My thoughts on Hancock hospital paying the ransom

Today I read an article about Hancock Health hospital (US). They suffered a ransomware attack mid last week and decided to pay the ransom to get their data back.

By reading this article it became once again clear to me why ransomware attacks in the healthcare (and any other) sector are very successful and why this is not going to change soon.

The CEO says that it was a though decision, but from a business point of view it was the best option to pay the $55,000 ransom to unlock the more than 1400 infected files. They claim to have backups but it would cost a lot of time and money to recover the files (days, maybe even weeks).

Ok, so if we talk here about millions of files, I can imagine that it takes a lot of time to recover, but if it’s slightly more than 1400 files and you have good backups (that you have tested of course!) than it seems that the files could be recovered fairly quick.

Anyway, let’s assume it takes them several days or even weeks. I see why, from a business and operational point of view, it seems for the company the best option to pay the ransom. But there are many reasons why they shouldn’t have done it:

  • By paying the ransom companies give criminals an incentive to keep executing ransomware and other attacks. If no one would pay their business model would break.
  • If you pay, your company becomes a bigger target. Criminals also read the news and know that who pays the ransom, has some (severe) security issues.
  • Whilst in this case the infected files were decrypted, there are no guarantees when dealing with criminals.
  • When attackers are already inside a company’s network, they might have the possibility to encrypt the files again later or cause even more serious damage and most likely will ask a much higher ransom then.

What went wrong?

The reason that they ended up paying the ransom is because they felt like they didn’t have another choice. It tells me that they don’t have Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) at all or at least that it’s not accurate. If they did have an accurate plan (which implies you test and improve it regularly), they would have known exactly what to do in case of a ransomware attack to quickly recover files and guarantee continuity of operations. Paying the ransom shouldn’t be one of the scenario’s on the table.

Allegedly they had no way of detecting the network intrusion and the resulting ransomware infection early on (before the real damage was done). Again a BCP could have covered this. It is more than just corrective controls, it is also about preventive and detective controls to prevent this kind of disastrous events from happening in the first place. Keep in mind that disaster recovery is much more expensive than the cost of preventive and detective controls.

As it seems, they didn’t install necessary patches. They got infected by SamSam ransomware. In early 2016 already, the FBI and DHS released a warning about SamSam and how to protect against it:

Considering what the CEO said, another problem is that they didn’t protect authorized user accounts sufficiently. He doesn’t even seem to know that an account can be secured with additional layers of protection.

Did they learn the right lesson?

I honestly doubt they learned the right lessons when I read the article and especially some of the things the CEO said.

He is quite confident that medical drama’s due to hacking only happen in TV shows.

However he might be right here that the criminals are not going to ask $20 million, the guy doesn’t seem to have a clue about the real — yes also life threatening — risks the poor security of medial devices poses.

Hopefully the medical devices in his hospital are on another, separated network that wasn’t intruded by the attackers, because if not, any of the medical devices can be compromised at this very moment. And often this is not very difficult because the medical devices run on very outdated operating systems and software.

And this one:

Pretty damn sure they price it right, cause they know how poor the security and the resulting cost of recovery (if this is even possible) in a lot of hospitals is. Do I hear the CEO thinking: “it’s a lot cheaper to pay the ransom than to invest in security and the next time we’ll pay the ransom again”? Or am I stretching it a bit too far?

And then there is the fact that the CEO doesn’t know that account security can be strengthened by multi-factor authentication. Which simply means that even when an attacker has the username or password he needs at least one other factor to authenticate. For instance by using something like this:

You could say, he’s the CEO, it’s not a big deal that he doesn’t know about particular security mechanisms or features. But this are the people that need to approve the security budget and that’s why it’s utmost important they understand that there can and NEEDS to be done and invested a lot more to better secure systems. Combine this with his “it only happens in TV shows” attitude and you know it will be hard to convince him.

But let’s hope I’m totally wrong and this incident is an eye-opener for them. At least they started to make some improvements.

Conclusion

This hospital is far from a isolated case, a lot of (healthcare) companies find themselves in a position where the only choice left is to pay criminals to get back in business. Of course as a company you don’t want this to happen. But when it happens it’s important to draw the right lessons. What worries me most in this particular case is the unawareness of (the CEO of) the company about both security risks and possible mitigations. I think the key to improve security is by increasing awareness about the real security and opterational risks in (all levels of) the organization.

John Opdenakker

John Opdenakker

Blogger | #Infosec | #AppSec | Security awareness | Occasional Public Speaker | Cycling | Running | Enjoying life