Alabama-based DCH Health System said it has paid off the hackers behind a ransomware attack that severely disrupted operations at three hospitals beginning on Tuesday morning, according to a Saturday report by Tuscaloosa News. The news closely follows an FBI warning that the number of sophisticated attacks on businesses and state and local governments is continuing to climb.
Ransomware attacks work by encrypting entire file systems, with attackers demanding ransom payments (typically in cryptocurrency) to provide the correct decryption key. In the last few years, targeted ransomware attacks on businesses demanding big payouts have become one of the highest-profile cybersecurity issues in the country. In the Alabama incident, medical staff at hospitals in Tuscaloosa, Northport, and Fayette were forced to switch to a manual paper system to track patient data while their systems were down. All three hospitals said they would divert “all but the most critical new patients” to other area health care centers for the duration of the outage.
DCH officials haven’t revealed how much was paid, according to the Tuscaloosa News, but system spokesman Brad Fisher said on Saturday morning that the company had teams working constantly to undo the damage and no patient information was compromised. A data breach on Friday at UAB Medicine in Birmingham, in which hackers unsuccessfully tried to steal automatic payroll deposits, appears to be unrelated, the paper reported.
“We worked with law enforcement and IT security experts to assess all options in executing the solution we felt was in the best interests of our patients and in alignment with our health system’s mission,” Fisher told the Tuscaloosa News. “This included purchasing a decryption key from the attackers to expedite system recovery and help ensure patient safety. For ongoing security reasons, we will be keeping confidential specific details about the investigation and our coordination with the attacker.”
In a statement on the DCH website, the company said it was working with law enforcement and IT teams had begun “using our own DCH backup files to rebuild certain system components, and we have obtained a decryption key from the attacker to restore access to locked systems.” DCH will continue redirecting patients to other institutions in the meantime, the statement continued, because the recovery will “require a time-intensive process to complete, as we will continue testing and confirming secure operations as we go.”
The specific ransomware variant involved has been reported to be Ryuk, which the UK’s National Cyber Security Centre warned in July 2019 has become a global threat. According to security firm Crowdstrike, there is significant evidence that Ryuk attacks may be being coordinated by a single cybercrime group based out of Russia known as GRIM SPIDER (which appears to be a “big game hunting” cell of a larger group, WIZARD SPIDER).
“Payouts are the fuel that drive ransomware attacks,” Brett Callow, a spokesman for cybersecurity firm Emsisoft, told Gizmodo via email. “The only way to stop attacks is to make them unprofitable. That isn’t to say that impacted entities should never pay—an organization like a hospital may have little choice in the matter—but rather that they should bolster their security to avoid being impacted in the first place. And this is especially true for entities like hospitals which provide critical services.”
Earlier this month, Emsisoft released a report indicating that in the first nine months of 2019, at least 621 “government entities, healthcare service providers and school districts, colleges and universities” have been subject to ransomware attacks. The cost of the attacks is “not possible to estimate” due to the lack of publicly available data, Emsisoft wrote, but the total is known to be in the tens of millions and could be in the hundreds of millions.
Emsisoft also found that 491 of the attacks were on healthcare providers, which included: a community health center in Louisville, Kentucky; an attack on cloud management service PerCSoft that reportedly affected hundreds of dental offices; and an attack on a hospital in Wyoming. The security firm warned that attacks on managed services providers (MSPs), companies that provide external tech support to clients, are on the rise and that average ransom demands are climbing, encouraged by payouts from victims and insurance companies.
Emsisoft strongly encourages institutions and individuals facing a ransomware attack to use free services available on their website and ID Ransomware, run by Emsisoft researcher Michael Gillespie in his spare time, to check whether the specific type and version of the malware involved has already been cracked. However, Callow noted that Ryuk is “probably the most problematic ransomware out there at the moment” because it contains bugs that make it impossible to recover a sizable percentage of encrypted files.
“The code contains bugs that causes it to damage about 1 in every 8 files that it encrypts, so there is almost always data loss in these cases even when the ransom is paid (our solution doesn’t enable those corrupted files to be recovered),” Callow wrote to Gizmodo. “This is due to an error handling issue. In simple terms, Ryuk’s error handling is: ‘If something goes wrong, abort without writing the encryption key.’ This means that if there is an issue with reading or writing a file over the network, which happens a lot, then that file is toast.”
“Consequently, some data is encrypted, but the encryption key is never saved—and because Ryuk doesn’t encrypt files into a copy first, but writes to the original directly, those files are irrecoverable,” Callow added.
The FBI issued a warning on Oct. 2 that ransomware attacks are “becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent,” with the number of “broad, indiscriminate ransomware campaigns” falling sharply but losses from targeted ones increasing significantly. The FBI added that in some cases, victims who paid ransoms were never given an encryption key.