Hackers Demand $3.6M To Restore Hospital Computers

John Lister's picture

A California hospital has been unable to use its computer system for more than a week because of a ransomware attack. The hackers are said to be demanding more than $3 million in exchange for restoring access.

The Hollywood Presbyterian Medical Center has confirmed the attack but is keeping many of the details quiet. Local news outlets say it doesn't appear any personal data has been compromised and no patients have been put at medical risk.

However, the attack has been highly disruptive. Staff are having to register new patients and update medical records on paper. Some patients and family members say either they've had to visit the hospital in person to get test results that would normally be emailed, or that the results are completely unavailable. (Source: nbclosangeles.com)

Scan Results Among Affected Data

In some cases, medical equipment is working but of limited use; for example, staff are unable to transfer the image from CT scans. The hospital's CEO has confirmed this has necessitated redirecting some patients to other facilities, with the emergency room situation "sporadically impacted." (Source: csoonline.com)

It appears the hackers have managed to use encryption to prevent staff from accessing files and have issued a financial demand to remove the encryption. Though there's no official confirmation of the figure, rumor among both medical staff and the local computer security community puts it at around $3.6 million.

Attack May Not Have Been Targeted

The actual demand is said to be for 9,000 units of the virtual currency Bitcoin. If such a payment were made, it would likely be much harder to trace the recipients than with a traditional US dollar payment.

It's unclear whether the hackers deliberately targeted the hospital or merely got lucky when a staff member mistakenly opened an infected file attachment or followed a link to a website that allowed the malware to get onto the system. The size of the demand suggests the hackers are well aware of the size of the organization they've infected.

Hospital officials say they are working with both local police and the FBI to help track down the attackers. There's been no word about whether management is considering paying the ransom.

What's Your Opinion?

Should the hospital pay the ransom? Is this an argument for greater security in major organizations? How severe should criminal penalties be for people who engage in such attacks, particularly when they involve health care facilities?

Comments

Dennis Faas's picture

It sure sounds to me like whoever was in charge of administering the computers wasn't doing their job - there should have been offsite backups of the systems in case something like this happened, which would have reversed the damage. That said, $3.6 million is an awful lot of money. They could probably spend a fraction of that and find a way to brute-force crack the encryption passwords using Amazon ECS cloud computers, for example. I certainly would not pay the ransom as there is no way to know if it will happen again in the future.

stooobeee's picture

Not only would you not know if it would happen again, but you would not know if they would honor the ransom promise. Why should they? Hospital technology should have prepared itself for the worst.

dan_2160's picture

The ransom amount was $17,000 in virtually untraceable bitcoins which the hospital paid. Somehow one media outlet reported the $3.6 million and everybody else just repeated the false figure. And that's the sorry state of journalism today -- especially online "journalism" -- where falsehoods like this are repeated endlessly with nobody bothering to actually dig for the facts.

Details at:
http://www.bbc.com/news/technology-35602527
http://www.latimes.com/local/lanow/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html

guitardogg's picture

Never, ever pay the ransom! I hope they track down the scum and bring them to justice!

jcgrande's picture

You are right Dennis, their IT Dept. failed them in many ways. In addition to off site back up, they should have off site images ready to load onto spare computers. In our hospital we have enough new and used unimaged computers to bring into key areas to keep vital services running. We may limp for a while but all essential systems would be up and running within a few hours. Also NEVER pay and hunt down and prosecute to the full extent of the law.

Doccus's picture

.. Seriously.. to call these monsters "hackers" is a slight on anyone who has ever fooled around with bits of code..

kevinb478's picture

Like all you other people commented on here and what Dennis said and everyone else, I'm not a computer wiz like Dennis, but still, in my opinion, I would have thought that the hospital would've had some sort of software installed that possibly detected the malware or whatever it was that got into the system and possibly blocked it before it got installed, even if they had opened an email or whatever, or maybe had a scanning software to check it to see if it was infected before opening the message or whatever it was. But anyway, still some computer expert should be able to access the hospital's system and find the problem and repair it before it got any worse. So far they said it didn't affect any patient information, if I had read it right, but who knows that it's possible that it possibly could access patient info and maybe other things. But it's a win/lose situation: if they pay the ransom they may not disable it, then again if they do pay who knows if they may not, like stooobeee said they may not disable it, and it could get worse, like patient info and credit card info of customers' data that have paid their bill or insurance. And yes, I think that they should have backed everything up at the end of each day on another system.

tony.hoad_6451's picture

Hi Dennis - been getting your site for years and learnt a great deal, much appreciated - thanks for sharing

Sorry to disagree with you about brute force cracks for ransom ware - most ransom ware hacks use RSA-2048 key (AES CBC 256-bit encryption algorithm). While today's encryption algorithms can be broken, their security derives from the impractical length of time it can take to do so using the fastest computers available now.

"Assuming that enough computing power was amassed to test 1 trillion keys per second, testing all possible keys would take 10.79 quintillion years. This is about 785 million times the age of the visible universe (13.75 billion years). On the other hand, you might get lucky in the first 10 minutes." - Lamont Wood
http://www.computerworld.com/article/2550008/security0/the-clock-is-ticking-for-encryption.html

A brute force attack is technically feasible, but completely impracticable. Even quantum computers, when they arrive, would take enormous amounts of time to generate every key to find one that worked.

I agree - the IT folk are clearly not up to their job. It is trivial, even on a large network, to set up a backup routine using disk images which are kept offline, refreshed regularly and available in the event described - you can be back to normal within a few hours. I believe that some commercially available anti-virus programs can intercept and kill viruses like cryptolocker in real time before they cause any damage, but I haven't tested that yet.
cheers, and thanks again - If I am mistaken about my post I would be glad to be corrected

INXS9000RPM's picture

I take the view that such threats of ransom are Wake-up Calls for the affected industry. Seeing that our Attorney Generals never seem to inflict any "Pain" upon so many executives of previously hacked company systems, a good dose of Financial Extortion gets everyone's attention, including the Board of Directors'.

Unfortunately, this ransom will probably be paid by their Insurance company, rather than by fines of the CEO and CFO who signed-off the Financials [reviewed by their external auditors]. Such sign-off implicitly asserts [to the Public financials] the effectiveness of their computer security.

The mismanagement derives from these executives' naive reluctance to pay for a professional (external) security audit. Instead, in many, many cases, the executives gamble by relying on their internal Security Audit team's assurances. Sometimes I wonder whether the executives are also being badly counseled by their Legal Beagles; i.e. to confidently rely on their Internal Audit reports. I can imagine these lawyers, as a means of absolving the executives of any culpability, asserting that the company meets all legal requirements when relying on Internal Self-Audits.

It's strange how one never reads about Corporate Counsel being sanctioned in the media or in Courts. Maybe the Executive Counsel should also be personally fined to recoup such losses by non-destructive Ransom attacks.