Hollywood Hospital Pays $17,000 Ransom to Recover Files

The Hollywood Presbyterian Medical Center in Los Angeles has decided to pay a ransom demanded by a piece of ransomware that infected the organization’s computers earlier this month.

The hospital discovered the malware on its systems on February 5, when staff experienced difficulty in accessing the network. An investigation revealed that a piece of ransomware had encrypted files on some devices, which led to a disruption of the organization’s IT systems.

Law enforcement was notified and experts were called in to assist Hollywood Presbyterian with tracking down the source of the attack and restoring systems.

Initial reports said the ransomware demanded the payment of 9,000 Bitcoins (roughly $3.4 million), but, as expected, the information turned out to be inaccurate. Allen Stefanek, president and CEO of Hollywood Presbyterian, clarified on Wednesday that the cybercrooks demanded 40 Bitcoins, or roughly $17,000, which the hospital paid.

“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this,” Stefanek said.

“HPMC has restored its electronic medical record system (“EMR”) on Monday, February 15th. All clinical operations are utilizing the EMR system. All systems currently in use were cleared of the malware and thoroughly tested. We continue to work with our team of experts to understand more about this event,” he added.

Stefanek told NBC that this appeared to be a “random” attack, which raised questions about the reports that the attackers demanded 9,000 Bitcoins. In most ransomware attacks, cybercriminals demand hundreds of dollars’ worth of Bitcoin, although some variants demand larger amounts, and the ransom usually increases considerably if it is not paid within 48 hours.

Most security experts advise against paying the ransom, but it’s clear that there are people and organizations that feel they have no other choice. An analysis conducted by the Cyber Threat Alliance last year showed that a cybercrime ring managed to make more than $300 million using the CryptoWall ransomware.

“Ransomware has become a lucrative business for underground malware writers. They're attempting to infect end users through multiple methods of attack, such as phishing, drive-by download scams and server vulnerabilities. The quick ‘monetization’ of ransomware scams is the reason for this new vector being exploited so heavily,” Rahul Kashyap, EVP and Chief Security Architect at Bromium, told SecurityWeek. “It is imperative that users do not pay ransom. Paying ransom is equivalent to funding attackers to launch more attacks in the future.”

The BBC reported last month that the Lincolnshire County Council in the UK was hit by ransomware that demanded the payment of £1 million ($1.4 million) in return for the key needed to decrypt files. It later turned out that the ransom was just $500, which the council refused to pay.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.