If you follow IT security news, you have most likely heard that the Hollywood Presbyterian Medical Center was hit by ransomware. The Center ultimately decided to pay the ransom, concluding that it had no other choice. However, the claim that the ransom demanded by the cyber criminals equaled 9,000 Bitcoin, or $3.6 million, is nothing but speculation, as a statement issued by HPMC’s CEO Allen Stefanek reveals.
Initial Claims of the Size of the Ransom Turn Out to Be Untrue
Mr Stefanek wrote that the reports of such payments were false:
The reports of the hospital paying 9000 Bitcoins or $3.4 million are false. The amount of ransom requested was 40 Bitcoins, equivalent to approximately $17,000. The malware locks systems by encrypting files and demanding ransom to obtain the decryption key. The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.
As seen in the quote above, the Medical Center paid 40 Bitcoins, or $17,000, an enormous amount of money but considerably less than $3 million.
Targeted Malware Attacks Continue in 2016
High-profile, targeted attacks are steadily increasing and affecting various sectors, health care being one of them. This is not the first case in which the affected party has decided to pay the cyber criminals. Unfortunately, with some ransomware families, decryption is not possible without the unique key held by their creators. Several such cases are yet to be resolved:
- The latest version of CryptoWall (random extensions appended to the filenames, which are themselves also changed to confuse the victim further);
- The latest versions of TeslaCrypt (.micro, .mp3, .vvv extensions);
- The newly disclosed Locky Ransomware (.locky extension).
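As an added illustration that is not part of the original article, the following Python triage function scans a file listing for the extensions named above and for a high share of unusual extensions (the CryptoWall renaming pattern). The sample listings, the expected-extension set, and the assumption that an encrypted file keeps its original name with the new extension appended (report.docx.mp3) are constructed for this example.

```python
import os
from collections import Counter

# Extensions the article attributes to TeslaCrypt and Locky. They are indicators,
# not proof: .mp3 is also an ordinary media extension, so it only counts when the
# stem still carries a document extension (report.docx.mp3). That appended-name
# pattern is an assumption of this example, not something the article states.
KNOWN_RANSOMWARE_EXTS = {".micro": "TeslaCrypt", ".vvv": "TeslaCrypt",
                         ".mp3": "TeslaCrypt", ".locky": "Locky"}
# Extensions expected on a hypothetical document share; anything else is
# "unusual", which approximates CryptoWall-style random renaming.
EXPECTED_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".mp3", ".csv"}

def triage_listing(paths, min_family_hits=3, max_unusual_ratio=0.5):
    """Score file paths for ransomware extension signals; returns a dict with
    family hit counts, the unusual-extension ratio and a list of verdicts."""
    family_hits = Counter()
    unusual = 0
    for path in paths:
        stem, ext = os.path.splitext(path)
        ext = ext.lower()
        if ext in KNOWN_RANSOMWARE_EXTS:
            inner_ext = os.path.splitext(stem)[1].lower()
            if ext != ".mp3" or inner_ext in EXPECTED_EXTS:
                family_hits[KNOWN_RANSOMWARE_EXTS[ext]] += 1
        if ext not in EXPECTED_EXTS:
            unusual += 1
    ratio = unusual / len(paths) if paths else 0.0
    verdicts = [f"{fam}: {n} files with a known extension"
                for fam, n in family_hits.items() if n >= min_family_hits]
    if ratio > max_unusual_ratio:
        verdicts.append(f"possible random renaming: {ratio:.0%} unusual extensions")
    return {"family_hits": dict(family_hits), "unusual_ratio": ratio, "verdicts": verdicts}

# Constructed sample listings (not real data): clean share, Locky/TeslaCrypt hits,
# and CryptoWall-style random extensions.
CLEAN = ["share/finance/budget.xlsx", "share/finance/q1-report.docx",
         "share/hr/handbook.pdf", "share/hr/notes.txt", "share/media/intro.mp3",
         "share/media/jingle.mp3", "share/media/theme.mp3", "share/images/logo.png"]
LOCKY_HIT = ["share/finance/budget.xlsx.locky", "share/finance/q1-report.docx.locky",
             "share/hr/handbook.pdf.locky", "share/hr/notes.txt.locky",
             "share/media/intro.mp3", "share/scans/invoice.pdf.mp3",
             "share/scans/contract.docx.mp3", "share/images/logo.png"]
RANDOMIZED = ["share/docs/7f2a1.x9qz", "share/docs/b81c0.mq2r", "share/docs/ee93d.7hjk",
              "share/docs/0a4f5.zz1p", "share/docs/c0de1.r8ws", "share/docs/readme.txt"]

if __name__ == "__main__":
    for name, listing in (("clean", CLEAN), ("locky", LOCKY_HIT), ("random", RANDOMIZED)):
        print(name, triage_listing(listing)["verdicts"])
```

Thresholds are deliberately conservative; a real deployment would tune them per share and pair the check with a rate-of-change signal, since mass renaming within minutes is the stronger indicator.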
Even though the hospital hasn’t revealed which ransomware attacked it earlier this month, we suspect that it may be one of the families mentioned above. If not, it was certainly a sophisticated form of ransomware that couldn’t be resolved with any of the known decryption utilities. That, or the hospital couldn’t afford to waste any time and needed to restore normal functionality as soon as possible.
Luckily, no patient was physically harmed by the ransomware attack, and the hospital reports no evidence that patient or employee personal information was exposed:
It is important to note that this incident did not affect the delivery and quality of the excellent patient care you expect and receive from Hollywood Presbyterian Medical Center (“HPMC”). Patient care has not been compromised in any way. Further, we have no evidence at this time that any patient or employee information was subject to unauthorized access.
Have a look at Stefanek’s statement.
Article Update (Feb 19, 2016)
Our colleagues over at Heimdal Security have just confirmed that the ransomware that hit the Hollywood Presbyterian is indeed Locky. Multiple security analyses also reveal that Locky is closely related to the Dridex malware. More information will be available soon.