-old John “Armada” Revesz, has maintained that Orcus is a legitimate “Remote Administration Tool” aimed at helping system administrators remotely manage their computers, and that he’s not responsible for how licensed customers use his product.

In my 2016 piece, however, several sources noted that Armada and his team were marketing it more like a Remote Access Trojan, providing ongoing technical support and help to customers who’d purchased Orcus but were having trouble figuring out how to infect new machines or hide their activities online.

Follow-up reporting revealed that the list of features and plugins advertised for Orcus includes functionality that goes significantly beyond what one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability to disable the light indicator on webcams so as not to alert the target that the RAT is active.

Canadian investigators don’t appear to be buying Revesz’ claims. On Monday the Royal Canadian Mounted Police (RCMP) announced it had charged Revesz with operating an international malware distribution scheme under the company name “Orcus Technologies.”

“An RCMP criminal investigation began in July 2016 after reports of a significant amount of computers were being infected with a ‘Remote Access Trojan’ type of virus,” the agency said in a statement.

The RCMP filed the charges eight months after executing a search warrant at Revesz’ home, where they seized several hard drives containing Orcus RAT customer names, financial transactions, and other information.

“The evidence obtained shows that this virus has infected computers from around the world, making thousands of victims in multiple countries,” the RCMP said.

Revesz did not respond to requests for comment.

If Revesz’s customers are feeling the heat right now, they probably should be. Several former customers of his took to Hackforums[.]net to complain about being raided by investigators who are trying to track down individuals suspected of using Orcus to infect computers with malware.

“I got raided [and] within the first 5 minutes they mention Orcus to me,” complained one customer on Hackforums[.]net, the forum where Revesz principally advertised his software. That user pointed to a March 2019 media advisory released by the Australian Federal Police, who said they’d executed search warrants there as part of an investigation into RAT technology conducted in tandem with the RCMP.

According to Revesz himself, the arrests and searches related to Orcus have since expanded to individuals in the United States and Germany.

The sale and marketing of remote administration tools is not illegal in the United States, and indeed there are plenty such tools sold by legitimate companies to help computer experts remotely administer computers.

However, these tools tend to be viewed by prosecutors as malware and spyware when their proprietors advertise them as hacking devices and provide customer support aimed at helping buyers deploy the RATs stealthily and evade detection by anti-malware programs.

Last year, a 21-year-old Kentucky man pleaded guilty to authoring and distributing a popular hacking tool called “LuminosityLink,” which experts say was used by thousands of customers to gain access to tens of thousands of computers across 78 countries worldwide.

Also in 2018, 27-year-old Arkansas resident Taylor Huddleston was sentenced to three years in jail for making and selling the “NanoCore RAT,” which was being used to spy on webcams and steal passwords from systems running the software.

In many previous law enforcement investigations targeting RAT developers and sellers, investigators also have targeted customers of these products. In 2014, the U.S. Justice Department announced a series of actions against more than 100 people accused of purchasing and using “Blackshades,” a cheap and powerful RAT that the U.S. government said was used to infect more than a half million computers worldwide.

It’s remarkable how many denizens of various hacking forums persist in believing that an end-user licensing agreement (EULA) or “terms of service” (TOS) disavowing any responsibility for what customers do with the product somehow absolves sellers of RAT programs of any liability when they then turn around and actively assist customers in using the tools to infect systems with malware.