maxkabakov - Fotolia

US hospital claims to have fought off a ransomware attack

A hospital in Kentucky claims to have regained control of its IT systems five days after cyber criminals hit it with a ransomware attack

Methodist Hospital in Henderson, Kentucky, claims to have regained control of its IT systems without paying the cyber criminals who encrypted files and demanded ransom for their release.

The hospital is the second in a month to be forced to declare an “internal state of emergency” after being hit by so-called crypto ransomware attacks.

The Hollywood Presbyterian Medical Center shut down its computer network after a malware infection on 5 February 2016 encrypted some of its data, but decided to pay the $17,000 after failing to regain control after a week.

In both attacks, cyber criminals used the same ramsomware known as Locky, which arrives via email attachments and encrypts all the data on an infected systems and deletes the originals.

Security firm Zscaler says it has blocked around 75 unique and new payloads from this ransomware family in the past month alone.

Methodist Hospital claims to have resolved the problem after five days and has removed a banner from its website informing visitors that a “computer virus” was affecting web-based services, according to US reports.  

While the main system was locked, hospital officials said the hospital would depend on its backup system. Security advisors have repeatedly said that ensuring reliable backup processes is one of the best ways of defending against ransomware attacks. 

Read more about ransomware

  • Businesses are still getting caught by ransomware, despite the fact that there are fairly straightforward methods to avoid it.
  • Criminals use devices compromised for click fraud as the initial step in a chain of infections leading to ransomware attacks, warns security firm Damballa.
  • The first half of 2014 saw an increase in online attacks that lock up user data and hold it to ransom.
  • The Cryptolocker ransomware caught many enterprises off guard – but there is a defence strategy that works against it.

The value of defensive measures

The effectiveness of this approach was recently demonstrated by Canada’s Ottawa Hospital, which avoided disruption because the data on four computers locked up by cyber criminals was backed-up. 

"The malware locked down the files and the hospital responded by wiping the drives,” said Kate Eggins, a spokeswoman for the hospital.

ESET senior security researcher Stephen Cobb said the statement suggests the hospital had appropriate defensive measures in place to defeat ransomware, such as an efficient and well-tested backup and recovery process.

Imperva co-founder and CTO Amichai Shulman said the best way to address ransomware is by having a cloud backup system. However, he said that, while most enterprises keep a proper backup system, the operational hassle is substantial.

“By using proper file activity monitoring solutions, enterprises can quickly detect ransomware operating from end stations and quarantine those before they have a significant impact,” said Shulman.

Hackers' options for profit

Tripwire senior security research engineer Travis Smith said ransomware allows criminals to get money from their cyber crime efforts quicker than previous tactics allowed. 

“Previously, attackers could monetise via spamware or reselling data, but making any significant profit on spam required a large install base and was quickly eradicated by well-known security tools, while reselling data requires expertise in both selling data, fraudulent activities and/or the ability to sell on the black market,” he said.

With the rise of anonymous currency such as Bitcoin, said Travis, attackers can infect a machine and prey on the user’s emotional connection to their data. 

“Now, attackers can make hundreds to thousands of dollars per infection and get paid immediately, instead of going through other risky steps to make a profit,” he said.

For businesses, said Travis, paying the ransom is usually decided by comparing the price of the ransom with the cost of restoring data from backup.

“By having a streamlined backup process in place, the cost of restoring data will be reduced to a lower price point than the ransom,” he said.

The growing popularity of ransomware

Ransomware is one of the top international cyber threats, along with distributed denial of service (DDoS) attacks and bullet-proof hosting services, according to the UK National Crime Agency.

In 2013, the NCA’s National Cyber Crime Unit (NCCU) warned of a mass email-borne Cryptolocker ransomware campaign aimed at small and medium-sized enterprises (SMEs) and consumers.

Since then, ransomware has become increasingly popular with cyber criminals, with its use increasing by 58% in the second quarter of 2015, according to a threat report by Intel Security.

Research has shown that relatively low-cost ransomware attacks typically net thousands of pounds a week for attackers.

Read more on Hackers and cybercrime prevention