The Canadian Nurses Association (CNA) says it has suffered a cybersecurity incident, but is not commenting on reports that the attack was ransomware.
“We can confirm we experienced an IT security incident on April 3, 2023, that affected some of our systems,” Alexandre Bourassa, the association’s head of public affairs, said in an email to IT World Canada. “The incident did not affect our operations.”
He was answering questions about a tweet on Sunday by Brett Callow, a British Columbia-based threat analyst for Emsisoft, who said the Snatch ransomware gang now lists the CNA as a victim. Bourassa was informed about the tweet but did not directly answer whether the attack was ransomware.
The CNA represents 460,000 nurses across the country in all categories – registered nurses, nurse practitioners, licensed and registered practical nurses, and registered psychiatric nurses. Provincial and territorial nurses' unions represent members in negotiations with their respective governments.
According to researchers at Sophos, the Snatch malware reboots an infected Windows computer into Safe Mode, where most security software does not run. It then encrypts the victims’ hard drives. Sophos believes the Snatch gang has been operating since 2018.
At the time of the 2019 Sophos report, the gang typically penetrated enterprise networks through automated brute-force attacks against vulnerable, exposed services such as Windows RDP (Remote Desktop Protocol). In one incident Sophos investigated, attackers initially gained access to a company’s internal network by brute-forcing the password of an administrator’s account on a Microsoft Azure server, then logged into the server using RDP.
Sophos found that the attackers installed monitoring software on about 200 machines, or about five percent of the organization’s computers. After that, the attackers installed several malware executables, including one designed to give them remote access to machines without relying on the compromised Azure server. The attackers also installed a free Windows utility called Advanced Port Scanner to find additional machines on the network that they could target.
According to a report in April by researchers at Gridinsoft, a Ukrainian anti-malware provider, those behind Snatch usually don’t steal data before encrypting it.
In addition to disabling third-party antivirus software, the report says that Snatch ransomware also suspends Windows Defender in a well-known way – by editing group policies. To prevent any recovery attempts, it also removes Volume Shadow Copies and backups that were created with basic Windows functionality. This, the report notes, is a common ransomware tactic.
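For defenders, the three behaviours described above (a forced Safe Mode boot, a Windows Defender policy edit and shadow-copy deletion) are most useful as a correlated signal on one host rather than as separate alerts. The following is an added example, not code from Sophos, Gridinsoft or the CNA: the command-line patterns, host names and log lines are assumptions constructed for illustration from standard Windows tooling, not indicators taken from either report.

```python
import re

# Behaviour -> command-line pattern (assumed patterns, not published IoCs).
RULES = {
    "safe_mode_boot": re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I),
    "shadow_copy_delete": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"
        r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "defender_policy_edit": re.compile(
        r"\breg(\.exe)?\s+add\b.*\\Policies\\Microsoft\\Windows Defender\b", re.I),
}
WINDOW_SECONDS = 600  # assumed correlation window

def classify(command_line):
    """Return the set of behaviours a single command line matches."""
    return {name for name, rx in RULES.items() if rx.search(command_line)}

def correlate(events, window=WINDOW_SECONDS, threshold=2):
    """Map host -> sorted behaviours when at least `threshold` distinct
    behaviours occur on that host within `window` seconds."""
    hits = {}
    for host, ts, cmd in events:
        for name in classify(cmd):
            hits.setdefault(host, []).append((ts, name))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            names = {n for t, n in seen[i:] if t - start <= window}
            if len(names) >= threshold:
                alerts[host] = sorted(names | set(alerts.get(host, [])))
    return alerts

# Constructed process-creation events: (host, epoch seconds, command line).
SAMPLE_EVENTS = [
    ("WS-014", 100, r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v <value> /t REG_DWORD /d 1 /f'),
    ("WS-014", 160, r"vssadmin.exe delete shadows /all /quiet"),
    ("WS-014", 220, r"bcdedit.exe /set {default} safeboot minimal"),
    ("SRV-BKP", 300, r"vssadmin.exe list shadows"),        # benign listing
    ("WS-022", 50, r"bcdedit /set {current} safeboot network"),
    ("WS-022", 5000, r"vssadmin delete shadows /for=C: /oldest"),  # outside window
]

if __name__ == "__main__":
    for host, behaviours in correlate(SAMPLE_EVENTS).items():
        print(host, behaviours)
```

Only WS-014 is flagged in the sample data: the benign shadow-copy listing matches no rule, and the two WS-022 events fall too far apart to correlate.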
In his response to IT World Canada, the CNA’s Alexandre Bourassa said the association immediately launched an investigation and hired leading third-party experts to spearhead aid efforts. “As a precautionary measure,” he said, “we notified the appropriate law enforcement authorities. We are unable to provide further information while this investigation is ongoing.
“We are working closely with our industry-leading partners to implement advanced security measures to protect our systems and prevent this type of incident in the future.”