Indiana Hospital Pays $55,000 to Get Rid of Ransomware

January 24, 2018

On January 11, Hancock Health became the latest medical center to fall victim to a ransomware attack. The Greenfield, Indiana hospital says its files were backed up, but opted to pay the $55,000 ransom anyway to more quickly restore its systems.

Hospital staff used paper and pencil while the computer system was evaluated.

Hancock Health CEO, Steve Long, told the Greenfield Daily Reporter that no appointments were canceled as a result of the attack (though snowy weather helped by causing cancellations and reducing patient volume). Many hospital patients didn’t even know there was an issue, and Long doesn’t think any sensitive information was compromised in the attack.

According to Fox affiliate WISH, SamSam is the ransomware that infected Hancock Health. After encrypting files, the malware displayed a ransom note that demanded four bitcoins (which was approximately $55,000 at the time of payment).

“We wanted to recover our systems in the quickest way possible and avoid extending the burden toward other hospitals of diverting patients,” Long told WISH. “Restoring from backup was considered, though we made the deliberate decision to pay the ransom to expedite our return to full operations.”

SamSam targets vulnerabilities in servers and requires no interaction on the victim’s part.

Many ransomware attacks are the result of incautious employees clicking on malicious links or attachments in emails. SamSam instead searches for vulnerabilities on servers that have not been properly configured or updated.

According to an FBI statement, SamSam has successfully targeted healthcare facilities in the past. One noteworthy case is that of Erie County Medical Center (ECMC) in Buffalo, New York. After being infected by SamSam, the hospital decided not to pay the ransom. ECMC had backups, and administrators doubted that the hackers would restore files even after being paid. Staff used workarounds and non-electronic processes for over a month before all functionality was restored.

“Our people were tested, and it blew me away. They have been resourceful, and have rallied around each other and the patients,” ECMC CEO Thomas Quatroche told The Buffalo News. “There also was a silver lining in that we learned that having administrators do rounding through the hospital is something we need to do more of in the future.”

While Quatroche keeps his perspective positive, the ransomware did a great deal of financial damage. Officials estimate that the attack cost $10 million. Overtime and lost business made up some of the losses, but much of the money went toward beefing up hardware and software to ensure a ransomware attack never succeeds again.

Whether victims pay a ransom or not, the FBI encourages them to report cyberattacks.

Businesses affected by ransomware should report the incident to the Internet Crime Complaint Center. By tracking attacks and tactics, the FBI has a better chance of catching hackers and helping businesses avoid infections.

There were almost 3,000 reported complaints about ransomware in 2016, and because fraud is severely underreported, the actual number of attacks is likely much higher. The attack on Hancock Health proves that medical centers remain an attractive target to cybercriminals. Hospital administrators should take measures to improve their IT security and consider buying cyber insurance.