If You Pay The Ransom, Will You Recover?

Recently, Alabama-based DCH Health System announced that it had paid the hackers behind a ransomware attack that hit the system over a week ago. This came soon after the FBI warned that sophisticated attacks like this are expected to be on the rise in Q4 of 2019.

How does a ransomware attack work?

Essentially, a ransomware attack crawls your network, encrypting all files on each computer or device it encounters along the way. Typically, attackers demand ransom payments (in cryptocurrencies such as Bitcoin) in exchange for a decryption key.

Over the past few years, ransomware attacks like the one hitting DCH have grown to be the norm in healthcare. Organizations from small clinics all the way to enterprise healthcare systems have suffered from ransomware recently.

In the recent past, ransom demands have increased to amounts many facilities—even local governments—have been reluctant to pay (the demands have increased multi-fold over the past year for a variety of crime rings).

The Alabama incident late last month has become one of the most-watched and highest profile events this year for a variety of reasons.

In the case of DCH, medical staff at all facilities, including Tuscaloosa, Northport and Fayette, were forced to close doors to incoming patients and to switch to manual paper methods as a result of locked-down computer systems. All three hospitals were diverting patients to Birmingham-area and Mississippi hospitals as a result of workloads overloaded by paper downtime procedures.

While DCH hasn’t released the sum of money paid for the ransom, cyber experts are concerned with the ransom payment for several reasons:

  1. It puts DCH as a prime target for future attacks—with a history of paying a ransom, DCH is more than 3 times more likely to get hit again. You see, cybercriminals take note of when an organization actually pays a ransom, and many publish lists of these victims on the Dark Web. The likelihood that a victim who pays a ransom gets hit a second time with a ransomware attack is more than three times that of an organization that declines to pay.
  2. DCH PHI may be published online—one of the biggest fears from a variety of cybersecurity experts is that DCH is putting its patient records at risk. While DCH officials assure that no PHI was accessed during the decryption process, experts warn that the decryption key touches every single file it decrypts (and sends back messages to the criminal’s server in the process). It is unclear how DCH can validate their claim that no patient data was breached. Many cybercrime rings have released files after secondarily asking for additional payments from victims, leaking sensitive information across the internet.
  3. Decryption will NOT completely restore systems—especially with the Ryuk ransomware virus in question, experts already know that paying the ransom historically has led to partial decryption of files. This means that even when an organization pays for a decryption key, it may end up with a file system that has critical information still locked down and encrypted. Since many viruses like the Ryuk strain contain many bugs, they are not surefire, trustworthy programs that do what they’re intended to do. Even if you pay the ransom you may end up with an encrypted machine!

If you pay a ransom you are fueling more attacks

One piece that many don’t initially consider is that when you pay a ransom, you are fueling the cybercrime community. Where does your money go? Into developing more devastating and life-altering viruses targeting hospitals, governments and other entities. By paying a ransom, you essentially are fueling the organizations that are committed to causing you and your community harm. In many cases, these bad actors are government-sponsored state attackers that are vigorously working at attacking US-based facilities. Is this something you really want to invest hard-earned dollars in?

One last thought—the FBI warned earlier last week that ransomware attacks are becoming more targeted, sophisticated and costly to clean up. As hospital systems like DCH get attacked (we already know they are targeting healthcare) and systems lean towards paying the ransom as a quick fix for an immediate issue (this is a very hard decision and I’m sure was in the case of DCH), will hospitals be hit harder and have even worse problems treating the patients they are dedicated to serving?

Many facilities have stepped up to the plate to ensure their facilities are secure against ransomware attacks like the Ryuk virus. The question is: are you doing everything to keep ransomware viruses at bay in your facility?