An Indiana hospital paid a ransom of $55,000 last week to get rid of ransomware that had infected its systems and was hindering operations.
The infection took root last week, on Thursday, January 11, when attackers breached the network of Hancock Health, a regional hospital in the city of Greenfield, Indiana.
Files renamed to "I'm sorry"
Attackers deployed the SamSam ransomware, which encrypted files and renamed them with the phrase "I'm sorry", according to the local newspaper that broke the news last week.
Hospital operations were affected right away. IT staff intervened and took down the entire network, asking employees to shut down all computers to prevent the ransomware from spreading to other PCs.
By Friday, the next day, the hospital was littered with posters asking employees to shut down any computer until the incident was resolved.
While some news sites reported that the hospital shut down operations, medical and management staff continued their work, but with pen and paper instead of computers. Patients continued to receive care on the hospital's premises.
Hospital had backups but decided to pay ransom demand
The hospital said that despite having backups, it opted to pay the ransom demand of 4 Bitcoin, which was worth around $55,000 at the time the hospital paid the sum, on Saturday morning.
Hospital management told local press that restoring from backups was not a viable option, as it would have taken days and possibly weeks to get all systems up and running. Hence, they decided that paying the ransom was quicker.
By Monday, all systems were up and running, and the hospital released a short statement on its site admitting to the incident, but with very few other details.
SamSam ransomware spread via RDP attacks in the past
SamSam, the ransomware used in this incident, first appeared two years ago and has been used in targeted attacks only. The SamSam crew usually scans the Internet for computers with RDP endpoints exposed to the Internet. Attackers break their way into large networks by brute-forcing these RDP endpoints and then spread to more computers. Once they have a sufficiently strong presence on the network, attackers deploy SamSam and wait for the company to either pay the ransom demand or boot them off the network.
While the hospital has not confirmed the typical SamSam attack scenario, it did say the infection was not a case of an employee opening a malware-infected email.
The FBI has long asked companies and individuals affected by ransomware to report any infections via the IC3 portal so the Bureau can get a better grasp of the threat and have the legal grounds to go after such groups.
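The intrusion path described above, brute-forcing exposed RDP endpoints, leaves a distinctive trace in Windows Security logs: a burst of failed RemoteInteractive logons (event 4625, logon type 10) from one source address, often followed by a success (event 4624) from the same address. The detector below is an added example, not code from the article or from the hospital; the log lines are constructed in a simplified key=value rendering of those event fields, and the threshold and window values are assumptions a defender would tune for their own environment.

```python
"""Flag RDP brute-force bursts in Windows Security events (added example).

Event 4625 = failed logon, 4624 = successful logon, LogonType 10 =
RemoteInteractive (RDP). The sample below is constructed, not real data.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one event per line, timestamp then key=value fields.
SAMPLE_LOG = """\
2018-01-11T02:13:05Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2018-01-11T02:13:06Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin
2018-01-11T02:13:07Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=backup
2018-01-11T02:13:08Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=nurse1
2018-01-11T02:13:09Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=scanner
2018-01-11T02:13:11Z EventID=4624 LogonType=10 IpAddress=203.0.113.7 TargetUserName=scanner
2018-01-11T02:20:00Z EventID=4625 LogonType=10 IpAddress=192.0.2.44 TargetUserName=jsmith
2018-01-11T02:41:00Z EventID=4625 LogonType=10 IpAddress=192.0.2.44 TargetUserName=jsmith
2018-01-11T02:41:30Z EventID=4624 LogonType=10 IpAddress=192.0.2.44 TargetUserName=jsmith
2018-01-11T02:42:00Z EventID=4625 LogonType=2 IpAddress=- TargetUserName=console
"""


def parse_event(line):
    """Turn one constructed log line into a dict with a parsed timestamp."""
    ts_str, *fields = line.split()
    event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_rdp_bruteforce(log_text, threshold=5, window_seconds=300):
    """Return alerts as (kind, ip, detail, timestamp) tuples.

    BRUTE_FORCE fires once per source IP when it accumulates `threshold`
    failed RDP logons inside a sliding window of `window_seconds`.
    SUCCESS_AFTER_BRUTE_FORCE fires when an already-flagged IP then logs on
    successfully over RDP, the moment a defender most wants to see.
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps of recent 4625s
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event.get("LogonType") != "10":  # only RDP-style logons matter here
            continue
        ip = event["IpAddress"]
        if event["EventID"] == "4625":
            queue = recent_failures[ip]
            queue.append(event["ts"])
            # Drop failures that fell out of the sliding window.
            while queue and (event["ts"] - queue[0]).total_seconds() > window_seconds:
                queue.popleft()
            if len(queue) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("BRUTE_FORCE", ip, len(queue), event["ts"]))
        elif event["EventID"] == "4624" and ip in flagged:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ip,
                           event["TargetUserName"], event["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

With the defaults, the five rapid failures from 203.0.113.7 raise a BRUTE_FORCE alert and the following 4624 escalates it; the two failures from 192.0.2.44 are 21 minutes apart, so they fall outside the five-minute window and are treated as an ordinary mistyped password. Widening the window (or lowering the threshold) trades that quiet for sensitivity to slow, low-volume guessing, which is the tuning decision a SOC has to make deliberately rather than by default.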
Image credits: Tom Russo / Greenfield Daily Reporter
Comments
Pointless_noise - 6 years ago
I can't believe this is the option they took. The more often people pay, the more this will happen, and with a disclosure like this the hospital has just painted a target on its back (along with similar facilities in the area). Their I.T. team/providers had better be on their A-game for the next few years, because if I were a crook I would already be looking for a way back in.
Occasional - 6 years ago
Agreed. Also, the directors should be reviewing what they've spent on IT security already. As inadequate as it has proved to be (or how can their in-place recovery plan be the less acceptable option), it must have cost them something!
Re: "...already be looking for a way back in." - there's a good chance it's still there, sleeping.
BeckoningChasm - 6 years ago
If their backup-restore system is going to take weeks to restore the data, that suggests they need a new backup-restore system.