When Ransomware Hits Healthcare: To Pay or Not to Pay?

A new report from theat intelligence firm Flashpoint highlights dark web discussion over targeting hospitals with ransomware – and demonstrates a surprising contrast in opinion. Not all criminals agree with the concept. The problem is it takes only one to disagree.

Following the successful ransom of the Hollywood Presbyterian Medical Center (HPMC) for $17,000, the subject was discussed extensively on the criminal forums. Flashpoint notes that many Eastern European cyber criminals reacted coldly. “One highly reputable member of a Russian cybercrime forum,” states the report, “expressed his frustration, writing: ‘From the bottom of my heart I sincerely wish that the mothers of all ransomware distributors end up in the hospital, and that the computer responsible for the resuscitation machine gets infected with it [the malware].’”

Another said, “Dirt bags, the move is completely unethical. Do not touch hospitals!”

The Hollywood hospital attack marked a new development in ransomware. Before that time the preferred attack methodology had predominantly been large-scale infections via spam campaigns demanding anything between $250 and $500. This one had to be different. “The price is set prior to malware deployment and can generally not be altered once installed. In other words, extorting a hospital for such an astronomical sum suggests a purposeful and targeted attack against this specific victim.”

This was probably a natural extension of the growing practice of hacking healthcare and stealing patient information. It simply required one criminal to guess that taking control of all the data would be more profitable than simply exfiltrating patient data. While many criminals have denounced the attack, others are using it to promote their own ransomware. 

“Hacker holds Hollywood Hospital to ransom for $3.6 million in Bitcoin in Ransomware Cyber Attack,” wrote one hacker calling himself the BitcoinBlackmailer. “What if you was that hacker? I bet he was just a 16 years old kid in the right place at the right time. Just like you are now…”

The danger is that targeted attacks against specific companies across all industry sectors will now increase. “While certainly ransomware is applied indiscriminately across industries and individuals,” reports Flashpoint, “a shift in criminal business tactics recognizing that access to the data can be more valuable than the data itself exposes corporations more broadly to this type of threat.”

Official advice from law enforcement agencies is that ransoms should not be paid. There is growing evidence that payment doesn’t always result in release of the data. Nevertheless, law enforcement accepts that infected companies have to make their own judgment based on their own circumstances.

SecurityWeek knows of at least one CISO in the healthcare industry who refuses to rule out paying a ransom. Though saying he would personally not wish to pay the criminals, he suggests that his hands might be tied by legal requirements. His company provides services to others in the health industry, and all of the services have associated SLAs. Since security is a risk management process, he fears that legal costs for breaking the SLAs could dwarf the cost of the ransom – and risk management principles would require him to pay.