Hospital pays $55k during ransomware attack

Criminals hacked into the network of Hancock Health and demanded a $55k ransom

Indiana hospital was infected with SamSam ransomware

On January 11, experts reported a ransomware attack in Greenfield, Indiana: Hancock Health hospital was told to pay a $55k ransom to regain access to its patients' data. According to the analysis, the criminals infected the network with SamSam ransomware[1], which is used to extort money by encrypting valuable information.

During the attack on the Indiana hospital, the hackers managed to encrypt more than 1,400 files and marked them with the phrase "I'm sorry". Luckily, it is believed that no personal information of the patients was stolen[2]. Additionally, cybersecurity specialists say that the criminals are Eastern European.

Hospital agreed to pay the ransom despite having backups of the corrupted data

Hancock Health had backups and could have easily recovered the encrypted data. However, on Sunday the hospital decided to comply with the criminals' demands and pay 4 Bitcoins in exchange for the decryption tool[3]. The ransom equals approximately $55,000 at the current exchange rate.

The CEO of Hancock Health, Steve Long, said that restoring the information from backups would have taken days or even weeks. As a result, the hospital didn't even consider it as an option. By paying the ransom, the health institution was able to use its network again on Monday.

According to S. Long, paying a small ransom was more efficient[4]:

These folks have an interesting business model. They make it just easy enough (to pay the ransom). They price it right.

SamSam ransomware authors managed to log into the hospital's remote-access portal

The hospital's CEO assures that the ransomware attack was not caused by reckless behavior of the employees. Although criminals usually send a malicious email with an attachment that infects the network, this time they managed to hack into the hospital's remote-access portal[5].

They used an outside vendor's username and password to enter the system and install the malicious program on the network. Luckily, none of the machines used in treatment and diagnosis were affected. Most of the patients didn't even notice that there was a problem. However, since the portal that lets patients check medical records online was down, it might have caused some inconvenience.

Unfortunately, the funds received only encourage criminals to create more cyber threats and keep attacking other institutions. Experts also say that the hospital's decision to pay the ransom was not the wisest choice, since there were better options.

About the author
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor's degree was in English Philology.
