(This story was updated on Feb. 18, 2016.)
A Southern California hospital's computers have been restored after it paid a $17,000 ransom in bitcoins to hackers who infiltrated and disabled its network. The gambit isn't new, but it appears to be on the rise.
"The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," Hollywood Presbyterian Medical Center CEO Allen Stefanek said in letter posted to the hospital's website late Wednesday. "In the best interest of restoring normal operations, we did this."
The FBI is investigating the attack, often called ransomware, where hackers encrypt a computer network's data to hold it "hostage," providing a digital decryption key to unlock it for a price.
Hospital officials had been fairly tight-lipped in the days since a Los Angeles NBC news affiliate broke the story last Thursday. That report, quoting unnamed hospital employees, said the ransom demand exceeded $3 million to be paid in bitcoin, a digital currency.
“The reports of the hospital paying 9,000 bitcoins or $3.4 million are false,” Stefanek said in the letter posted Wednesday.
Katherine Keefe, global focus group leader, breach response services, for London-based insurer Beazley, said the company has seen an uptick in ransomware attacks against its clients in the past six to eight months.
Healthcare organizations, along with small businesses and schools, make good targets for ransomware attacks because they don't typically have the sophisticated backup systems and other resilience measures that are typical at large corporations, said Lillian Ablon, a cybersecurity expert with the RAND Corp., a California think tank.
The smaller ransom amount in the Hollywood Presbyterian case is more in line with customary ransomware demands, according to security experts. The demands typically track with the nuisance value of not having to restore databases and computer systems.
The attacks often don't make headlines because the victims don't want to talk about them, said Nicholas Economidis, a Beazley underwriter. “If they pay or they don't pay, it's an embarrassing incident.”
Ransomware attacks are at least a decade old but have become increasingly sophisticated. They often begin with an e-mail attachment opened by an unwitting employee. The e-mail launches malicious code that crawls through the victim's computer system, encrypting and locking up data folders and the computer's operating system. The cybercriminals demand payment in return for providing the decryption key.
“A lot of this is a crime of opportunity,” said Austin Berglas, senior managing director at at K2 Intelligence and head of the firm's U.S. cyber investigations and incident response practice. Berglas previously headed the FBI's cyber branch in New York and led the team that broke up the Silk Road and Silk Road 2.0 “dark web” forums, where drug deals, hacking services and even murder-for-hire schemes were transacted.
“You buy or steal a large e-mail list and spam those folks,” hoping some unwitting recipient opens one and launches the encrypting malware, Berglas said. Specific recipients–such as systems administrators—might also be targeted in a technique known as spear phishing, he said.
With any kidnapping and ransom situation, the criminal becomes vulnerable when trying to get paid. Bitcoin, however, provides criminals with a potential window of opportunity to escape and limits law enforcement's tools to trace and capture them.
“Fortunately, in my experience with the FBI, a lot of these criminals will make mistakes along the way,” Berglas said.
Security experts have been warning about an uptick in ransomware attacks, said Hussein Syed, chief information security officer at Barnabas Health. “Unfortunately, it's the next big thing everywhere,” not just in healthcare, Syed said. “But the importance of systems in healthcare is so immense, it's patient-care issues, in some cases it s a matter of life and death to keep the systems running.”
New security-enhancing technologies are arriving every day, Syed said.
One approach is software that scans every incoming e-mail that looks to see if the sender has ever communicated with anyone in the organization before, said Dominic Hart, manager of information security architecture for Barnabas Health. Suspicious e-mails are routed into a “sandbox” separate from hospital's main computer systems and the messages and any attachments are “detonated”— that is, opened up and inspected for malware.
“There will be some time delay before the user receives the e-mail,” Hart said. “But if you talk about the choice between a five-minute delay and having a whole hospital go down, that five minutes becomes moot.”