A virtual standoff had been taking place in Los Angeles at the Hollywood Presbyterian Medical Center, and it’s a “ransom” situation few knew about. According to the Head of Malware Intelligence at Malwarebytes, Adam Kujawa, the hospital ended up paying 40 bitcoins ($17,000) to appease the hackers. “Unfortunately, a lot of companies don’t tell anybody if they have fallen victim to ransomware and especially if they have paid the criminals. I know from the experiences I hear about from various industry professionals that it’s a pretty common practice to just hand over the cash.”
Hackers know this, too, so it’s a pretty sweet position for a criminal to put themselves in. Victims, like this hospital, know that asking for help also means that the fact they were breached will be made public. That might make them look unprofessional and untrustworthy—particularly in instances where medical records may be involved. Is it a bigger loss to pay 40 bitcoins or refuse to pay and risk letting your colleagues, clients, employees, and others know about it? Many victims take the financial loss rather than risk lawsuits and damage to their reputation.
Standing Your Ground
Traditionally, experts recommend not paying a ransom. However, Kujawa notes that there are some circumstances where even law enforcement says it’s a good idea. Thus far, the FBI has confirmed that they are investigating a ransomware situation at the hospital, but have released no further details. This isn’t a rare situation. In 2013, ransomware attacks rose at a staggering rate each month, starting with about 100,000 at the beginning of the year and ending with 600,000 by December (as reported by Symantec).
McAfee Labs has also chimed in after studying Intel Corp.’s own ransomware data. They suggest that ransomware will really skyrocket in 2016 solely because of new and better technology. They estimate that about three percent of victims will pay a ransom rather than taking another route. The LA hospital incident was first pinpointed on February 5, according to the CEO, Allen Stefanek. The ransom standoff lasted ten days before payment was made and all was restored. However, the hospital has kept quiet on whether any outside agency encouraged them to pay the ransom.
Quick and Dirty
Stefanek said in a statement that “the quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.” That may very well be true. Still, nobody has a clue about who launched the attack and police have not said if there are any suspects. Bitcoins by design are difficult to trace, and preferred by many hackers. Fortunately, no patient care was impacted by the attack and there’s no suggestion that personal data was collected.
It has also not been revealed whether this attack was easily preventable, for example by regularly changing passwords or by upgrading from a basic shared plan to a dedicated host or a virtual private server (VPS) host.