Ransomware on rampage across myriad sectors of Japan

The Yomiuri Shimbun
Staff at Handa Hospital in Tsurugi, Tokushima Prefecture, keep records by hand on Nov. 26 because the municipal hospital is unable to access electronic medical records after a ransomware attack.

In the predawn hours of Halloween, an eerie event occurred at the Tsurugi municipal Handa Hospital in Tokushima Prefecture.

Dozens of printers suddenly began operating and A4-size sheets of paper filled with English text were printed continuously, until the machines ran out of paper.

A nurse picked up a sheet of paper that said data had been stolen and encrypted, and that unless a ransom was paid, the data would be disseminated to the public.

The hospital had been hit by ransomware, a currently rampant form of malware that demands ransom from victims in return for regaining access to data.

The staff of the 120-bed hospital found they could not view the electronic medical records of about 85,000 patients. As soon as day broke, the hospital called the Tokushima prefectural police. It also informed neighboring hospitals that it would suspend the acceptance of ambulances and set up a response center to handle the matter.

From Nov. 1, the hospital stopped accepting new patients.

Today, the hospital staff is still keeping medical records by hand.

“I did not expect cyber-attacks would cause such damage,” a senior hospital official said. “It’s just like a disaster.”

The hospital is having its computer system rebuilt at a cost of about ¥200 million, rather than responding to the ransom demand.

From Jan. 4, the hospital aims to resume the acceptance of new patients.

Insufficient security

Many types of ransomware started to emerge overseas about a decade ago and attacks have been confirmed in Japan since around 2015.

These cyber-attacks have targeted not only important infrastructure such as hospitals, but even shops in regional areas.

While victims should not respond to ransom demands in principle, some businesses said that they had paid the ransom.

“I wanted to get my important files back,” said a man in his 40s who operates a fish shop in Hokkaido. “I was desperate.”

According to the man, he opened an email attachment on his computer in August 2017. Suddenly, all the files stored on the computer were encrypted. English text displayed on the screen demanded that the man pay bitcoins worth about ¥300,000 in return for a decryption key.

His fish shop is popular, visited by 700 people a day, and the computer stored ledgers from the past 15 years. If he couldn’t retrieve the data, he would have no idea what and how much he had sold. So he decided to pay the ransom, opening a bitcoin account.

Ten days after the attack, he transferred bitcoins in the amount requested to an account designated by the attacker. The next day, he received an email containing a 16-digit password. He entered the password and about 80% of the files were recovered.

“I had been lax with security measures,” he said with regret.

Double extortion

This past autumn, a site operated by an international cybercrime group displayed messages counting down the time to the public release of stolen data.

The site hinted at the contents of the data, and judging by the names it specified, some of the data apparently belonged to Japanese companies.

“If our customers’ information is disclosed, we’ll be in big trouble,” an official of a company named by the site said to The Yomiuri Shimbun.

In addition to the traditional attacks of encrypting data and demanding a ransom in return for a decryption key, most attackers now make use of this double extortion tactic by threatening to release stolen data.

Ransomware attacks have also become more sophisticated. Originally, spam was used as a way to enter computer systems, but recently, attacks targeting specific companies and organizations have become more prevalent.

According to cybersecurity company Trend Micro Inc., 96 ransomware infection cases were reported by Japanese corporations in the 12 months through September 2021, up by 25 cases from the previous 12-month period.

Many companies and organizations, however, are believed not to have reported such attacks to police or other authorities because they are concerned about reputational damage.

The increase in teleworking also has had an impact.

Yuu Arai, a security expert at NTT Data Corp., pointed out that virtual private networks are now used more frequently to access a company network from home and there are many ransomware attacks targeting VPNs.

“It is important to introduce not only user IDs and passwords for VPNs,” he said, “but also two-factor authentication such as one-time passwords.”