Ransomware is one of the more insidious types of malware making the rounds as well as the news. It is a piece of software that encrypts your data and holds it for ransom. Until very recently, this had been an attack that struck individuals. Once a ransom was paid, the perpetrator would then provide the victim with the key to decrypt their data.
However, on or about February 5, a hospital in California fell victim to ransomware which effectively shut down the hospital’s IT systems. The Hollywood Presbyterian Medical Center was reported to have had its systems compromised by the malware attack, and some media sources have put the purported ransom demand as high as US $3.6 million. After repeated attempts to restore its systems and data, it was reported on February 18 that the hospital paid the perpetrator(s) a ransom of 40 bitcoins, the untraceable cryptocurrency, worth approximately US $17,000 at the time. While that is of course much less than $3 million, it is still a very significant cost which, when coupled with the public knowledge of the attack, places the hospital’s reputation in question.
Allen Stefanek, the Chief Operating Officer for the Hollywood Presbyterian Medical Center, confirmed that the ransom was paid, stating that “the quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.” He also confirmed that after paying the ransom, the hospital received the keys to decrypt their data, and normal operations were resumed after the systems were cleansed of malware.
While the hospital did what they felt was necessary to restore normal operations, many may argue that they should not have paid at all. The concept of “not negotiating with terrorists” is not too far off the mark, though of course this was not a terrorist act, merely a criminal one. However, there are some things to consider.
Often, ransomware attackers may not realize that they have compromised a business, and so their demands are for sums that individuals could afford. If presented with a ransom demand that is relatively trivial in amount, and lacking any reliable backups from which to restore, it may make sense to pay up quickly, before the perpetrator realizes they could ask for more. It’s very close to settling a nuisance lawsuit because it’s cheaper than defending against it – it may personally offend your sensibilities to do so, but it may also be the more cost-effective solution.
Late last year, the FBI’s Joseph Bonavolonta, while speaking at the 2015 Cyber Security Summit, advised his audience that businesses who are victimized by ransomware may just need to pay up. Bonavolonta said “To be honest, we often advise people just to pay the ransom.” If that’s the advice from law enforcement, who’s to say that’s not the right call?
Should the hospital have paid the ransom? That depends. If they were unable to recover the data in any other way, and they were able to negotiate the costs down to a point where paying was the cheaper alternative to starting from scratch, then they may have had no other choice. There are also other things that come into play. Having a hospital attacked means you are dealing with life and death situations. You are dealing with patients not receiving the care they need. You are dealing with loved ones and patients who are already on edge because they are afraid, and now they are also afraid that their data has been compromised. And what is more valuable in this situation? The ransom, or the health of the customers?
But by paying the ransom, they have only proven to criminals that targeting enterprises, rather than individuals, can be successful. We can certainly expect further incidents of ransomware being used against other companies in the coming months. If your business falls victim to ransomware, whether you pay the demands or not is a decision you will need to make. Preventing malware from getting in is the best way to avoid this issue. Cybersecurity awareness, a robust email security solution, internet monitoring software, and endpoint protection will go a long way toward preventing ransomware.
Having a strong Disaster Recovery program that includes offsite/offline backups, so that you can recover quickly without having to pay up, is probably the better approach.