Newscasters seemed rattled by the news last week that Hollywood Presbyterian Medical Center paid hackers $17,000 in Bitcoin to regain access to a key system.
This is no surprise for security insiders. Ransomware for enterprises is a top trending threat. In fact, the center’s ransom pales in comparison to the $123,000 in Bitcoin demanded from a New Jersey school district in 2015; the district decided instead to rebuild systems from backups.
Security analysts say that anywhere from 3 to 40 percent of ransomware victims pay up. The FBI, the agency responsible for investigating ransomware, has no way to help. Instead, the FBI recommends paying the ransom if the victim has no unaffected backup from which to restore files. Several police departments have paid ransoms.
How did the medical center network become infected? The center has said it was not specifically targeted. It is likely that an insider such as an employee or contractor mistook an email from the attacker as legitimate communication and opened a malicious attachment or website. This phishing email may have been one of more than a million sent by the attackers behind new ransomware that security company Proofpoint reported last week.
Here is what typically happens: an attacker gets a piece of malware onto a device or system through a phishing scam and encrypts or locks files. On networks, malware can attempt to move laterally to encrypt more devices and systems. In the case of the medical center, attackers encrypted the mission-critical Electronic Medical Record system. When encryption is complete, a user sees an onscreen message that demands that the victim pay a ransom in order to decrypt or unlock the files. The machine and systems can’t be used until decrypted. The victim typically has to convert local currency into an electronic currency such as Bitcoin. When the ransom is paid, the attacker sends the victim an encryption key, which is a series of alphanumeric characters that the victim types on the locked device or system to decrypt the files and restore access.
From February 5 to 15, 2016, staff were unable to access the center’s Electronic Medical Record system, which contains the medical and treatment history of patients. The center issued a letter from Allen Stefanek, center President and CEO, which said that “this incident did not affect the delivery and quality of the excellent patient care.” However, it is hard to imagine that care at the 400-bed hospital didn’t suffer when caregivers couldn’t access prescription history, lab results, or imaging studies. Communication, possibly including email, was also affected.
The center paid the ransom because “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek’s letter said. Because ransomware often threatens to destroy encrypted assets if the ransom isn’t paid within a certain timeframe (often 72 hours for individual computers), the hospital may have been under pressure due to a pending deadline.
We recommend several best practices to help enterprises prevent and contain the spread of ransomware:
- Educate employees, contractors, and other insiders about the dangers of phishing emails with security training and monthly reminders
- Ensure that backups are managed in a way that prevents encryption (Ransomware will often encrypt online backups)
- Segment the network in ways that prevent lateral movement which limits the volume of assets that can be ransomed
- When considering new enterprise technologies, consider security to be an equal consideration with business functionality
- Hire vendor implementation teams with security expertise
- Hire IT staff with deep security knowledge in as many roles as possible
What can you do now to ensure your network is not exposing vulnerabilities? We offer free security assessments, and the results will help you identify exactly where you need to focus. Learn more about the free Security and Threat Prevention assessment here and contact us today to schedule the assessment.