It sounds like the plot of a Hollywood thriller, but the all-too-real scenario played out this month at a large Los Angeles hospital: Hackers seized control of critical computer systems and the hospital paid a $17,000 ransom to release them.
Source: NY Times
So-called ransomware attacks have increased significantly in the past year, security experts say, and the hospital, Hollywood Presbyterian Medical Center, is not the first to fall victim.
The Titus Regional Medical Center, a small hospital in Mount Pleasant, Tex., experienced a similar attack last month, which knocked its core electronic medical record system offline. It, too, paid the ransom, according to Shannon Norfleet, a hospital spokeswoman.
Those in the security industry say such attacks are becoming more prevalent, but are rarely made public.
“We get over 100 calls and emails a month from different organizations that have had some form of ransomware impact their environment,” said Charles Carmakal, who oversees breach investigations for clients of Mandiant, a consulting unit of the security firm FireEye. “Nobody talks to the media about it.”
In a statement released Wednesday, Allen Stefanek, the president of Hollywood Presbyterian, described the two-week battle that his hospital fought to regain control of its data after a malware attack was detected on Feb. 5.
The attack did not disrupt medical care or compromise the personal information of employees or patients, he said. Instead, it blocked hospital employees from using email and other forms of electronic communication by using encryption to lock them out of the system.
Mr. Stefanek said hospital administrators were told that if they wanted to gain access to their network again, they would have to pay the attackers, who would then give them the decryption key. Mr. Stefanek said that the hospital had contacted the authorities when the malware attack was first detected.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Mr. Stefanek said. “In the best interest of restoring normal operations, we did this.”
Health care providers are required to tell patients of any breaches that compromise their personal information or health data, but a typical ransomware attack would not fall into that category. The attackers do not need to gain access to the underlying data in order to encrypt it and prevent others from viewing it.
Once compromised, an organization has little choice but to pay up or say farewell to its data, according to Levi Gundert, who oversees information security strategy for Recorded Future, a threat analysis firm.
“There’s really no workarounds for it,” he said. “It’s very frustrating for both law enforcement and the victims themselves.”
Hollywood Presbyterian’s attackers demanded their payment in the form of 40 Bitcoins, a difficult-to-trace currency that has become the currency of choice for online criminals.
Ransomware attacks are on the rise, industry researchers say, because they work. A research team at Dell gathered data from one ransom-payment server and found that it collected $1.1 million in a six-month period. McAfee Labs, Intel’s security research unit, detected 638,000 new ransomware variants in 2014. Last year, that number shot up to nearly 3.8 million.
Many ransomware attacks are random, and comparatively low-tech and blunt. Victims are most often infected by clicking a malicious link in an email or by malware delivered through a web browser, frequently hidden in advertisements. The average payment demanded is just $300, according to the security firm Symantec, a sum that is within reach for the individuals and small businesses that most often fall prey to these schemes.
But Mr. Carmakal said he was seeing a growing number of attackers targeting businesses and other organizations with deeper pockets. In those attacks, the hackers may go to greater lengths to remove data — not just lock access to it — and threaten to release it publicly if they are not paid.
“Automated malware doesn’t know if an organization has $100,000 or not. A human knows,” he said. “We’ve seen an uptick in those kinds of attacks over the past year. We’ve seen attackers ask for $10,000 to seven-figure values to delete the data” in their possession.
As ransomware attacks grow more frequent, they are increasingly hitting organizations that deal in public safety and other critical functions. Over the past year, the attacks have affected police departments and school districts across the country.
Health care organizations seem to be particularly vulnerable to hacking attacks because they have been slower to embrace sophisticated backup systems and other security measures than other industries, like financial services, said Katherine Keefe, the head of breach response services at Beazley, an insurance company.
Her team investigated 1,200 breaches last year, about half of them at health care providers. The rate of ransomware attacks has noticeably increased in the last six to eight months, she said.
“The criminals see that there’s money to be made, and I think they believe they can hold organizations over a barrel,” Ms. Keefe said.
The cost of an attack goes far beyond the usually modest sum demanded for ransom. It took Hollywood Presbyterian 10 days to restore its systems, Mr. Stefanek said.
Laura Eimiller, a spokeswoman for the Federal Bureau of Investigation in Los Angeles, said the agency had begun an inquiry into the attack, but she provided no further details.