Incident Of The Week: Hospital Pays $55K In Bitcoin After Ransomware Attack



Dan Gunderman
01/19/2018

In the dynamic world of cyber security, breaches are both tightly guarded and, sadly, imminent.

Combing through data, market research and threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. CSHub coverage extends outwards – as it helps enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine a security event that unfolded at Hancock Regional Hospital, in Greenfield, Ind., and knocked out systems for multiple days.

Hancock was hit with a ransomware message at 9:30 p.m. on Thursday, Jan. 11, according to the hospital’s website. This came after staffers noticed that their computers had slowed. What followed was a careful decision-making process amongst hospital executives that led to a $55,000 ransomware payment, in Bitcoin, to a still unidentified hacking group.

The payment was made so that the hospital could regain control of its files – which were encrypted in the ransomware melee. Residual effects of the breach are still ongoing, but after the payment, most systems were back online by Sunday.

News of the breach was reported by the Greenfield Daily Reporter. The story suggests that hackers targeted 1,400 files which were subsequently encrypted and relabeled “I’m sorry.”

The hospital was given seven days to arrange payment or permanently lose the data. Hancock Health’s CEO, Steve Long, has since said that no personal patient information was lifted, and that the hackers are believed to be stationed in Eastern Europe.

See Related: Incident Of The Week: Phishing Scam Affects 30K Medicaid Members

The Daily Reporter’s piece suggests that while the files were backed up and recoverable, it could have been a time-consuming process to orchestrate. Instead, the hospital opted to pay the ransom.

The hackers demanded four bitcoins (the hard-to-trace cryptocurrency), valued at $55,000, the report suggests. The payment was made at 2 a.m. Saturday, Jan. 14.

Hancock was hit with a strain of malware called SamSam, which Long said is shrewd in selecting its price tag for a ransom.

Before the issue had been resolved, the hospital staff resorted to pen and paper for its medical record maintenance. Its patient portal (for online medical records) took a hit during the attack.

The hospital’s Senior Vice President and Chief Strategy and Innovation Officer, Rob Matt, told the outlet that resorting to the age-old pen and paper method was not difficult for the medical center – which prepares for such instances.

After the hackers received their bitcoin payment, the hospital files were released. By midday Saturday, IT staffers were combing through the formerly encrypted files to inspect for additional malware. By that time, the hospital’s network servers as well as Wi-Fi were also running. The next day, the online medical record portal had been repaired.

See Related: Incident Of The Week: 247K DHS Workers Exposed In Data Breach

By Monday, systems were fully restored. It was later determined that the hackers gained entry by using the hospital’s remote-access portal. They utilized valid credentials from an outside vendor; it was not malware-related.

In order to remediate, Hancock enlisted the help of the Indianapolis-based cyber security company Pondurance, LLC., along with the FBI. The agency generally does not endorse ransomware payments. It leaves the crucial decision to the enterprise. It did not advise Hancock on which direction to take, the Daily Reporter notes.

Following the breach, employees reset passwords and IT staffers deployed additional software to sniff out abnormal behavior on the network. Hancock Regional also has cyber insurance for related incidents.