For many years, those of us working in IT security have heard phrases like ‘why should hackers target us?’. They think they’ve nothing to hide, there’s no gain to be made attacking them so security is neglected on this basis. Unfortunately virtually any individual, company or organisation is a potential target as the Hollywood Presbyterian Medical Centre recently discovered.
The incident occurred on February 5th when hackers managed to infiltrate the hospital’s servers and infected them with malware, effectively blocking all communication within the hospital. The software was a specific type of malware known as ransomware – designed to hold the victim to ransom – pay up or lose your data. There are two main types of ransomware (although more will probably be developed):
- Lockscreen – Locks you out of your computer, either by blocking boot-up or with a screen-saver-style overlay preventing access. There will usually be a message on how you can regain access.
- File Encryption – Normally leaves the majority of your computer alone but encrypts all your data files, making them inaccessible. Again, you’ll usually get a message on how to obtain the decryption key.
The lock-screen types can usually be bypassed with some technical assistance; in fact it’s usually very simple to fix. File encryption ransomware is much more difficult to get rid of if implemented correctly, as the only solution is normally to obtain the decryption key.
Unfortunately for the Hollywood Presbyterian Medical Centre, they were subjected to the file encryption attack, which encrypted many of the core data files on the hospital’s computer systems. This paralysed the hospital, which was forced to use pen and paper for ongoing record keeping. The hospital decided that the quickest solution was to pay the $17000 ransom to obtain the decryption key, despite the obvious risks.
The CEO, Allen Stefanek, made this call and fortunately, with some technical assistance and the decryption key, the hospital was able to restore all of its computer systems. Stefanek stated that patient care was never compromised, nor were hospital records.
However, this is a difficult statement to believe. Although patient care might have been protected, it’s impossible to know whether the hospital records and patient data were compromised. If you have allowed malware onto your computer systems then there’s no way you can be 100% sure what else that software has done; it could easily have stolen data records as well as encrypting them.
The case has now been passed to the FBI, so there is a very strong chance the culprits will be caught. The most difficult part of these attacks is hiding your tracks, and it is rarely accomplished completely. The attackers did demand payment in bitcoins, which is much harder to trace, but network and computer forensics will often leave clues as to the origin of the infection or from the ransom demand communication.