Indiana hospital pays $55,000 after ransomware attack

Hancock Health, based in Greenfield, Indiana, has confirmed that it paid $55,000 in bitcoin after suffering a ransomware attack in January.

Staff at the hospital reported that its computers slowed down on the night of Thursday, January 11, and a short time later the screens were locked and displayed a ransom note.

The hospital said it updated medical records by pen and paper – something it practices regularly – and as such experienced few administrative problems.

Hancock Health CEO Steve Long believes the criminal hackers breached the hospital’s systems by logging in with a third-party vendor’s credentials. The attack affected the hospital’s email system, electronic health records, and internal operating systems. According to local media, the attacks targeted more than 1,400 files and renamed them “I’m sorry.”

The trouble with ransoms

There’s always a high level of risk when paying ransoms, because there’s no guarantee that the criminals will keep their word and provide the necessary decryption keys. There is also the ethical issue: paying criminals funds future attacks and encourages them to be more ambitious.

Hancock Health’s decision to pay the ransom will no doubt frustrate cybersecurity experts, who almost always advise against meeting criminals’ demands. The hospital was in as good a position as possible to ignore the ransom – it even had access to backups – but decided to pay up anyway.

It’s not just management who are ignoring cybersecurity experts’ advice, it’s some of the most influential people in the country: TV writers. Steve Long said he watched last year’s midseason finale of Grey’s Anatomy after Hancock Health was attacked. The episode, which only occasionally flirts with realism, features a ransomware attack at Grey Sloan Memorial Hospital. After demanding a $20 million ransom and sending the hospital into chaos, the hospital’s staff vow to pay off the criminal.

Targeting hospitals

The ransomware behind the attack at Hancock Health was reportedly SamSam, which is known for targeted rather than opportunistic attacks. ZDNet says that it can be used in “web shell deployment, batch script usage for running the malware over multiple machines, remote access, and tunnelling.”

Commenting on the attack, Gary Cox, technology director for Western Europe at Infoblox, told SC Media: “The healthcare industry has become a prime target for cyber-criminals. Not only is the sensitive information held by healthcare organisations immensely valuable on the dark web, fuelling healthcare fraud in the US, but cyber-criminals are increasingly seeing the value of the ransom over resale e-crime model, due to the immense pressure that hospitals are under to avoid any disruption.”

Cox praised hospitals that had a plan in place for ransomware attacks, but said: “[A]s all good healthcare professionals know, prevention is better than treatment. All organisations must ensure that their security measures are up to scratch: from having all software patched and up to date and making sure users observe best practice, to deploying DNS effectively as an enforcement point to block ransomware.”

Raj Samani, chief scientist and fellow at McAfee, added: “[T]he cyber-security industry needs to make threat intelligence sharing an absolute priority. Traditionally many companies see their intelligence as a way of gaining a competitive advantage, however as the amount of disruption continues to increase, 2018 needs to be the year where intelligence sharing after a successful attack becomes the norm.”

Find out more about ransomware

No matter what industry you’re in, it’s important to be able to spot a ransomware attack and respond appropriately. Our ransomware infographic provides a solid introduction, explaining what it is, how it works, what happens when your system is infected, and how you can stop it.