The ‘Humber River Hospital’ in Toronto, Canada, has announced the implementation of “Code Grey,” which is a response plan meant to help the institute cope with an ongoing crisis. In this case, the crisis concerns a ransomware attack, and unfortunately, “Code Grey” also means the loss of essential services. As such, the hospital has canceled a variety of clinics, posted signs to inform visitors of the fact. The surgeries will continue as planned for the time being, but those who needed emergency care will go through an ambulance redirect to other clinics.
This is a major acute care hospital that has 722 beds, hospitalizes 30,000 people annually, and also receives 135,000 emergency visits yearly. That is almost 370 people seeking emergency care each day, so these cases will now have to be rerouted elsewhere, potentially risking their lives in the process. This is very sad - and yet another example of the complete lack of ethics in the ransomware space.
As the announcement explains, the attack unfolded on June 14, 2021, one day after the systems were patched and all the latest available updated had been applied. This means the malware used for the attack used a zero-day flaw, but no more details in that regard are given. The hospital’s IT team shut down all IT systems, including patient health records - and while a few files had been corrupted, the vast majority of the data remained untouched.
The hospital emphasizes that no confidential information was accessed by the actors, but we will have to wait for a while and see about that. The fact that some files were corrupted means the encryption process had been initiated at the time of the intervention. Typically, ransomware actors enter this step after exfiltrating everything they need for the next phase - the extortion.
The hospital hasn’t clarified which group is responsible for this, and we have checked on the Tor portals of the most notorious groups, and for now, we can see nothing relevant to Humber River. Usually, actors post new victims after some time has passed and the deadline to resolve the incident between the two parties has been reached.
Humber River says all of its 5,000 computers (800 of which are servers) will be manually restarted and updated with a patch developed and provided by Symantec. This is estimated to take approximately 48 hours, so Code Grey will remain in place until at least tomorrow.