WatchPoint Security Blog

Hospital Paid the Ransom, but the Criminals Didn’t Decrypt the Files

Written by Michael Collis | May 24, 2016
Kansas Heart Hospital in Wichita was the latest in a string of hospitals around the country to be hit with ransomware. The amount of the ransom request is unknown, but we do know that the hospital paid the initial ransom, only to be left high and dry as the hackers did not decrypt their files. Instead, they asked for a second ransom to be paid, which the hospital refused to do. "The policy of the Kansas Heart Hospital in conjunction with our consultants felt no longer was this a wise maneuver or strategy," hospital President Greg Durick said.
 
 
The hospital did have a plan if such an attack were to take place, "That plan went into immediate action. I think it helped in minimizing the amount of damage the encrypted agent could do," Durick said.
 
Wouldn’t part of a plan include not paying the ransom and rebuilding from your backups? Or were there no backups in place?
 
Whatever the outcome for Kansas Heart Hospital, it can take slight comfort in not being the only recent victim of cyberattacks on hospitals. In February of this year, a large Los Angeles hospital paid $17,000 to end a ransomware attack. Its CEO was quoted as saying that paying was in the best interest of the hospital and the most efficient way to end the problem.
 
It is not. DON’T PAY.
 
1) You can take the chance of paying the ransom and cross your fingers that this cybercriminal will give you back your data. This is a risky move and one we at WatchPoint do not recommend. Can you really trust that a cybercriminal is going to do as they have promised? Heart Hospital obviously did. They were wrong.
 
We have seen many cases where even if you wanted to pay, you couldn't. The offender’s payment system gets shut down. The decryption tool doesn't work or was never even built. Or, perhaps worst case, you pay, and they ask for more. Hey, if you are going to pony up the cash once, you are going to do it again, right?
 
2) In our opinion, your best option is to restore from backup. Hopefully, you have made a wise investment in a solid backup provider that stores your data off-site. This can get you back up and running in anywhere from a few hours to a few weeks, depending on how severe the loss of data was and how the backups are stored.
 
3) You can recreate all of your data. If you don't have a solid backup and do not like the idea of paying off criminals, your only other option is to recreate all that data. This sounds like a fun idea, doesn't it?
 
So - What Can You Do to Prevent This?
 
WatchPoint recommends Defense-in-Depth, meaning using multiple layers of defense, including WatchPoint CryptoStopper.io. A typical Defense-in-Depth model would include CryptoStopper.io, updated AV, Endpoint Detection and Response, a firewall, and intrusion prevention. CryptoStopper.io continuously monitors your system for ransomware activity. When ransomware is detected, CryptoStopper.io isolates the offending user, notifies you of the infection, and prevents any damage from occurring. Learn more and download a fully functional 14-day test drive. The trial allows you to simulate a ransomware attack on your network and see the isolation process in action.
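To make the "monitor, detect, isolate, notify" loop concrete, here is an added example of a behavioral ransomware detector. It is not CryptoStopper.io's code and does not describe how that product works; it assumes one common heuristic, namely that a single user account overwriting many files with high-entropy (encrypted-looking) content in a short window is a strong indicator of ransomware. The file-change events, user names and paths are constructed sample data, and the `RansomwareDetector` class and its thresholds are this example's own choices.

```python
import math
from collections import defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform random bytes.
    Plaintext documents typically score well below 6; ciphertext and compressed data score near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class RansomwareDetector:
    """Sliding-window heuristic (assumed for this example): a user is flagged and isolated
    when most of their recent writes replace file contents with high-entropy data."""

    def __init__(self, window_seconds=10.0, min_writes=5, entropy_threshold=7.0, high_ratio=0.8):
        self.window = window_seconds            # how far back recent writes are counted
        self.min_writes = min_writes            # avoid alerting on one or two odd files
        self.entropy_threshold = entropy_threshold
        self.high_ratio = high_ratio            # fraction of recent writes that must look encrypted
        self._writes = defaultdict(deque)       # user -> deque of (timestamp, is_high_entropy)
        self.isolated = set()                   # users whose access should be cut off
        self.alerts = []                        # human-readable notifications

    def observe(self, ts: float, user: str, path: str, data: bytes) -> bool:
        """Record one file write. Returns True when the write should be blocked because
        the user is (or has just become) isolated."""
        if user in self.isolated:
            return True
        q = self._writes[user]
        q.append((ts, shannon_entropy(data) >= self.entropy_threshold))
        # Drop writes that fell out of the sliding window.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        total = len(q)
        high = sum(1 for _, is_high in q if is_high)
        if total >= self.min_writes and high / total >= self.high_ratio:
            self.isolated.add(user)
            self.alerts.append(
                f"t={ts:.1f}s: isolating user '{user}' after {high}/{total} "
                f"high-entropy writes in {self.window:.0f}s (latest: {path})"
            )
            return True
        return False


def build_sample_events():
    """Constructed sample telemetry: (timestamp, user, path, new file contents)."""
    plain = b"Quarterly cardiology staffing report: lines of ordinary English text. " * 40
    encrypted_like = bytes(range(256)) * 16    # uniform byte distribution, entropy exactly 8.0
    events = []
    # A normal user editing a few documents over four seconds.
    for i in range(4):
        events.append((float(i), "alice", f"/share/reports/report{i}.docx", plain))
    # A compromised account overwriting records with encrypted-looking data every half second.
    for i in range(6):
        events.append((2.0 + i * 0.5, "mallory", f"/share/records/patient{i}.pdf", encrypted_like))
    return events


def run_detector(events, **kwargs) -> RansomwareDetector:
    """Replay events through a detector and return it for inspection."""
    det = RansomwareDetector(**kwargs)
    for ts, user, path, data in events:
        det.observe(ts, user, path, data)
    return det


if __name__ == "__main__":
    det = run_detector(build_sample_events())
    for line in det.alerts:
        print(line)
    print("isolated users:", sorted(det.isolated))
```

In a real deployment the `observe` call would be driven by a file-system audit feed (for example, inotify or Windows file auditing on a file share), and "isolating" the user would mean revoking the account's share access or network session rather than just adding a name to a set. The entropy test alone has known blind spots, such as legitimate writes of compressed or already-encrypted files, which is why the detector also requires a burst of such writes from one account before acting, and why it belongs alongside, not instead of, the other layers the post lists.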