Hollywood Hospital Paid $17,000 Ransom To Hackers

HardOCP News

If you've ever wondered why hackers do this kind of thing it's because it works. Normally it's a couple hundred bucks at a time though, not the $17,000 this hospital just put out. :(


A Los Angeles hospital paid a ransom of about $17,000 to hackers who infiltrated and disabled its computer network because paying was in the best interest of the hospital and the most efficient way to solve the problem, the medical center's chief executive said Wednesday. Hollywood Presbyterian Medical Center paid the demanded ransom of 40 bitcoins — currently worth $16,664 dollars — after the network infiltration that began Feb. 5, CEO Allen Stefanek said in a statement.
 
$17k probably not a lot to a big hospital. The negative publicity, possible HIPAA violations, etc. That is what is going to cost more. My guess is this hospital hires a CISO in the near future.
 
What happens when the hospital can't recover some of the data hijacked? Do they have access to sue the hackers? I would say to not pay until they disclose who they are so they can even possibly work with them if there are issues.
I take it the hospital did not keep backups.
 
What happens when the hospital can't recover some of the data hijacked? Do they have access to sue the hackers? I would say to not pay until they disclose who they are so they can even possibly work with them if there are issues.
I take it the hospital did not keep backups.

If they're paying these 'hackers' vice going after them with the proper authorities, something tells me they are not going to be able to find them and sue them...

The 'hackers' sure as hell are not going to go ahead and out themselves just because they've now been paid...
 
That time when unbreakable encryption does anything but protect privacy. Would love to know how this got on their network.
 
That time when unbreakable encryption does anything but protect privacy. Would love to know how this got on their network.

We are regret to have informed you that you're bank account haz ben compromised. Please click here to see your statement, and help us begin these tracking process.

Sincerely, your bank...
 
We are regret to have informed you that you're bank account haz ben compromised. Please click here to see your statement, and help us begin these tracking process.

Sincerely, your bank...

Social engineering is probably a good guess but there'd still need to be some local executable run and there are a lot of effective ways to shut that down.
 
Social engineering is probably a good guess but there'd still need to be some local executable run and there are a lot of effective ways to shut that down.

True, but I'm always surprised by what people will click on. I'm a sys admin, and I see this stuff all the time. We keep things pretty tight here, and rarely does anything like this even make it to the users. We also send out reminder emails to tell people not to open anything they aren't expecting from someone, and give some guidance on what they just shouldn't open anyway. There's always someone that gets one though, and is quite happy to click on everything, open files, say yes to prompts, etc. etc. Funny enough, it's usually an executive or supervisor type that does it.
 
Social engineering is probably a good guess but there'd still need to be some local executable run and there are a lot of effective ways to shut that down.

.. when it is a legitimate attack, systems have a way to just shut that down.


The truth is that security is an ever-changing battle and the bad guys tend to win in the end. Traditional protections are not as effective as they used to be. Sure, firewalls and antivirus software might stop 99.999%, but that 0.001% is enough to be a huge problem.

What I am most surprised about with the article is the amount paid. This suggests the bad guys knew what they hit.
 
The problem with paying a ransom to hackers is that there is no way to be sure they dispose of the data. It could turn into a string of never ending demands.

In a few weeks or months:
"Hey, guess what, we still have your patient data. Pay us another $17k"

Or worse, the hacking group could be simultaneously marketing the data to those who would misuse it.

Truth is, you can't trust a criminal.

It would be better if they owned up to the breach, and took as many precautions as necessary, including informing all the affected people. At least then they know, and can take precautions.
 
The problem with paying a ransom to hackers is that there is no way to be sure they dispose of the data. It could turn into a string of never ending demands.

In a few weeks or months:
"Hey, guess what, we still have your patient data. Pay us another $17k"

Or worse, the hacking group could be simultaneously marketing the data to those who would misuse it.

Truth is, you can't trust a criminal.

It would be better if they owned up to the breach, and took as many precautions as necessary, including informing all the affected people. At least then they know, and can take precautions.

I believe they didn't take the data, although I guess they could if they can get through the firewalls. I think it's just an in-place encryption. Am I right?
 
I believe they didn't take the data, although I guess they could if they can get through the firewalls. I think it's just an in-place encryption. Am I right?

Ahh, that makes more sense then. But they did speak about HIPAA, which are medical privacy regulations. In-place encryption wouldn't have HIPAA implications.
 
Ahh, that makes more sense then. But they did speak about HIPAA, which are medical privacy regulations. In-place encryption wouldn't have HIPAA implications.
That is true. I used to work in the insurance industry. Maybe it is the "possibility" of HIPAA implications. Better safe than sorry.
 
The last time I cleaned one of these from a system was about 2 years ago. It came from an email disguised as a UPS tracking statement. The client had been expecting a shipment so they must have been watching closely. The payload was in a new folder on the root of C: and it used an uncompiled VB script which was called by another "clean" executable. The payload propagated through their entire network and hit every machine.

This was how they were getting past every AV software at the time, and I've read they've adapted their obfuscation even further though I haven't seen it in the wild since then, as I'm not doing IT consulting anymore. Luckily for our client we had offsite encrypted backups set up for them and they only lost about 6 hours of work.
 
True, but I'm always surprised by what people will click on. I'm a sys admin, and I see this stuff all the time. We keep things pretty tight here, and rarely does anything like this even make it to the users. We also send out reminder emails to tell people not to open anything they aren't expecting from someone, and give some guidance on what they just shouldn't open anyway. There's always someone that gets one though, and is quite happy to click on everything, open files, say yes to prompts, etc. etc. Funny enough, it's usually an executive or supervisor type that does it.

This.

We got hit with one of these encryption malwares, and it was due to a Sr. Executive clicking on an email attachment.

However, we didn't pay any ransom, as I just restored the files from backup.
 
The truth is that security is an ever-changing battle and the bad guys tend to win in the end. Traditional protections are not as effective as they used to be. Sure, firewalls and antivirus software might stop 99.999%, but that 0.001% is enough to be a huge problem.

You don't have to make it easy for them and I bet in this case that there was a breakdown in "traditional" protections as you call them. Ransomware generally hits environments that violate least privileged user and have inadequate disaster recovery procedures.
 
The last time I cleaned one of these from a system was about 2 years ago. It came from an email disguised as a UPS tracking statement. The client had been expecting a shipment so they must have been watching closely. The payload was in a new folder on the root of C: and it used an uncompiled VB script which was called by another "clean" executable. The payload propagated through their entire network and hit every machine.

And this is a violation of least privileged user. Writing to the root of C:? Running untrusted scripts? Basic security 101 stuff that just shouldn't happen in a well-managed IT organization. But I understand that there are many smaller shops and individuals that don't have that kind of expertise.
 
True, but I'm always surprised by what people will click on. I'm a sys admin, and I see this stuff all the time. We keep things pretty tight here, and rarely does anything like this even make it to the users. We also send out reminder emails to tell people not to open anything they aren't expecting from someone, and give some guidance on what they just shouldn't open anyway. There's always someone that gets one though, and is quite happy to click on everything, open files, say yes to prompts, etc. etc. Funny enough, it's usually an executive or supervisor type that does it.

Same here. Always surprised. These aren't grandmas in the 90's anymore. People really should know better.

The part that really gets me is that whenever I have received emails with nefarious attachments (which is pretty rare) what always strikes me is that even if I didn't treat anything unsolicited with an extra layer of caution, they are really fucking obvious. Oh, that attachment is named Slideshow.ppt.exe. That's REAL subtle. The UAC prompt requiring admin privileges to open the slideshow should also be a major fucking cue that something is amiss.

In order to fall for something like this, you'd have to be both extremely naive about how the world works AND be borderline computer illiterate at the same time.

I have to admit though, I once fell for a phishing attempt to get my PayPal account info. In my defense, I had just woken up, was hung over and really groggy, and saw an email from "paypal" with some convincing-looking warning about my account having been compromised and needing my immediate attention. In my subdued intellectual state it wasn't until after I clicked the submit button with my password that I realized what was going on. Before the page had even finished loading I was already on paypal.com changing my password. Frightening to think what could have happened had I not caught myself at the last second.

So, I guess my take is, to fall for something like this under normal circumstances, you have to be pretty ignorant, dumb and naive. I wonder, however, how many of these successful social engineering attacks are because they hit targets who DO KNOW BETTER, but fell for it because these guys catch us when we are not at our best, either hungover and tired, or in a panicked rush trying to meet some other deadline, or even while drinking. You know, in a state where we are not making our best decisions.
 
And this is a violation of least privileged user. Writing to the root of C:? Running untrusted scripts? Basic security 101 stuff that just shouldn't happen in a well-managed IT organization. But I understand that there are many smaller shops and individuals that don't have that kind of expertise.
I mentioned its location because it was the first payload I saw that used privilege escalation like it was nothing. There are many priv escalation bugs in Windows that never get patched. Also, calling scripts from a trusted exe isn't easily combated. That's something monitored by browsers, not by Windows itself.
 
And this is a violation of least privileged user. Writing to the root of C:? Running untrusted scripts? Basic security 101 stuff that just shouldn't happen in a well-managed IT organization. But I understand that there are many smaller shops and individuals that don't have that kind of expertise.

Well, to be honest, I have worked in almost 10 corporate settings now professionally. It's only in the last two where I haven't had full local admin access to my provided computer. They even made the local admin the default user account. (At the very least they should have set it up with a non-admin user account, and a local admin account I could elevate to when needed.) It annoys the hell out of me when I can't even run a ClearType optimization in Win7 because of lack of admin access these days, but I understand why they do it.

In other organizations - particularly where you have software developers working - the local user DOES need local machine admin access, and I don't know how they'd handle that. You could argue that Software Developers should know better and not fall for these things, but again, as I mentioned above, we all have our moments when we aren't thinking straight and make mistakes.

All that being said, is it really possible to protect against in-place encryption using access control? At some point a user does need write access to both their files, and probably a shared network resource, and if they have write access, any executable email attachment they run could technically probe for where they have write access and in-place encrypt everything, even without admin access.

It would seem backups are the only real protection here. You'll still lose the most recent data since the last backup, but at least it limits the harm.
 
The only ones that I can partially forgive are the ones mentioned above that look like package tracking, and someone may be expecting one. Still could be prevented by just READING, then asking IT whether you should open it or not, but I kind of understand in those cases. Most people here actually do read before opening something, and then if they have a question about it they typically ask. "Should I open this? It doesn't look quite right..." I'm actually proud of most of our employees. They seem to have at least half a brain. :D

I think the best way to fight this particular type of attack is, like others have said, just have plenty of backups. The MOST useful thing I've found is that if you have enough drive space on your SAN (or whatever your main storage is), allow for plenty of shadow copies! It's so easy to just right-click a folder high up in the tree, select an earlier date, and BAM! you're right back in business. Then go to backups for anything that didn't have them (or enough of them.)
 
What is shocking is why did they have to pay the ransom rather than restore from on site backup files? Did they not have any backups? Did the backups get encrypted also?

I've seen the crypto virus take on dozens of forms. Hackers have refined the code now so that it no longer requires administrative rights to run. It executes from temporary locations like AppData just like any other app that doesn't require admin rights to run. Join.me and GoToMeeting come to mind.

They can be difficult to detect and slip right past antivirus solutions.

Then the virus encrypts every network resource that it can get its hands on.

I would assume for the hospital to take a big hit like this, a doctor or someone with access into many areas of the network would be the idiot who clicked a bad link in an email.
 
$17,000!!! What's that - like the cost of one colonoscopy at an American hospital?
 
Bad guys will always have access to reasonably good encryption.

It's almost always an email attachment from a spear phishing attack. The email will say here is some important document, or here is a FedEx or UPS tracking notice, and the attachment runs code, then it downloads the attack over the internet and encrypts files that way. This is LEGIT encryption and not just a scare warning. Even if you remove the malware or move the files, they are still legitimately encrypted.

And so far, at least in all of the cases I have read about, paying the crooks actually will provide the decryption key.
 
And so far, at least in all of the cases I have read about, paying the crooks actually will provide the decryption key.

Yeah, it probably only takes one of them not to, and they ruin their entire business model, because suddenly no one will believe them.
 
Just as a personal note of irony, and I know what I will say next will come across as a Windows 10 promotion to some. And that's fair, but still there's some irony here. Obviously there's been all of this talk about Windows 10 spying and security. One feature of Cortana in Windows 10, ironically, is the ability to track packages, and that's how I track packages now because the tracking follows all of my devices once added from any other device (Windows 10 shop personally, obviously). Once you get the tracking number, there's never any need to look at emails. Of course you do have to get that tracking number, probably from an email, so not perfect, but still just one less way to get screwed.

I've said time and time and time again, LOCAL MALWARE>>>>>>>>>>>>>>>>>Windows 10 as far as personal privacy and security goes. I have no problem getting bashed over the head for this, I just can't stop laughing over something like this being a problem when it's built into Windows 10 but yet Windows 10 is the huge threat to privacy and security.
 
I deal with this at work. It was likely CryptoWall or CryptoLocker. They were not "hacked" into; someone on their network was sent a PDF file that they downloaded and opened, which sets off a script to run the encryption program in the background, and it spreads to all available local and networked drives it can. It will run one time, encrypt everything it can except for core OS files, then send the encryption key to a server, then delete itself. You have 30 days to pay $500 in bitcoins over a Tor browser to get the encryption key; after 30 days, they double the price to $1,000, and if you don't pay them, kiss your data goodbye.

For reference, the patient zero file was called UtilityBill.PDF; most people would never assume it was a virus, as it is not a .exe file.
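Several posts in this thread describe the same handful of behaviours from the defender's side: the payload runs from a user-writable location such as AppData or Temp without needing admin rights, a script host gets launched by a "clean" executable or a document reader, attachments carry double extensions like Slideshow.ppt.exe, and once running the malware renames and encrypts everything it can reach on network shares. The script below is an added example, not code from the thread or from any poster; it runs a few simple detection rules over constructed process-creation and file-rename records of the kind an endpoint agent or file-server audit log would produce. All paths, file names and share names in it are made up for illustration; the only tuning knobs are the list of user-writable path markers and the rename-burst threshold.

```python
"""Added example (not from the thread): a small rule set that flags the
process and file-activity patterns posters describe for crypto ransomware,
run over constructed sample records so it works offline.
"""
import re
from collections import Counter

# Directory markers a standard user can write to without admin rights.
# Constructed list; extend it for your own environment.
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\users\\public\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
DOCUMENT_READERS = {"acrord32.exe", "winword.exe", "excel.exe", "outlook.exe"}

# Attachment names that look like a document but are actually executable
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|ppt|pptx|txt|jpg)\.(exe|scr|com)$")

# Constructed process-creation events: (image path, parent image path)
SAMPLE_PROCESSES = [
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    (r"C:\Users\jdoe\AppData\Local\Temp\Invoice.pdf.exe",            # hypothetical name
     r"C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE"),
    (r"C:\Windows\System32\wscript.exe",                              # script host ...
     r"C:\Users\jdoe\Downloads\viewer.exe"),                          # ... from a "clean" exe
    (r"C:\Program Files\Adobe\Reader\AcroRd32.exe", r"C:\Windows\explorer.exe"),
]

# Constructed file-rename events on a share: (share, old name, new name).
# 25 documents get a new ".locked" suffix in a row; two renames are benign.
SAMPLE_FILE_EVENTS = [
    (r"\\fileserver\finance", f"report{i}.docx", f"report{i}.docx.locked") for i in range(25)
] + [
    (r"\\fileserver\finance", "draft.tmp", "draft.docx"),
    (r"\\fileserver\hr", "photo.jpeg", "photo.jpg"),
]


def basename(path):
    """Lower-cased final path component, so rules are case-insensitive."""
    return path.rsplit("\\", 1)[-1].lower()


def is_user_writable(path):
    """True when the path sits under a directory a non-admin user can write to."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def flag_process(image, parent):
    """Return the list of rules one process-creation event trips (empty = clean)."""
    reasons = []
    img, par = basename(image), basename(parent)
    if img.endswith(".exe") and is_user_writable(image):
        reasons.append("exe launched from user-writable path")
    if img in SCRIPT_HOSTS and (par in DOCUMENT_READERS or is_user_writable(parent)):
        reasons.append("script host spawned by document reader or user-writable parent")
    if DOUBLE_EXT.search(img):
        reasons.append("double extension masquerading as a document")
    return reasons


def scan_processes(events):
    """Map each flagged image path to its reasons; clean events are dropped."""
    return {image: r for image, parent in events if (r := flag_process(image, parent))}


def extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def flag_rename_burst(file_events, threshold=20):
    """Count renames that apply a new extension, per (share, new extension).

    A single process changing the extension of many files on one share in
    a short window is the file-server view of in-place encryption; the
    threshold filters out ordinary one-off renames.
    """
    counts = Counter()
    for share, old, new in file_events:
        new_ext = extension(new)
        if new_ext and new_ext != extension(old):
            counts[(share, new_ext)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for image, reasons in scan_processes(SAMPLE_PROCESSES).items():
        print(image, "->", "; ".join(reasons))
    for (share, ext), n in flag_rename_burst(SAMPLE_FILE_EVENTS).items():
        print(f"{share}: {n} files renamed to .{ext}")
```

The process rules are deliberately coarse: legitimate per-user installers such as the meeting clients one poster mentions also run from AppData, so in practice the first rule is a candidate for an allow-list rather than an automatic block. The rename-burst rule is the one that pays off fastest on a file server, because it fires within seconds of the encryption starting, which is exactly when disconnecting the offending workstation still saves most of the share.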
 
For reference, the patient zero file was called UtilityBill.PDF; most people would never assume it was a virus, as it is not a .exe file.

Another great security feature in Windows 8.x/10. Windows Store PDF apps as well as PDF viewing built into Edge. That said, I'm guessing this person was running as a local admin.
 
I don't think we are done with this story. Even if you pay out a blackmailer, it will still continue.
 
We are regret to have informed you that you're bank account haz ben compromised. Please click here to see your statement, and help us begin these tracking process.

Sincerely, your bank...

I worked for a company that would send emails all the time to employees with "click this link to change your password" and shit like that. 100k+ employee defense contractor. I said to our onsite IT guy that this is the opposite of what you want to do; it's training bad habits. Ended up getting hacked by China...
 
Wow, a Trojan that when running under admin privileges can do anything. How not novel. How like not least privileged user. Don't fucking always use a computer on the Internet logged in with admin/root access. Not that difficult these days even with Windows unless you're using some poorly designed software.

Yeah, it surprises me how common this type of stupidity is.

Having a separate admin account that you only use for admin tasks is the absolute basics of computer security. Running programs and doing shit in an admin account is just about as stupid as the people who disabled UAC when Vista first came out.
 