Hospital injects $60,000 into crims' coffers to cure malware infection

A US hospital paid extortionists roughly $60,000 to end a ransomware outbreak that forced staff to use pencil-and-paper records. The crooks had infected the network of Hancock Health, in Indiana, with the Samsam software nasty, which scrambled files and demanded payment to recover the documents. The criminals broke in around 9 …

  1. BillG
    Facepalm

    Remote Desktop Protocol

    This doesn’t appear to be a data heist. The hospital claimed no digital patient records were taken from its computers, just made inaccessible.

    Oh, so these were honest criminals?

    I'm sorry but a company that is so careless as to allow themselves to be hacked via Remote Desktop Protocol should not be taken at their word.

    1. Anonymous Coward

      Re: Remote Desktop Protocol

      It was most likely an automated attack rather than targeted anyway, we all know that. The Reg is just turning it into some really crappy Hollywood spin.

      Realistically as they apparently can't secure RDP they also don't have proper network tools in operation - so won't be able to say for sure if data was leaked because they probably had nothing monitoring incoming/outgoing traffic and volume.

  2. Anonymous Coward

    The hospital claimed no digital patient records were taken from its computers

    Based on the technical expertise shown up to this point, I doubt that they are capable of knowing if that is the case or not.

  3. Jonbays

    Clearly they had never actually tested backup and restore procedures and probably not even followed them. Don't bother backing up if you haven't ever tested that you can restore from a backup!

  4. johnrobyclayton

    Predators always exist in the presence of prey

    If you choose to be prey then you encourage the existence of predators to the detriment of everyone.

    Choosing to be prey is not taking preparatory steps to avoid being taken advantage of as well as the immediate surrendering of value to predators.

    A Hospital holding up their patients to defend themselves from the righteous criticism of their behaviour is deplorable.

  5. jake Silver badge

    First rule of animal training:

    Never reward bad behavio(u)r.

    1. AndrueC Silver badge
      Thumb Up

      Re: First rule of animal training:

      Agreed completely. If no-one in the history of humankind had ever paid up, kidnapping, extortion and blackmail would be of purely academic curiosity. Not only are those paying up rewarding criminals for their actions, they are also encouraging them to go for another victim.

      Criminals only do it because it's profitable.

      Unfortunately I would imagine that if you're a victim that's easier said than done :-/

  6. Anonymous Coward

    Lesson Learned

    Buy more bitcoin. They'll need it to recover from their next ransom. /joke

  7. Adam 52 Silver badge

    With bitcoin pricing the way it is, 4 btc was $62,000 when they paid, it's now (Wednesday morning) $44,000.

    I sort-of hope the baddies didn't cash out.

    I wonder why the authorities don't kill this sort of crime by preventing use of the payment method. Is following the chain too slow?

    1. Prst. V.Jeltz Silver badge

      "I wonder why the authorities don't kill this sort of crime by preventing use of the payment method. Is following the chain too slow?"

      Good question. Jurisdiction maybe? I know we can see the wallets in question, so in theory a country could pass laws to all exchanges that certain wallets contain "proceeds-of-crime" coins and to act accordingly... That would have various people up in arms about snooping I guess.

      Also I suppose that until they come to cash out it *is* fairly anonymous, and if they spend those coins without visiting an exchange ... they get spread around like real dirty cash would ... it all becomes a muddy mess and the criminal is effectively untraceable?

      Disclaimer: all of the above is my own wild uninformed speculation, and may well be incorrect.

      1. Anonymous Coward

        preventing cashing out

        One approach to enforce money laundering law might be for Interpol to maintain a real-time contaminated list of keys blocked from cashing out, based on crime reported by a member organisation; or an exchange which receives contaminated coins is fined the cash amount paid plus 10% under money laundering legislation. Any payment within the blockchain from a contaminated key contaminates the key which accepts the payment until the blockchain records a reversal of that payment.

        1. Anonymous Coward

          Re: preventing cashing out

          One approach to enforce money laundering law might be for Interpol to maintain a real time contaminated list of keys blocked...

          Good idea, but the poster above you highlighted the loophole. If they were never exchanged for cash on an exchange, no one really knows what happened.

          The real hacker can still cash in through other means (like physical cash) and send the coins to the trader's address. At worst, a few tens of thousands of unlucky people will get fined without knowing, since coins are 'sent' like a gift. Those people would only know they have contaminated coins after receiving them. Not to mention if the traders inter-traded the coins, then everyone will now have a connection to the contaminated coins. This is the reason cryptocurrency does have some anonymity.
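          The contamination rule proposed above (taint follows every payment out of a reported key until a reversal is recorded), together with the fan-out loophole the reply describes, as an added illustration that is not part of the original thread. The ledger is constructed sample data, not real chain records.

```python
from collections import deque

# Constructed ledger: (from_key, to_key, amount). Not real blockchain data.
TXS = [
    ("victim", "ransom_key", 4.0),
    ("ransom_key", "mixer_a", 2.0),
    ("ransom_key", "mixer_b", 2.0),
    ("mixer_a", "shop_1", 0.5),
    ("mixer_a", "bystander_1", 0.1),   # tiny "gift" payment taints a stranger
    ("mixer_b", "trader", 2.0),
    ("trader", "bystander_2", 1.0),    # inter-trading spreads the taint further
    ("clean_source", "bystander_3", 1.0),
]


def contaminated_keys(txs, reported, reversals=()):
    """Return every key tainted by payments flowing out of the reported keys.

    reported:  keys named in a crime report (e.g. the ransom address).
    reversals: (from_key, to_key) pairs the ledger has recorded as reversed;
               such payments no longer carry taint.
    Taint only follows outgoing edges, so the victim who paid stays clean.
    """
    reversed_edges = set(reversals)
    outgoing = {}
    for frm, to, _amount in txs:
        outgoing.setdefault(frm, []).append(to)

    tainted = set(reported)
    queue = deque(reported)
    while queue:                       # breadth-first walk over payments
        key = queue.popleft()
        for to in outgoing.get(key, []):
            if (key, to) in reversed_edges or to in tainted:
                continue
            tainted.add(to)
            queue.append(to)
    return tainted


def collateral(txs, reported, reversals=()):
    """Tainted keys other than the reported ones: the bystanders who get blocked."""
    return contaminated_keys(txs, reported, reversals) - set(reported)


if __name__ == "__main__":
    print(sorted(collateral(TXS, {"ransom_key"})))
    # After the ledger records a reversal of mixer_b -> trader, that branch is clean.
    print(sorted(collateral(TXS, {"ransom_key"}, [("mixer_b", "trader")])))
```

Two hops of ordinary spending are enough for the block list to hit keys that never dealt with the attacker, which is the objection raised in the reply.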

  8. adam payne

    The criminals broke in around 9.30pm on January 11 after finding a box with an exploitable Remote Desktop Protocol (RDP) server, and inject their ransomware into connected computers.

    Got hit via RDP *shakes head*

    Update policy?

    "Restoring from backup was considered, though we made the deliberate decision to pay the ransom to expedite our return to full operations."

    Sounds like they haven't tested their backups before, hmmmm.

    You may think that you have the best backup policy in the world but if you haven't tested it then you would be wrong. All you have is a piece of paper.

    This doesn’t appear to be a data heist. The hospital claimed no digital patient records were taken from its computers, just made inaccessible.

    Not quite sure if people will believe that statement.

    1. Voland's right hand Silver badge

      Data

      I have some vague recollections of a specific legislative regime on medical data in most US states. It will be interesting to see if the local prosecutor agrees with their assessment.

    2. Captain Scarlet Silver badge

      Or they had tested their backups and, like many companies are finding, realised it could take weeks to restore essential services.

      1. Flakk

        Or they had tested their backups and, like many companies are finding, realised it could take weeks to restore essential services.

        Physicians, Business Impact Analysis thyselves!

  9. jms222

    It's not just about backups. It's also sensible permissions, like not allowing old fixed documents to be trashed. Also versioning file-systems (such as ZFS). Mostly common sense.

  10. Mystereed

    RPO & RTO?

    They could get their data back from backups without any loss. That meets the Recovery Point Objective.

    They couldn't get it back in time to continue normal operation though. So was their Recovery Time Objective wrong (of course everyone can wait a week, I don't want to pay extra to get it back in 2 hours!) or was the recovery procedure unable to meet the RTO? Which, if it is a supplier, could result in a claim?

  11. My other car is an IAV Stryker
    Angel

    NIMBY

    My son was in a US hospital for a couple of days earlier this month. They were having computer issues during roughly a quarter of his stay.

    Living here almost 13 years, with ~8 family visits to the same hospital (inpatient and outpatient, including births of all our kids), this has been the only time the computers were completely "down" as opposed to the usual "slow". I feared the subject of the article would be said local hospital -- which would have explained the outage -- but I am also relieved it is not.

    Sorry, Indiana. Your problem, not mine.

    1. jake Silver badge

      Re: NIMBY

      "Sorry, Indiana. Your problem, not mine."

      Are you sure? Did they explain the outage, with proof?

  12. Potemkine! Silver badge

    Now that hackers know this hospital pays ransom...

    ... this hospital can expect to be heavily under attack. Because they let RDP servers in the wild, one can suppose there are other major vulnerabilities to be exploited.

    Paying the ransom is like screaming "please attack me again!"

  13. Frank Bitterlich
    Childcatcher

    So, how about organ transplants?

    A quote from an unnamed individual from the hospital which was transported back through time to me from the year 2023:

    "Yes, we know it's a bad idea, but we were running out of kidney donors, so we made the conscious decision to buy a few from the black market. After all, it saved patients' lives!"

  14. Anonymous Coward

    See how they like it.

    Find out who the hackers are and double their health insurance premiums.

  15. Blotto Silver badge

    Would be nice to know if it was cheaper to pay the ransom than the staff time to restore and then test the restoration.

    A tech is ~$300 USD per day; 10 techs = $3k, plus costs for other hospital staff taking longer to do stuff, plus outside consultants, plus FBI time.

    If the ransomware is priced right and reputable for handing over the keys then paying suddenly becomes a cost effective reasonable option.

    Probably one not looked into in depth until it happens to you.

    1. jake Silver badge

      The first one's always cheap.

      Ask any drug dealer.
