Why an Indiana hospital chose to pay its ransomware attackers

When a ransomware attack hit Greenfield, Ind.-based Hancock Health Jan. 11, the hospital decided to pay the hackers to regain access to their files—which federal investigators have urged targets of these attacks not to do. Hancock president and CEO Steve Long, however, said it was the right decision because backup files had been compromised.

As Long explained in a blog post, the attackers were believed to be a “sophisticated criminal group” in Eastern Europe that used the login credentials of a IT hardware vendor for the hospital, not through the more common ransomware route of using phishing emails. They gained access to a server from its emergency backup facility to deliver malware known as “SamSam,” which encrypted the hospital’s data files.

“The attack on Hancock Health was not random, it was a pre-planned event that used the hacked login ID and password of an outside vendor to gain entrance into the system,” Long wrote. “The fact that this was a premeditated attack specifically targeted on a health care facility makes the attack indefensible in my estimation.”

As executives, attorneys, cybersecurity specialists and the Federal Bureau of Investigation (FBI) became involved early in the morning on Jan. 12, the source of the attack was discovered. Because the connection between the backup site and the hospital had been compromised, replacing the encrypted data with a backup wouldn’t have been easy, so the hospital decided to pay the attackers $55,000 in bitcoin to unlock the files.

Several days after coughing up the ransom, Long said the hospital learned backup files from systems other than health record themselves had been “purposefully and permanently corrupted by the hackers.” This means backing up the rest of its systems would’ve never been a possibility.

What followed, Long said, was an arduous weekend restoring the hospital’s computer systems and examining whether any patient data had been compromised. This included installing new software and hardware for additional threat detection, physically turning on the tens of thousands of computers in the hospital and then transferring 70 hours’ worth of paper records back into the restored system.

“Amazingly, all of this happened in less than four days,” Long wrote. “During that short time, babies were born at the hospital, surgeries were completed at the hospital, patients were treated in the emergency room and many were admitted to the hospital. X-rays were taken, CT and MRI scans recorded, and laboratory tests were accomplished at the hospital. Patients visited our physician clinics and wellness centers. Food was served in our cafeteria and rooms were cleaned. In short, life went on. We even had a winter storm, and still, life went on.”

While Hancock was able to get its files back, other facilities which decided to pay the ransom haven’t been so lucky. In 2016, Kansas Heart Hospital paid its ransomware attackers, who then refused to unlock the files without a second payment.

Paying the ransom may also encourage hackers to target more healthcare facilities or Hancock itself again, now it’s seen as willing to pay to regain its data.

“Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity,” said James Trainor, former assistant director for the FBI’s cyber division. “And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”