A hospital in Indiana paid over $50K last week in order to recover files encrypted in a ransomware attack.
Hancock Regional Hospital, a facility in Greenfield, about half an hour outside of Indianapolis, paid approximately $55,000 in Bitcoin to stop the bleeding.
The Indy Star first reported on the attack on Friday, a day before the hospital decided to pay the costly ransom of 4 BTC.
The hospital released the following statement to a local Fox affiliate on Friday:
“Hancock Regional Hospital has been the victim of a criminal act by an unknown party that attempted to shut down our operations via our information systems by locking our computer network and demanding payment for a digital key to unlock it. Unfortunately this sort of behavior is widespread in the world today, and we had the misfortune to be next on the list. We are working closely with an IT incident response company and national law enforcement. At this time, we are deep into the analysis of the situation and see no indication that patient records have been removed from our network. In addition to excellent performance by our IT Department, our clinical teams have performed exceptionally well, and patient care has not been compromised. Our doors are open at Hancock Regional Hospital.”
The hospital used pen and paper throughout the day on Friday and patients continued to receive care. Rob Matt, the hospital's chief strategy officer, told the Indy Star at the time that only the hospital's email system, electronic health records, and internal operating systems were being held hostage by the attackers. Patient information was not impacted by the attack.
Hancock Regional didn’t disclose the attack publicly until Monday, when it published a statement to its blog:
“Through the effective teamwork of the Hancock technology team, an expert technology consulting group, and our clinical team, Hancock was able to recover the use of its computers, and at this time, there is no evidence that any patient information was adversely affected. Hancock is continuing to work with national law enforcement to learn more about the incident. We plan to provide additional information to our community regarding this act soon.”
Steve Long, the hospital's CEO, told local publication The Greenfield Reporter that attackers used SamSam, a strain of ransomware that is typically deployed by hand after the operators have already compromised an organization's internet-facing servers, rather than spread through mass phishing campaigns, to encrypt more than 1,400 files. Each file had its name temporarily changed to “I'm Sorry” in the wake of the attack. The attackers threatened that the decryption key would be destroyed, leaving the data permanently encrypted, if the hospital did not pay within seven days. It's unclear exactly how the hospital was infected, but it was not the result of an employee opening a malware-infected email; that is consistent with SamSam, whose operators usually gain a foothold on a server first and then encrypt systems from inside the network.
The hospital ultimately decided to pay the ransom on Saturday. By Monday, two days later, its systems were back up and running as usual. Restoring from the backups the hospital had could have taken days or weeks, according to hospital management.
"It wasn't an easy decision," Matt told the Indy Star. "When you weigh the cost of delivering high quality care... versus not paying and bearing the consequences of a new system. The amount of the ransom was reasonable in respect to the cost of continuing down time and not being able to care for patients.”
“We were in a very precarious situation at the time of the attack,” Hancock Health CEO Steve Long said in a statement. “With the ice and snow storm at hand, coupled with one of the worst flu seasons in memory, we wanted to recover our systems in the quickest way possible and avoid extending the burden toward other hospitals of diverting patients. Restoring from backup was considered, though we made the deliberate decision to pay the ransom to expedite our return to full operations.”
Hancock Regional's actions of course run counter to those recommended by the Federal Bureau of Investigation. The FBI began encouraging companies not to pay attackers in 2016, noting that payment does not guarantee recovery and funds further attacks. The agency released a series of steps to follow instead, like backing up data regularly and securing those backups so they are not connected to the computers and networks they protect, which is what allows an organization to restore quickly instead of negotiating.
SamSam isn't new; the ransomware was spotted by researchers with Cisco Talos back in 2016 targeting servers and systems that run in hospitals. Researchers with the firm AlienVault said last summer that the group behind SamSam charges very high ransoms because of the amount of effort invested in each operation. The FBI issued two FLASH alerts on SamSam in 2016, which brought further attention to the group.
Erie County Medical Center, a medical facility in Buffalo, NY, was hit by SamSam last year. Unlike Hancock and many other hospitals, ECMC elected not to pay the $44,000 ransom. Instead the hospital relied on paper charts and face-to-face messaging for weeks, and eventually managed to restore its critical systems over the course of a month.