After being knocked offline for nearly two weeks, officials at a California hospital that was hit with ransomware elected on Wednesday to pay attackers.
The Hollywood Presbyterian Medical Center (HPMC) shut down computers on its network on Feb. 5, after attackers allegedly asked for 9,000 Bitcoin, or just over $3 million USD, to unlock medical files stored on its system.
While the hospital didn’t pay anything close to that figure, they did pay 40 Bitcoin, or roughly $17,000 USD on Monday this week, according to a notice published last night by the center.
HPMC president and CEO Allen Stefanek defended the hospital’s actions, saying it was the quickest way to solve their problem.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek wrote. “In the best interest of restoring normal operations, we did this.”
While surprising, the move actually echoes sentiments expressed by Joseph Bonavolonta, Assistant Special Agent in Charge of the CYBER and Counterintelligence Program in the FBI’s Boston office, during a conference last fall.
“To be honest, we often advise people just to pay the ransom,” Bonavolonta told a crowd at the Cyber Security Summit in October.
That statement came just a few months after the agency first began warning users of ransomware, CryptoWall and CryptoLocker in particular. In that warning the FBI encourages users to visit the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (CERT) CryptoLocker webpage for help.
Paying the ransom is widely viewed as a bad practice. As experts have pointed out previously, there’s no guarantee victims will receive their files back. On top of that, the move incentivizes the attacker to create more ransomware.
Jornt van der Wiel, a security researcher with Kaspersky Lab’s Global Research and Analysis Team who presented at SAS, rattled off a list on Thursday of potential outcomes that could result if a cybercriminal had a hospital wrapped around their finger.
“Engineers put a lot of effort into creating really useful medical technologies and can sometimes forget about protecting the medical computers. A hacker could get access to these devices and obtain all the information about patients, their personal data, treatment cases etc. Or even worse – they could try to interfere with these devices and reprogram them – and that could cause direct physical harm or an inaccurate diagnosis and things like that,” van der Wiel said.
Van der Wiel, who called the HPMC attack a “worrying trend,” was part of a Kaspersky Lab team that worked with the Netherlands’ National High Tech Crime Unit (NHTCU) last year to build a repository of available decryption keys and release a decryption app for victims of another form of ransomware, CoinVault.
Doctors and other administrators at HPMC apparently had to go analog in the wake of the attack – a report in the Los Angeles Times claims that, in lieu of computers, hospital staff were forced to use pen and paper to keep notes on patients.
Stefanek insists the hospital’s systems are cleared of the malware and that he has no evidence that any patient or employee information was accessed. Additionally, while his letter neglects to mention it, both the FBI and the LAPD, who were first notified of the attack two weeks ago, are still looking into the incident.
A handful of senators have spoken out over the past few months urging the U.S. to do more to combat ransomware. Senators Ron Johnson (R-Wis.) and Tom Carper (D-Del.) issued memos to the Justice and Homeland Security Departments in December encouraging movement on the issue. Later that month Ron Wyden (D-Ore.) wrote to FBI Director James Comey to do more or less the same, but also asked for clarification on Bonavolonta’s statements on how victims should pay the criminals, and whether or not they were reflective of the FBI as a whole.
“The FBI should explore all legal options for stopping the successful use of ransomware,” he said in the letter. “Not only should these efforts focus on cyber criminals conducting encryption attacks, they should also target the ransom payments from victims to cyber criminals.”