Ransomware, the name given to a form of online extortion, is becoming a bigger threat in the United States. Last week, MedStar Health, which operates 10 hospitals and more than 250 out-patient clinics, posted on its website that a virus had caused a shutdown of some systems at its hospitals in Baltimore. The Baltimore Sun later reported, citing two anonymous sources, that MedStar had become the latest victim of a ransomware attack.
MedStar comes on the heels of a string of other recent ransomware attacks on healthcare organizations. In February of this year, a ransomware attack hit the Hollywood Presbyterian Medical Center in California. Staff were forced to resort to paper record-keeping for a week and to divert patients to other hospitals, according to local reports. The hospital eventually paid the attackers $17,000 to regain access to its own data. Two other hospitals in Southern California were also reportedly hit with similar ransomware last month, as was a Kentucky hospital, which declared an "internal state of emergency" after the attack.
There are many ransomware variants floating around the web. Generally speaking, ransomware is malware that encrypts a victim’s data, preventing access, and then offers to unlock the system in exchange for payment, usually in Bitcoins. It can attack desktop computers, laptops, mobile phones, and core servers. Delivery methods vary and may involve social engineering schemes such as phishing e-mails or other tricks to get people to click on fraudulent links. If you are a victim of ransomware, in most cases a message reading something like this will appear on your screen: “This computer has been locked and will not be unlocked until payment in X amount is made by XX date.” The ransom note will often claim to be from the FBI, the police, or another type of law enforcement agency.
Ransomware is rampant because the payoff for hackers can be huge. Until recently, the business model had been high-volume, low-dollar crimes, with the average shakedown demand ranging from $100 to $5,000. The most lucrative attack to date is the CryptoLocker strain of ransomware, which infected up to 250,000 systems and demanded an average of $300 in ransom. While it is estimated that only 1.4% of the victims actually paid the ransom, the extortionists behind the CryptoLocker attack netted over $30 million in just six months.
Low individual costs have made it easy for businesses to decide to simply pay the ransom, but the Hollywood Presbyterian Medical Center attack illustrates that standard operating procedures have changed and the ante is going up. In that attack, the hackers demanded a $3.6 million ransom. After ten days of system downtime, the hospital surrendered and paid $17,000 to get its systems back up and running. While the amount paid is about 30 times as large as the prior average amount paid, the hospital likely viewed it as a bargain given the significant daily losses it was incurring while its services were disrupted.
Criminals have realized that the same ransomware that brings them many small-dollar paydays can also be used against larger organizations that can afford much larger payoffs. With the number of ransomware attacks predicted to increase in 2016, we can also expect to see an increase in more targeted attacks against organizations, accompanied by significantly larger demands. Higher demands make the decision about whether to pay up much more difficult. We will likely soon be reading about the repercussions suffered by victims who can't or refuse to pay.
With the increasing scope and severity of ransomware attacks, companies need to take measures to reduce the risks of an attack and have a response plan in place should they fall victim to one. If you have any questions about ransomware attacks or other information technology matters, please contact Janet Knaus at jknaus@wnj.com or 616.752.2150, Nate Steed at nsteed@wnj.com or 616.752.2723 or any other member of the Information Technology Transactions Group at Warner Norcross & Judd LLP.