An Alabama hospital system has paid its attackers in a ransomware attack that knocked its systems offline on Oct. 1.
Officials at the DCH Health System didn’t say how much the hospitals paid for the decryption key, but noted that they have started a “methodical” process of system restoration.
“We have been using our own DCH backup files to rebuild certain system components, and we have obtained a decryption key from the attacker to restore access to locked systems,” according to a website notice.
The system consists of a trio of hospitals: DCH Regional Medical Center, Northport Medical Center and Fayette Medical Center. As Threatpost previously reported, DCH administrators said that in the wake of the attack, medical staff have shifted operations into manual mode and are using paper copies in place of digital records. Also, new patients are being turned away.
The process will take a while: the hospitals have a sequential plan in place to decrypt, test and bring the network’s thousands of systems online one by one, starting with primary operating systems and essential functions for emergency care. Meanwhile, many hospital services remain offline.
“Although the attack has impacted DCH’s ability to accept new patients, we are still able to provide critical medical services to those who need it,” DCH said. “Patients who have non-emergency medical needs are encouraged to seek assistance from other providers while DCH works to restore our systems.”
The hospitals said they are working with law enforcement and outside IT security and forensics experts to address the incident. DCH did not return an inquiry from Threatpost on how the attack started.
To Pay or Not to Pay
Paying the ransom is generally not encouraged, as the FBI notes in its ransomware guidance. However, in an updated ransomware alert issued last week, the Bureau did acknowledge that there are some scenarios where it might make sense for the victim to pay up.
The FBI does not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data. In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key.
“Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals,” it said in its notice. “However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees and customers.”
Tim Erlin, vice president of product management and strategy at Tripwire, told Threatpost that the decision to pay is not to be made lightly.
“There’s no doubt that paying ransom ultimately increases the frequency of ransomware attacks,” he said. “Successful ransomware payments are the equivalent of market success for the attacker. On the individual level, it makes business sense to pay the ransom, and it makes business sense for the attacker to follow through on the decryption process. At the macro-level, individuals paying ransom increases the frequency of ransomware attacks. If we’re going to change this pattern, we have to change this equation somehow.”
He added that cyberinsurance also plays into this dynamic.
“If there’s a benefit to the pattern of insurance paying ransom, it’s that it might drive more attention to preventive controls,” Erlin told Threatpost. “An insurer might calculate that paying the ransom is cheaper than not, but they’re also likely to figure out that the least expensive option is to avoid becoming a victim in the first place.”