Free Republic


Hollywood Hospital Succumbs to Hacker Shakedown
TechNewsWorld | Feb 19, 2016 | John P. Mello Jr.

Posted on 02/19/2016 9:44:19 PM PST by iowamark

Hollywood Presbyterian Medical Center on Wednesday announced that it paid approximately US$17,000 to resume normal operations after digital extortionists knocked its computer systems offline.

The Los Angeles hospital discovered its computer network infected with ransomware earlier this month. Ransomware is a form of malware that scrambles data and key files on a system and demands a ransom be paid for a digital key to unscramble the data.

After paying a ransom of 40 bitcoins, or $17,000, to the extortionists, the hospital was able to bring its electronic medical record system online, HPMC said. Bitcoins are a digital currency favored by cybercriminals because, like cash, they're difficult to trace.

"It is important to note that this incident did not affect the delivery and quality of the excellent patient care you expect and receive from Hollywood Presbyterian Medical Center. Patient care has not been compromised in any way," HPMC CEO Allen Stefanek noted.

"Further, we have no evidence at this time that any patient or employee information was subject to unauthorized access," he continued.

Initial reports about the incident pegged the ransom at $3.4 million, or 9,000 bitcoins. Those reports were false, HPMC noted.

No Honorable Thieves

Paying ransom might embolden the perpetrators of ransomware, according to Rick Orloff, CSO of Code42.

"It's analogous to why the government doesn't negotiate with hostage takers. It encourages hostage-taking," he told TechNewsWorld.

If a ransom is paid, it should be done with caution, observed Lee Kim, director of privacy and security for the Healthcare Information and Management Systems Society.

"In the best-case scenario, you will get the decryption key," she told TechNewsWorld.

"You'll be up and running and back to normal, but even if that does happen, you really should have some forensics and malware experts in there to make sure that there isn't any other malware on your systems," Kim continued.

"Don't trust criminals to do the honorable thing and not drop additional malware," she said.

To Pay or Not to Pay

Ryan Kalember, senior vice president of cybersecurity strategy for Proofpoint, strongly opposed paying ransoms.

"Even if the attackers keep their word and decrypt your data, there is no guarantee that they will not leave other forms of malware running on the system in order to carry out other crimes, like sending spam emails, launching DDoS attacks, and stealing personal or financial data for use in online fraud and identity theft," he told TechNewsWorld.

"Paying cybercriminals often funnels money to organized crime and terror groups and should be avoided as a rule to not perpetuate the cybercrime cycle," Kalember said.

However, whether to pay ransom isn't a black-and-white proposition, said Scott Gainey, senior vice president for SentinelOne.

"It's not a yes or no answer. It depends on the systems that were affected," he told TechNewsWorld.

"Law enforcement has come out strong against paying the ransom for fear it will open up a Pandora's box, but in this case, patients were being diverted to other hospitals and it was severely affecting the hospital's business, so they may not have had a choice," Gainey said.

Moreover, "the cost of cleaning their environment could exceed the ransom that these guys are asking for," he added.

Lesson Learned

The scale of the attack was relatively minor. "In the grand scheme of things, this attack is not a large one in terms of records breached, as only individual systems were infected with ransomware," Proofpoint's Kalember noted.

"What makes it notable is that the attack affected systems involved in clinical care," he added.

The incident also may change the thinking of healthcare security pros about their systems.

"People often think of healthcare security as preserving confidentiality of data," said Daniel W. Berger, president of Redspin, an Auxilio company.

"Health organizations have to start considering the fact that the integrity of the data and the availability of the data is in many ways more important than confidentiality," he told TechNewsWorld, "because you can have a situation like this where the hospital had to revert to a manual system to provide care because the data wasn't available."


TOPICS: Business/Economy; Computers/Internet; Local News
KEYWORDS: california; computers; hackers; hollywood; hpmc

1 posted on 02/19/2016 9:44:19 PM PST by iowamark

To: iowamark

LA Times:
http://www.latimes.com/local/lanow/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html

Hospital press release:
http://hollywoodpresbyterian.com/default/assets/File/20160217%20Memo%20from%20the%20CEO%20v2.pdf

Slate:
http://www.slate.com/articles/technology/future_tense/2016/02/hollywood_presbyterian_medical_center_paid_17_000_to_free_computers_from.html


2 posted on 02/19/2016 9:48:17 PM PST by iowamark (I must study politics and war that my sons may have liberty to study mathematics and philosophy)

To: iowamark

I feel for these guys. Ransomware is some volatile stuff.


3 posted on 02/19/2016 9:53:14 PM PST by SWAMP-C1PHER (HOMO, OECONOMIA, ET CIVITAS.)

To: iowamark

This so-called person doing cyber blackmail is somewhere, and if he is caught, I propose a solution. Have a pay-per-view of his slow execution. The proceeds used to reimburse the people scammed.


4 posted on 02/19/2016 9:53:38 PM PST by BigEdLB (Take it Easy, Chuck. I'm Not Taking it Back -- Donald Trump)

To: iowamark

They need to turn off Java on all of their systems to keep ransomware from locking their system. If a machine absolutely needs to run Java, it needs to be running the latest version and it must be isolated from the rest of the hospital network. A system locked by ransomware can be recovered manually, but it is a tedious process.


5 posted on 02/19/2016 10:02:01 PM PST by Kirkwood (Zombie Hunter)

To: SWAMP-C1PHER

One of my office PCs got infected with ransomware last year. It started systematically replacing each of the data files on our network hard drive with locked versions.

Fortunately we have multiple redundant backups of everything. Once we caught it, it was a relatively simple matter of reformatting the infected PC and restoring all of the data files from backups. Of course, I have a relatively small network with only a half dozen PCs.

I would have shut my doors and gone out of business before I would have paid the SOBs a penny in blackmail money.


6 posted on 02/19/2016 10:13:23 PM PST by Bubba_Leroy (The Obamanation Continues)
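The behaviour the post above describes, data files on a network share being replaced one by one with locked versions, is exactly the signal a file-server monitor can alarm on, so that the response (isolate the PC, restore from backup) starts after a handful of files rather than after the whole share. The block below is an added example, not code from this thread or from any product. It assumes a constructed event list shaped like a file-server audit log (timestamp, path, action, bytes written) and illustrative thresholds; it flags a burst of high-entropy overwrites within a short window and counts renames to an extension the environment does not normally use.

```python
"""Flag a ransomware-style encryption burst in file-server change events.

Added example, not code from the Free Republic thread or any vendor. It
assumes a constructed event list shaped like a file-server audit log
(timestamp, path, action, bytes written); the thresholds are illustrative.
The signal is the one described in the thread: many data files replaced,
in a short time, by unreadable (high-entropy) contents.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(events, window=60, min_files=5, min_entropy=7.0):
    """Return the sorted paths of the largest burst of high-entropy writes
    that fall within `window` seconds, or [] if no burst reaches `min_files`."""
    high = sorted(
        (e["ts"], e["path"])
        for e in events
        if e["action"] == "write" and shannon_entropy(e["data"]) >= min_entropy
    )
    best = set()
    for i, (t0, _) in enumerate(high):
        paths = {p for t, p in high[i:] if t - t0 <= window}
        if len(paths) > len(best):
            best = paths
    return sorted(best) if len(best) >= min_files else []


def new_extensions(events, known=(".docx", ".xlsx", ".pdf")):
    """Count renames whose new name ends in an extension not in `known`."""
    out = Counter()
    for e in events:
        if e["action"] == "rename":
            ext = "." + e["path"].rsplit(".", 1)[-1]
            if ext not in known:
                out[ext] += 1
    return out


# --- constructed sample log (not real data) ---------------------------------
_rng = random.Random(7)
# 4096 pseudo-random bytes stand in for encrypted output
SAMPLE_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_PLAINTEXT = b"Quarterly budget notes. Revenue up, costs flat. " * 80

SAMPLE_EVENTS = [
    # normal office activity: readable documents saved minutes apart
    {"ts": 0, "path": "//fs/share/budget.xlsx", "action": "write", "data": SAMPLE_PLAINTEXT},
    {"ts": 300, "path": "//fs/share/memo.docx", "action": "write", "data": SAMPLE_PLAINTEXT},
]
# the burst: eight files overwritten with ciphertext and renamed within 30 seconds
for _i in range(8):
    _p = f"//fs/share/record{_i}.pdf"
    SAMPLE_EVENTS.append({"ts": 1000 + 4 * _i, "path": _p, "action": "write", "data": SAMPLE_CIPHERTEXT})
    SAMPLE_EVENTS.append({"ts": 1001 + 4 * _i, "path": _p + ".locked", "action": "rename", "data": b""})


if __name__ == "__main__":
    flagged = scan(SAMPLE_EVENTS)
    print("burst of", len(flagged), "high-entropy writes:", flagged)
    print("renames to unknown extensions:", dict(new_extensions(SAMPLE_EVENTS)))
```

The two readable saves never reach the entropy threshold, while the eight overwrites do and land inside one 60-second window, so `scan` returns all eight paths; the rename count to `.locked` corroborates it. The window and file-count thresholds are deliberately low for a small office share like the one in the post; a larger server would tune them against its normal write rate.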

To: iowamark

How is bitcoin supposedly almost untraceable? My understanding is that all bitcoin transactions receive a unique transaction identification code, and are tracked, similar to how wire transfers occur from one bank account to another.

This is not to say that recovery of the bitcoin ransom is easy to accomplish, if the attackers are in another country or cash out their bitcoin holdings. Just saying that I don’t understand how we are told that bitcoin is untraceable.


7 posted on 02/19/2016 11:06:04 PM PST by Dilbert San Diego

To: Dilbert San Diego

Short answer: use a different BTC (Bitcoin) address for every transaction.

Medium answer: a Bitcoin wallet comes with a default “key” (address)...if you do multiple transactions with the one address you start to become “traceable”. Use multiple addresses (or even a new address for each transaction) & change wallets frequently and you are fairly “untraceable”.

Long answer: https://bitcoin.org/en/protect-your-privacy


8 posted on 02/19/2016 11:16:48 PM PST by Drago
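To illustrate the answer above from the investigator's side, the block below is an added example, not code from this thread or from bitcoin.org. It assumes a constructed set of transactions (no real addresses or on-chain data), each a list of input and output addresses, and applies the simplest public-ledger heuristic: two transactions that share any address are linked, and the resulting connected components are the clusters an analyst would look at. Reusing one address pulls every payment into a single cluster; a fresh address per transaction leaves nothing to join on. It also shows the caveat that spending the change from one transaction in the next links the two anyway, which is why fresh receiving addresses alone are not a complete answer.

```python
"""Link ledger transactions through reused addresses (union-find).

Added example, not code from the Free Republic thread or from bitcoin.org.
All transactions and addresses below are constructed placeholders. The
heuristic is deliberately the simplest one: transactions that share an
address are assumed to belong together.
"""
from collections import defaultdict


def link_by_address(transactions):
    """Group transaction ids into clusters that share at least one address.

    `transactions` maps txid -> {"in": [addresses], "out": [addresses]}.
    Returns a sorted list of sorted clusters (lists of txids).
    """
    parent = {txid: txid for txid in transactions}

    def find(x):
        # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # address -> first txid it appeared in
    for txid, tx in transactions.items():
        for addr in tx["in"] + tx["out"]:
            if addr in first_seen:
                parent[find(txid)] = find(first_seen[addr])  # union
            else:
                first_seen[addr] = txid
    clusters = defaultdict(set)
    for txid in transactions:
        clusters[find(txid)].add(txid)
    return sorted(sorted(c) for c in clusters.values())


# --- constructed wallets (placeholder addresses, not real ones) -------------
# One address used for everything: every payment shares "addrA".
REUSED_WALLET = {
    "tx1": {"in": ["addrA"], "out": ["shop1", "addrA"]},
    "tx2": {"in": ["addrA"], "out": ["shop2", "addrA"]},
    "tx3": {"in": ["addrA"], "out": ["shop3"]},
}
# Fresh address per transaction, each funded separately: nothing is shared.
FRESH_ADDRESSES = {
    "tx1": {"in": ["k1"], "out": ["shop1", "k2"]},
    "tx2": {"in": ["k3"], "out": ["shop2", "k4"]},
    "tx3": {"in": ["k5"], "out": ["shop3"]},
}
# Fresh addresses, but tx2 spends tx1's change address "k2": tx1 and tx2 link.
CHANGE_CHAINED = {
    "tx1": {"in": ["k1"], "out": ["shop1", "k2"]},
    "tx2": {"in": ["k2"], "out": ["shop2", "k4"]},
    "tx3": {"in": ["k5"], "out": ["shop3"]},
}


if __name__ == "__main__":
    for name, txs in [("reused", REUSED_WALLET), ("fresh", FRESH_ADDRESSES),
                      ("change chained", CHANGE_CHAINED)]:
        print(f"{name:15s} -> {link_by_address(txs)}")
```

Real chain analysis layers more heuristics on top of this one, so the singleton result for the fresh-address wallet is a lower bound on what can be linked, not a guarantee of anonymity; that is the point the thread's "fairly untraceable" wording is making.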

To: Kirkwood

I worked in Hospital IT.

The problem most likely isn’t in the IT Department.

Our HR & Accounting department insist on running ADP timekeeping & payroll using Java.

It is a full-time nightmare.


9 posted on 02/20/2016 5:45:15 AM PST by AlbertWang

To: AlbertWang

Run the Java via a secured hypervisor. This is easily achieved by running it in a VM on the workstation with restricted permissions between the host OS and the java-enabled VM’s OS. The Java VM should have its NIC disabled and NTFS permissions locked down so the only external accounts to have access are the host OS accounts. Host accounts should only have Read access to the java VM’s data files. Host accounts should NOT have write or modify on the VM OS since that is done within the Java VM and it is not necessary for creation of the data files. Similarly, all the Java VM OS accounts should be denied access to the host OS, even System.


10 posted on 02/20/2016 6:19:38 AM PST by Justa

To: AlbertWang

If networking is needed between the Java-enabled OS, set up a private IP subnet in the core router, fire-walled off from everything else.


11 posted on 02/20/2016 6:22:11 AM PST by Justa

To: AlbertWang

Oh, and install Key Scrambler for cripes sakes.


12 posted on 02/20/2016 6:23:14 AM PST by Justa
