Hackers successfully took a Los Angeles hospital for ransom, demanding a payment of $3.6 million in Bitcoin for the safe return of its electronic records before ultimately settling for a $17,000 payoff.
It’s not the first story of cyber-criminals demanding a payoff to release infected systems, but it’s one of the most brazen examples to date. While debate rages around law-enforcement demands for back-door access to encrypted online communications, these hackers have turned encryption into a weapon.
Citing reports from local Fox News and NBC News affiliates, the Atlantic sums up the case as an intrusion into the computer systems of the Hollywood Presbyterian Medical Center, beginning last Friday. Once they were in the system, the hackers locked down most of the hospital’s electronic records with encryption software.
Until the hackers provide the key, or white-hat hackers can break the encryption, the hospital cannot access medical records, X-ray results, CT scans, or other test data.
“The fact that hackers were able to encrypt patient records doesn’t necessarily mean they gained access to those files, but the goal of this type of cyberattack isn’t to get to patient information; it’s to make sure that the hospital can’t get to it, either,” writes the Atlantic.
Hospital officials have described the attack as “random.” The Atlantic notes that ransom attacks are increasingly common, with previous targets including not only medical facilities, but even some small police departments.
These crimes are also extremely effective. Security experts note that cracking malicious data encryption can be nearly impossible, and even restoring data backups to a huge computer system can cost much more than paying the ransom. Some ransom viruses even seek out and encrypt or destroy networked backups, or persistently attack recovered data, removing the option of data restoration entirely.
In 2013, one notorious ransomware gang was estimated to have raked in $30 million in just 100 days, in part because they had shrewd business practices and made extra money trading their Bitcoin loot.
Ransomware thieves have a pretty good track record of getting away with the crime, especially if they keep their operations small. An operation called CoinVault was busted by Dutch police, working with the Kaspersky anti-virus company, last September, but there aren’t many other high-profile stories of successful prosecution. Even the FBI has admitted it often advises victims to pay the ransom.
The Hollywood Presbyterian Medical Center tried to put on a brave face, insisting patient care was not compromised and they could do business using paper records, but media interviews with patients made it clear that wasn’t true.
In the end, Gizmodo reported on Wednesday that the hospital agreed to pay the hackers $17,000 in Bitcoin, a move described by CEO Allen Stefanek as “the quickest and most efficient way to restore our systems and administrative functions.”