Cyber Incident Victim: Norfolk General Hospital
Date: Mar 2016
Location: Canada
Summary
Norfolk General Hospital's website was compromised to distribute ransomware via the Angler exploit kit, which leveraged vulnerabilities in an outdated Joomla CMS installation. The attackers injected malicious code into the site's source code, and the injection was conditional: it delivered TeslaCrypt ransomware to first-time visitors (primarily staff, patients, and families) while serving a clean page to frequent visitors such as administrators, concealing the compromise from the people most likely to notice it. The ransomware encrypted victims' files and demanded $500 for decryption, doubling after one week. After being alerted to the compromise, the Ontario-based healthcare facility collaborated with its hosting provider to upgrade the vulnerable CMS. The incident exemplified the broader risk of unpatched web platforms being used as malware distribution points.
Description
On or around March 21, 2016, the website of Norfolk General Hospital in Ontario, Canada, was compromised to distribute ransomware to visitors. The hospital’s web portal, powered by an outdated Joomla content management system (version 2.5.6, compared to the then-current 3.4.8), contained vulnerabilities enabling attackers to inject malicious code directly into the site’s source code. Security researchers at Malwarebytes discovered the compromise after their honeypots visiting the site were infected with ransomware via the Angler exploit kit. Analysis of network traffic confirmed the malicious injection triggered the exploit kit, which delivered TeslaCrypt ransomware. The attack employed conditional logic, ensuring the malicious payload was served only once per IP address—returning visitors, including site administrators, saw a clean version of the site, while first-time visitors received the exploit.

The ransomware encrypted victims’ personal files and demanded a $500 ransom, doubling to $1,000 after one week. The compromised website primarily risked infecting staff, patients, and families likely to visit the hospital’s online portal. Malwarebytes notified Norfolk General’s IT team, providing evidence including screenshots, network packet captures, and the ransomware payload obtained during lab replication. The hospital confirmed collaborating with its hosting provider to upgrade the Joomla installation. The incident highlighted broader ransomware trends in Canada, where Malwarebytes detected over 10,000 ransomware instances affecting Canadian users in the first three months of 2016. No additional details regarding data loss, operational disruptions, or ransom payments by the hospital or its visitors were disclosed in the available source material.
