Three Alabama hospitals have paid a ransom to the criminals behind a crippling malware attack that forced them to turn away all but the most critical patients, the Tuscaloosa News reported.
As we reported last Tuesday, the ransomware shut down the hospitals' computer systems and prevented staff from following many routine procedures. Officials began transferring non-critical patients to nearby hospitals and warned that emergency patients may be relocated once they are stabilized. An update posted on Saturday said the diversion process remained in place. All three hospitals are part of the DCH Health System in Alabama.
Over the weekend, the Tuscaloosa News reported that DCH officials had made a payment to the people responsible for the ransomware attack. The report did not say how much was paid. A statement from DCH officials on Saturday said they had obtained a decryption key but did not say how they obtained it.
The statement reads in part:
In collaboration with law enforcement and independent IT security experts, we have begun the process of system restoration. We have been using our own DCH backup files to restore certain system components, and have obtained a decryption key from the vendor to restore access to locked systems.
We have successfully completed testing multiple servers, and are now working on a follow-up plan to decrypt, test, and bring our systems online one at a time. This will be a deliberate improvement that will prioritize the primary systems and services necessary for emergency care. DCH has thousands of computers in its network, so this process will take time.
We cannot provide a specific timeline at this time, but our teams continue to work around the clock to restore normal hospital operations, as we bring system components back online across medical centers. This will require a time-intensive process to complete, as we will continue testing and validating secure operations as we go.
DCH representatives did not respond to an email seeking details and comment for this post.
To pay or not to pay
Law enforcement officials and security experts generally discourage ransomware payments because paying encourages more attacks, and because there is no guarantee that the criminals will deliver a working key as promised. And even when the criminals do hand over a key, the malware can sometimes permanently destroy some of the encrypted data. According to an FAQ published by DCH, the strain of ransomware that hit the hospitals is known as Ryuk, which specializes in digging deep into infected networks to extract large payments.
“Ryuk is particularly nasty as the code has bugs that make it corrupt about one out of every eight files it encrypts,” Brett Callow, a spokesman with security firm Emsisoft, told Ars. “So there is almost always data loss in these cases even when the ransom is paid.”
Emsisoft provides free tools that it says can often recover data encrypted by ransomware. But even when those tools succeed against Ryuk, they cannot bring back the files that Ryuk's buggy encryption routine has already damaged.
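The corruption rate Callow describes has a practical consequence: a decryption key tells you nothing about which files came back intact, so you need a reference taken before the incident to compare the restored tree against. The following Python script is an added example, not code from the article, DCH, or Emsisoft. It builds a size-and-SHA-256 manifest of a file tree and, after a restore or decryption, classifies every file as intact, corrupted, missing, or extra (present on disk but absent from the manifest, such as a leftover encrypted blob). The file names, the `.locked` suffix, and the damage pattern in `demo()` are constructed for the demonstration and are not taken from the DCH incident.

```python
"""Verify a restored or decrypted file tree against a pre-incident hash manifest.

Added example, not part of the original article, DCH's restoration effort, or Emsisoft's tools.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large records never load fully into memory


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record size and SHA-256 for every regular file under root.

    Taken before an incident and stored where the ransomware cannot reach it
    (offline or append-only), this is the reference the restore is checked against.
    """
    return {
        p.relative_to(root).as_posix(): {"size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(root: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest.

    Returns lists of relative paths that are intact, corrupted (size or hash
    mismatch), missing, and extra (on disk but not in the manifest, e.g. leftover
    encrypted blobs or ransom notes).
    """
    result = {"intact": [], "corrupted": [], "missing": [], "extra": []}
    for rel, meta in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            # The size check is free and already catches truncation and padding damage;
            # the hash catches in-place corruption that preserves the length.
            result["corrupted"].append(rel)
        else:
            result["intact"].append(rel)
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest:
            result["extra"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario (not real data): eight records, a manifest taken before
    the incident, then a restore in which one file came back with trailing garbage,
    one was never decrypted, and its encrypted blob was left behind."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        records = root / "records"
        records.mkdir()
        for i in range(8):
            (records / f"patient{i}.txt").write_bytes(f"record {i}\n".encode() * 100)
        manifest_json = json.dumps(build_manifest(root))  # what you would ship off-network

        # Simulated damage from a buggy decryptor. The ".locked" suffix is a placeholder
        # chosen for this example, not the extension any particular ransomware uses.
        with (records / "patient3.txt").open("ab") as f:
            f.write(b"\x00" * 16)
        (records / "patient5.txt").unlink()
        (records / "patient5.txt.locked").write_bytes(b"\xde\xad\xbe\xef")

        return verify_restore(root, json.loads(manifest_json))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {len(paths):3d}  {paths}")
```

The manifest is only useful if it was generated before the attack and kept somewhere the intruders could not alter it; a manifest that lived on the same file servers is no more trustworthy than the files themselves. Run periodically against a test restore from backup, the same check doubles as the backup validation the article's closing paragraph calls for, and it will flag the silently damaged files long before a clinician opens one.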
The downside of refusing to pay is that organizations hit by ransomware often end up paying far more to rebuild their damaged networks themselves. Baltimore, for example, recently spent more than $18 million to restore its ransomware-stricken network. The criminals in that attack had demanded $70,000, but both city and FBI officials discouraged paying.
The rise of ransomware over the past five years underscores the importance of having a robust, well-tested backup system that IT staff can rely on in the event of a ransomware attack or any other major data-loss event. As it turns out, backup processes are often not as robust as they should be, and even when they are, restoring a network from backups alone can still be costly and time-consuming.