LA Hospital Hit By Ransomware Pays Hackers $17,000: Is It The Right Choice?
After its computer system got taken over by hackers, the Hollywood Presbyterian Medical Center in Los Angeles has decided to pay a ransom of $17,000 in order to regain access.
The hospital was hit by ransomware — malicious software that locks computer systems until a ransom is paid to unlock it.
Media reports says the hackers were demanding the hospital to pay them 9,000 Bitcoins or about $3.4 million, but CEO and President Allen Stefanek confirmed [pdf] these were false. In the end, the hospital shelled out $17,000, which is equivalent to 40 Bitcoins.
Payment using Bitcoins require a particular level of anonymity, and they're described as an "anonymous" form of currency.
Unfortunately, the Hollywood Presbyterian Medical Center is not the first institution hit by ransomware. Based on reports, ransomware attacks have become increasingly common in latest years.
Since January 2013, there had been 100,000 cases of recorded ransomware attacks. By the end of that year, the number skyrocketed to 600,000, according to antivirus software creator Symantec.
Apparently, hackers are moving from attacking individuals to targeting major institutions and companies.
Last year, a police department in Maine paid $300 to unlock hacked files. Boston-area police also paid $500 after their systems were hijacked by a computer virus.
Ryan Kalembar, senior vice president for cybersecurity strategy at Proofpoint, said the hack itself is a simple three-step process.
He said hackers send what appears like routine email — be it an invoice or a bill —with an attached file such as a Word document.
"People click on that," said Kalembar. "They always click on it."
By clicking on the attached document, an "enable content" yellow bar pops up. If that is clicked on, the malicious software starts to lock files with a password or key that cyber criminals or attackers hold.
RSA Network security senior director Peter Tran said Bitcoin is relatively untraceable and completely unregulated.
"We've moved beyond leaving a suitcase of money dropped onto a park bench and moving into more sophisticated means of taking people's information hostage and asking for money," said Tran.
Meanwhile, Kalembar said the hospital's decision was the easy choice, but he wouldn't consider it as the right one.
By surrendering to the hackers' demands, the hospital finds itself in an awkward position of channeling funds into a potentially organized crime, he said.
"We've seen even terror groups finance their organizations by using operations like cybercrime and ransomware," added Kalembar.
However, Tran somehow disagrees. He said that when a person is held hostage, the negotiators would typically say that it isn't right to pay the ransom.
"With this kind of hack, you don't have that kind of time," said Tran. "The complete footprint of your entire life is being held for ransom. All of your information."
Tran said they are moving towards more risk-based profile authentication and layering authentication — not just multi-factor authentication — to safeguard systems against attacks.