US hospital pays $55,000 to hackers after ransomware attack

Hancock Health paid up despite having backups available.
Written by Charlie Osborne, Contributing Writer

Video: Why rising Bitcoin prices are not all good news for ransomware writers

Hancock Health has paid hackers $55,000 to unlock systems following a ransomware infection.

The hospital, based in Greenfield, Ind., revealed that a successful ransomware attack on Thursday held the hospital's IT systems hostage, demanding a ransom payment in Bitcoin (BTC) in return for a decryption key.

The cyberattackers requested the payment of four Bitcoins, worth approximately $55,000 at the time.

Hancock Health's chief strategy officer Rob Matt said in a statement that the attack took place at roughly 9:30 p.m., and while employees noticed the presence of malware immediately, it was too late to prevent the infection spreading to the hospital's email system, electronic health records, and internal operating systems.

According to local media, the threat actors behind the attack targeted over 1,400 files and renamed them to "I'm sorry" as part of the attack.

The hackers, which Hancock Health CEO Steve Long believes are located in Eastern Europe, gained access to hospital systems by logging in with a third-party vendor's credentials into the Hancock Hospital remote access portal.

Systems were then infected with SamSam ransomware. This particular type of malware targets vulnerable servers and after being installed on one machine propagates and spreads to others in the same network.

Known for use in targeted rather than opportunistic attacks, SamSam can be used in web shell deployment, batch script usage for running the malware on multiple machines, remote access, and tunneling. The scale of infection decides on the ransom demanded.

The hospital was given seven days to pay up on the pain of the files becoming permanently encrypted and inaccessible.

The hospital was still able to operate on the day and Friday by switching to pen-and-paper methods but later chose to pay the ransom -- despite backups being available.

Long said that while the backups could have been used to recover infected systems and the files encrypted by the ransomware, it may have taken "days, maybe even weeks," to restore order.

Such an endeavor would have also been expensive, and so the executive told The Reporter that "from a business standpoint, paying a small ransom made more sense."

When a business pays such demands, they are not only further funding ransomware operations but are also taking a risk. The promised decryption keys may not materialize or work, leaving victims both out-of-pocket and without access to their files.

However, in this case, the hackers handed over working decryption keys once they received their blackmail payment. By Monday, life was back to normal.

"These folks have an interesting business model. They make it just easy enough," Long said. "They price it right."

Read also: Ransomware: An executive guide to one of the biggest menaces on the web

"Through the effective teamwork of the Hancock technology team, an expert technology consulting group, and our clinical team, Hancock was able to recover the use of its computers, and at this time, there is no evidence that any patient information was adversely affected," Hancock Hospital said in a statement.

Patient information does not appear to have been compromised and both the FBI and an unnamed third-party cybersecurity firm are investigating the incident.

Top tips to stay safe on public Wi-Fi networks

Related stories

Editorial standards