Hancock Health, a hospital based in Greenfield, Indiana, made the decision to pay a $55,000 ransom when it become victim of a ransomware attack. The attack, which was noted immediately by employees, took place last Thursday and encrypted more than 1,400 files on the system. However, the hospital is quick to reassure that patient data has not been compromised.
SamSam ransomware was revealed to be the culprit behind this attack, with the hackers, according to the hospital’s CEO, located in Eastern Europe. SamSam is known to target vulnerable servers, and once it has infected one machine, it spreads to others on the same network.
It is noted that employees did not play a role in allowing the ransomware to enter, as in no malware infected email was opened. Rather, the hackers gained access to the system using the hospitals’ remote-access portal, where they logged in using outside vendor’s credentials.
The employees noticed the infection soon after in occurred, but it was already too late to stop it from affecting the email system, electronic health records and internal operating systems.
Staff had to switch to pen and paper
Local media reported that 1,400 files were affected and all of them were renamed “I’m sorry”. The hospital was given 7 days to pay a ransom, if they did not comply, files would be permanently encrypted. The entire network was taken down by the IT staff, and employees were asked to keep computers turned off to avoid further spreading.
The hospital was able to operate following the attack, with staff having to switch to pen-and-paper to keep track of medical records. The staff had regular practices so it did not cause too many issues. Reportedly, equipment used for treatment and diagnosis was not affected, and patients were unlikely to notice anything going on.
Despite having backups, the hospital gave into the demands
The hospital received demands to pay 4 Bitcoin, which at that time were worth around $55,000. Despite having backup, the hospital ultimately decided to pay, and by Saturday morning, they were waiting for the attackers to keep their end of the deal. By Monday, all files have been recovered and systems were running.
The hospital admitted that backup was available, but it could have taken days or even weeks to recover everything. Ultimately, this led to the decision to pay.
“Through the effective teamwork of the Hancock technology team, an expert technology consulting group, and our clinical team, Hancock was able to recover the use of its computers, and at this time, there is no evidence that any patient information was adversely affected,” the hospital said in a statement.
Many cybersecurity specialists and law enforcement agencies advise against paying the ransom, because not only is file recovery not guaranteed, the huge amounts of money paid only fuel the malware industry, encouraging more hackers to turn to ransomware. However, because many institutions are not prepared to deal with these kinds of attacks, they have no choice but to comply. Unfortunately, that only puts a target on their backs, because if they paid once, they are likely to pay again. Thus, the hospital, and any other institution that had paid a ransom, will have to strengthen their security, and possibly choose a different backup option.