Ransomware Extortionists Land $17,000 in Bitcoin
A cyberattack targeting a Hollywood hospital laced with ransomware malware has been making rounds in mainstream news circles recently. In a separate incident, the Horry County school system in North Carolina was also struck by a ransomware cyberattack.
The cyberattack on Hollywood Presbyterian Medical Center lasted nearly a fortnight after beginning on 5 Feb, with hospital systems affected and staff declaring an ‘internal emergency’. On Wednesday, the hospital announced that it had relented and paid the ransom demanded by extortionists. $17,000 in bitcoins.
The attack began on the evening of February 5th, when hospital staff started noticing issues in their attempts to access the hospital’s computer network. The Hospital’s in-house IT department were able to determine that a malware attack was putting the blockade on access to the hospital’s computer network.
The authorities – the Los Angeles Police Department and the FBI – were quickly notified. Computer forensics experts were quickly summoned to try and fix the malware, to no avail.
Various parts of the hospital, including essential systems supporting lab work, the pharmacy and CT scans among other departments were fundamentally inoperable. Electronic communications between doctors and the hospital staff came to a standstill. As a result, hospital staff had to rely on telephones and fax machines, while new patient registrations were logged on paper.
Similarly, a ransomware cyberattack struck the Horry County school system in North Carolina last week. The malware was discovered last Monday, according to local news outlet WNCN . Up to 25 servers are still currently encrypted after recovery efforts and administrators of the school system have sanctioned the payment of ransom up to $8,500. The extortionists have demanded the ransom to be paid in Bitcoins.
Ruing Ransomware
The malware deployed was a variant of ransomware which typically targets Windows machines. Ransomware has been around for more than a decade, annoying victims by locking down their keyboards and computer peripherals, even the entire computer. These days, malware authors are sophisticated in their means to infect machines by encrypting a targeted system’s files, using the ransomware malware.
Once encrypted, the decrypted key is promised to the targeted victim who is in a spot if a proper backup scheduling habit isn’t in place. The decrypted key, is eventually given to the victim, after a ransom is paid.
Ransomware is typically spread through phishing campaigns and malicious emails targeting computers in a network. Once triggered, the malware can spread rapidly to other computers on the same network.
A recent report put together by prominent security firms including Symantec, Intel Security and Palo Alto Networks revealed the lucrative haul behind a successful ransomware campaign. The most prominent ransomware of them all – Cryptowall is said to have infected millions of computers around the world, extorting hundreds of thousands of victims along the way.
Leading up to October in 2015, estimates peg extortionists raking in an estimated $325 million in bitcoin from victims around the world, in a ten month period.
Interesting footnotes from the report include:
- BTC taken from victims was taken in by a large network of bitcoin wallets.
- Initial wallets were set up on the TOR network and advertised through ransom pay sites hosted on the network.
- The ransom pay websites were activated when a victim was caught. Upon discovery by law enforcement, the wallet would be replaced by another wallet rotated in and embedded onto websites that direct victims to pay up.
- When a ransom demand turns up, the developers would transfer the funds out of the initial wallet to break it into a 70/30 split between several second, third, fourth and fifth layers of bitcoin wallets before eventually funneling the amount to the final wallet.
Bitcoin Ransom: Cheaper than Cybersecurity
As it turns out, paying the ransom in exchange for the decryption key is cheaper and quicker than costs incurred for a comprehensive restoration of an infected computer network, by cybersecurity professionals.
In a memo [PDF], President and CEO of the hospital, Allen Stefanek stated:
The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.
He also disclosed the amount of ransom requested and paid was 40 bitcoins, equivalent to approx. $17,000.
Similarly, public information officer Teal Harding, representing Horry County Schools revealed:
The size of this system and the amount of overtime that’s having to be paid to the technicians working 20 hours a day way surpasses $8,500.
Although the ransom payments will set a dangerous precedent with the next ransomware attack an inevitability, just like their payment method of choosing with Bitcoin, the FBI’s general advice to ransomware victims is to pay the ransom .
Joseph Bonavolonta, assistant special agent at FBI’s CYBER and counterintelligence program explained:
The ransomware is that good. To be honest, we often advise people just to pay the ransom.
Whatever happened to data backups?
Featured image from Shutterstock.
