Slashdot Mirror


L.A. Hospital Pays Off Ransomware Thieves To Reclaim Its Network (google.com)

Los Angeles' Presbyterian Medical Center, the target of a successful ransomware attack (successful from the thieves' point of view, that is) has buckled under: to regain control of its network, the hospital has paid a 40-bitcoin ransom (about $17,000) to the gang responsible. That, at least, is a far cry from the much higher ransom widely reported to have been initially demanded: 9,000 bitcoin. (That would have meant a payment of $3.6-3.9 million.)

27 of 159 comments

  1. Preeeecious by Tablizer · · Score: 4, Insightful

    They fed the trolls.

  2. At that price... by MrKrillls · · Score: 2

    Cheaper to pay than to fix it themselves. Yes?

    --
    Don't step on the baby.
    1. Re:At that price... by Harlequin80 · · Score: 3, Informative

      By an absolute mile. At $17,000 you would just pay it straight away. They would have lost far more as a result of the systems being offline, and assuming the ransomware had got itself all through their systems it would have been orders of magnitude more to clean the system if it was even possible.

    2. Re:At that price... by Jeremi · · Score: 5, Insightful

      Of course, this does assume that the ransomers won't come back and ask for more money next week.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    3. Re:At that price... by MtHuurne · · Score: 5, Informative

      It's a short-sighted solution though. Their systems are still vulnerable, probably even still infected. And they validated the business model of the attackers, so more attacks will be coming.

      Also, while the CEO insists that hospital records were not compromised, I'm reading that as "the attackers weren't interested in hospital records", not "the hospital records were safe".

    4. Re:At that price... by arbiter1 · · Score: 4, Insightful

      Or that the thieves didn't already download a ton of patient data off their machines, which, since they accepted such a low amount compared to what they wanted, sounds like they got enough info to make a ton of $ off identity theft.

    5. Re:At that price... by Harlequin80 · · Score: 3, Insightful

      Short-sighted from an industry view, probably not from the hospital's view. You would hope they have air-gapped their network from the internet at this stage while they reappraise their security and plug holes. From my understanding the ransomware attackers don't normally attack the same target twice as you are less likely to pay up if you think it will happen again. So this should protect them from the current infection.

      It also wouldn't surprise me if patient records were untouched. Those are probably behind higher levels of security than the rest of the network. What I suspect happened is they lost a way of accessing them because all their other systems went down.

    6. Re: At that price... by Maritz · · Score: 2

      That's the per-sheet rate. Can't believe you thought you'd get a whole roll just for that. The very idea, LOL !!!

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    7. Re:At that price... by KGIII · · Score: 2

      It's true that that's a good assumption to make but there's no real way to know if they had anything with a greater complexity than simply encrypting via remote. I've actually seen/read some of the malware that is out there - it was actually up on GitHub and at PasteBin. I can't actually say, for certain, what it was but it is pretty simple. It's not nearly as complicated as one might think - and it doesn't actually do anything more than just encrypt.

      Basically, the two samples that I've seen did this:

      Get attached to something - it rides in via a trojan or an exploit in a browser or something like that.
      It sends back a report to a C&C server.
      It checks for attached shares, drives, attached devices.
      It sends back a report to the C&C - it is not a RAT or anything like that. (Usually a compromised server, seems to be a PHP page.)
      As near as I can tell - I've not seen the C&C itself, it then lets them send a command when they want and not much else - it just lays dormant.
      It will keep sending reports to let you know if it's found new connected devices and it continues to wait.
      They encrypt it (I guess they could wait) and it generates a key and assigns that device/devices/hack a number.
      I don't know what they do with the key - I assume they save it along with the number.
      This locks the computer pretty much - I think they can kind of select which things they'll encrypt but it doesn't look all that refined.
      It doesn't look like they can even wildcard, they can do whole folders and not, say, *.doc or whatnot.
      They can then send a message that will appear on the screen that includes directions on how to get the key.
      One of them appears to be able to decrypt from remote? I'm not sure if they have a system to store the key at the C&C and point & click.
      They can include other comments, like contact details or whatnot - I assume they do as the hospital was able to communicate with them.
      That's about it.

      So, unless it's packaged with other things, that's all I've seen. I'm sure it can be daisy-chained. It just looks like they package it up with exploits or attach it to executables, or things like that. I imagine they can do some tweaking with it? I imagine they can spear-phish and whatnot. It doesn't look as complicated as we might think. It doesn't do *anything* other than that - in the cases that I've seen.** There's no magic sauce, no real control, it doesn't afford any way to exfiltrate the data, no method to be really all that specific about what they attack, and they can't really encrypt everything or the user would have no control of the OS at all as it wouldn't even boot.

      ** It should be clear that I'm not a programmer. I have done some programming, quite a bit of it. Just not in a long time and I'm not that good. But, if it did more than that, I did not see it in the code. It's really very basic. I have not seen the C&C server but it connects to a PHP file and you simply change that to your own server - I'm assuming they use compromised servers and just keep it hidden in some dusty old folder that the admin is unlikely to notice. There's no reason it couldn't be attached to something else but, by itself, that's all it appears to do.

      --
      "So long and thanks for all the fish."
  3. How much is that in commodity medical supplies? by xxxJonBoyxxx · · Score: 5, Informative

    >> the hospital has paid a 40-bitcoin ransom (about $17,000)

    That's about 340 tablets of hospital aspirin or 680 hospital bandaids for those counting at home.

    1. Re:How much is that in commodity medical supplies? by Rinikusu · · Score: 5, Funny

      17 of those Shkreli specials.

      --
      If you were me, you'd be good lookin'. - six string samurai
    2. Re:How much is that in commodity medical supplies? by dcollins117 · · Score: 2

      It takes a special talent to miss the point so completely.

      While it is true you can buy aspirin over the counter for a fraction of a penny per pill, that is not the same price you will be billed if you are hospitalized in the US and a nurse gives you the exact same aspirin. OP suggested, perhaps tongue-in-cheek, a price of $50 USD per pill. That's only about twice as much as reported here.

      In L.A. I would not be surprised if they charge $50 per aspirin.

    3. Re:How much is that in commodity medical supplies? by ThatsNotPudding · · Score: 2

      > That's about 340 tablets of hospital aspirin or 680 hospital bandaids for those counting at home.

      Can you convert that to Danegeld?

    4. Re:How much is that in commodity medical supplies? by U2xhc2hkb3QgU3Vja3M · · Score: 2

      Not my fault if you live in a you're-poor-so-you're-going-to-die country.

      In real countries, health care is free and everyone is billed a small amount.

  4. So, will they ever spend these bitcoin? by JoeMerchant · · Score: 4, Interesting

    And, can the FBI monitor the blockchain to get IP addresses where these coins were accessed from when the hospital handed them over?

    1. Re:So, will they ever spend these bitcoin? by Time_Ngler · · Score: 4, Funny

      Only if they can get the courts to force a silicon valley company to do it for them

  5. Now What? by Irate+Engineer · · Score: 3, Funny

    I'm sure that they are going to take the $3.6 million that they didn't have to pay during this episode and devote that to upgrading and securing their systems to prevent the possibility of future attacks like this. That would be the smart thing to do.

    Right?

    --
    Left MS Windows for Linux Mint and never looked back!
    Vote for Bernie in 2016!

    1. Re:Now What? by aaarrrgggh · · Score: 3, Insightful

      Unfortunately, that is only $8k per bed, or likely around $800/employee. Hell, it is really only two FTEs for the next 5 years...

      A grossly flawed system is much more expensive to fix than that. Maybe they could afford a backup system that is resistant to bitlocker though...

    2. Re:Now What? by Shadow99_1 · · Score: 5, Informative

      lol, I've seen some major hospitals that have 2 entire IT people on staff (an admin and an assistant)... I applied for a network admin position at a hospital with 2 IT employees (though I didn't know that until the interview) for 400 employees and well over 300 connected systems (from tablets doctors used, to connected hardware, routers, and servers of various types, as well as dedicated workstations for nurses). They also used highly specialized systems that were extremely complex. Oh and did I mention satellite offices for doctors that are part of their network, but not onsite? Yeah... Huge mess there.

      Because obviously all this tech in a modern hospital can just work on its own. No one ever wants to keep enough IT staff on hand to deal with regular maintenance because that would take away from executive bonuses. Hospitals are not any different, even as they are required to push further into the digital realm. This is the direct result. Oh and they don't even usually pay that well. Heck I think half the interviews I've had with companies lately are just to 'prove' a native worker wasn't 'qualified' to do the job even though my resume is solid. Good luck to the sucker from India getting those jobs.

      --
      we are all invisible unless we choose otherwise
  6. Backups? by Anonymous Coward · · Score: 5, Informative

    Good god, doesn't anyone keep backups anymore?

    1. Re:Backups? by gavron · · Score: 3, Interesting

      Yes. I have backups. You have backups. You're modded down to 0 for a perfectly reasonable question.
      I'm sure I'll soon join you.

      Meanwhile the dipshits that run public hospitals DON'T have a usable backup strategy, pay trolls ransom,
      and the new slashdot posts it as if it's big news.

      Big news would be if someone actually had a backup and DIDN'T pay the ransom... or if they got LEOs
      to actually FIND the bad guys. Paying ransom... heck, even the LEOs pay ransom. https://www.google.com/search?...

      E

    2. Re:Backups? by Solandri · · Score: 5, Interesting

      A friend of mine runs a multi-million dollar construction supply company and her work computer got hit with a ransomware virus. As she is manager/accountant, it was pretty serious. Fortunately she had a competent IT staff which regularly backed up her system. So they just pulled her computer offline (so it couldn't spread to other systems), and restored everything to a new computer (this is why companies like to buy a bunch of identical Dell systems). And she was back in business the next day.

      Except for one file which she had been working on the day the ransomware hit, and thus hadn't been backed up. As it turned out, the ransomware authors had programmed it to allow the victim to decrypt one file - to prove that it could in fact be decrypted, and hadn't just been deleted. So she of course chose that file to decrypt, and ended up with no data loss. The only loss was she couldn't work for a day.

      That's why you never hear stories of competent IT saving the day. When they do, it's a non-event about as serious as someone calling in sick for a day. It's only when they fail that the problem becomes serious enough to be news-worthy.

    3. Re:Backups? by JoeMerchant · · Score: 2

      Anyone who has over 1GB of "valuable business information" is either archiving video, or doing it wrong. The age old strategy of hourly backups for 24 hours, daily backups for a week, weekly backups for a month, monthly backups for a year, and annual backups beyond 12 months only requires 45x the storage space of the original, and backups can be compressed.

      A $99 2TB drive should be able to easily store 25GB of valuable data, backed up hourly - for all the hours that matter to anyone.
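      The tiered rotation described above (hourly for a day, daily for a week, weekly for a month, monthly for a year, yearly beyond), as an added example that is not the poster's code: it decides which snapshots a backup host keeps by retaining the newest snapshot per tier bucket. The tier boundaries (24 hours, 7 days, 31 days, 365 days) and ISO-week bucketing are my assumptions.

```python
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)

def _bucket(ts, age):
    """Map a snapshot to the bucket it competes in, chosen by its age.
    Assumed tier boundaries: 24h, 7d, 31d, 365d (not from the thread)."""
    if age < timedelta(hours=24):
        return ("hour", ts.strftime("%Y-%m-%d %H"))
    if age < timedelta(days=7):
        return ("day", ts.strftime("%Y-%m-%d"))
    if age < timedelta(days=31):
        return ("week", ts.strftime("%G-W%V"))      # ISO week
    if age < timedelta(days=365):
        return ("month", ts.strftime("%Y-%m"))
    return ("year", ts.strftime("%Y"))

def select_retained(snapshots, now):
    """Return {(tier, bucket): newest snapshot timestamp} for the
    snapshots to keep; everything else is eligible for pruning."""
    keep = {}
    for ts in snapshots:
        age = now - ts
        if age < timedelta(0):
            continue                # ignore clock-skewed "future" snapshots
        b = _bucket(ts, age)
        if b not in keep or ts > keep[b]:
            keep[b] = ts
    return keep

def count_by_tier(keep):
    """How many copies each tier holds; useful for sizing the backup volume."""
    counts = {}
    for (tier, _bucket_key) in keep:
        counts[tier] = counts.get(tier, 0) + 1
    return counts

if __name__ == "__main__":
    # Constructed input: one snapshot per hour for the last 400 days.
    now = datetime(2016, 2, 18, 12, 0)
    snaps = [now - i * HOUR for i in range(400 * 24)]
    kept = select_retained(snaps, now)
    print(count_by_tier(kept), "of", len(snaps), "snapshots retained")
```

      The host that stores the backups should be the one applying this policy, not the machine being protected; a pruner that the protected host can reach can also be reached by whatever encrypts it.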

    4. Re:Backups? by Chris+Mattern · · Score: 3, Informative

      A common strategy here is to encrypt to files, insert a transparent decryption layer, and then wait a few months before yanking the decryption. Backups are no good because they're encrypted too.

  7. The solution to ransomware... by davidwr · · Score: 3, Insightful

    ... is for someone to figure out an efficient way of tracing the full transaction history of any given "coin." Yes, I know that "in theory" it's do-able but it's just plain not feasible right now.

    Yes, I know BC "coins" as such don't have a history, but transactions do. If a coin is the "output" of a transaction then its "parent coins" are all the coins that went into the transaction, in proportion to each other. Yes, you can "launder money" but all that does is "spread the dirt around" resulting in "slightly dirty" BC that are considered only as fractionally valuable as their "clean" fraction.

    For example, if a ransomware victim, in cooperation with the police, pays 40BC to crooks, the crooks will of course launder the money immediately, probably several times over. As soon as the keys are recovered and there is no more danger of the crooks "getting revenge," the police issue a notice that all BC whose "transaction history" included this transaction are "tainted by the dirty transaction."

    At this point, reputable companies who trust that particular police authority will only accept "tainted money" based on the "clean" portion of its value. Those who happen to be stuck with the "dirty money" are pretty much out of luck, in much the same way that I am out of luck if a store clerk accepts a very good counterfeit $5 bill from a crook and then later innocently hands it to me in change that day.

    Yes, this setup has many flaws, but it's better than the status quo. Some obvious flaws include:
    * it's currently not feasible
    * there are many police authorities, and people trust them to different degrees, so the BC in your wallet may have a different value depending on who you want to do business with.
    * Whoever has coins "descended" from tainted coins at the time they are announced as tainted will be stuck with the loss
    * There is no built-in appeal for a police authority declaring a particular transaction "illegal" and declaring the coins received in that transaction "tainted". The only deterrent is that if a given police authority gets too sloppy or too abusive, fewer and fewer people will honor its declarations.
    * There are no doubt other flaws; these are just the ones that came to mind immediately.

    Of course, the real solution to ransomware is backups, backups, backups, but we all know that's not going to happen any time soon. Sigh.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
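    A toy model of the proportional taint propagation the post proposes, as an added example that is not the poster's code. It assumes transactions arrive in dependency order, that an output's taint is the value-weighted average of its inputs' taint, and that only the output actually paid to the crooks is marked fully tainted (the change output back to the victim inherits its inputs' taint); the transaction graph is constructed.

```python
from collections import namedtuple
from fractions import Fraction

# Coins are identified as "txid:index"; outputs map coin id -> value.
Tx = namedtuple("Tx", "txid inputs outputs")

def propagate_taint(txs, tainted_coins):
    """Return {coin_id: taint} where taint is the fraction of a coin's value
    descended from a flagged payment. Exact arithmetic via Fraction."""
    value, taint = {}, {}
    for tx in txs:                           # assumed topologically ordered
        if not tx.inputs:
            mixed = Fraction(0)              # fresh issuance: clean by definition
        else:
            total = sum(value[c] for c in tx.inputs)
            mixed = sum(value[c] * taint[c] for c in tx.inputs) / total
        for cid, v in tx.outputs.items():
            value[cid] = v
            # outputs named in the police notice are fully dirty
            taint[cid] = Fraction(1) if cid in tainted_coins else mixed
    return taint, value

def clean_value(cid, taint, value):
    """The portion of a coin a merchant honouring the notice would accept."""
    return value[cid] * (1 - taint[cid])

# Constructed chain: hospital pays 40 to crooks (R:0), crooks mix it
# with 160 clean coins (L), a downstream buyer mixes again (M).
CHAIN = [
    Tx("A", [], {"A:0": 100}),                        # hospital's clean coins
    Tx("C", [], {"C:0": 160}),                        # someone else's clean coins
    Tx("D", [], {"D:0": 100}),
    Tx("R", ["A:0"], {"R:0": 40, "R:1": 60}),         # ransom + change
    Tx("L", ["R:0", "C:0"], {"L:0": 100, "L:1": 100}),  # laundering mix
    Tx("M", ["L:0", "D:0"], {"M:0": 200}),
]
FLAGGED = {"R:0"}

if __name__ == "__main__":
    t, v = propagate_taint(CHAIN, FLAGGED)
    for cid in ("R:1", "L:0", "M:0"):
        print(cid, "taint", t[cid], "clean value", clean_value(cid, t, v))
```

    Each mixing step dilutes rather than removes the taint, which is the post's "spread the dirt around" point; it also shows the last flaw the post lists, since the holder of M:0 loses 10% of its value through no act of their own.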
  8. Re:That's expensive by Anonymous Coward · · Score: 2, Funny

    ef46a09784cd9fe65c547972f916eb2c

    Your post has just been encrypted with an unbreakable MD5 algorithm! Only I have the key!
    Pay me 1 million Dogecoins to get your post back! My address is DHrB6mgSAgwGiKw3YKn2VrN9PPq3bbHCFx

    Wow
    Such ransom
    Many encryptions
    Wow

  9. Re:I've said it before, and I'll say it again: by Kardos · · Score: 2