Kansas Hospital Hit by Ransomware, Extorted Twice

Cyber-attacks affecting healthcare facilities continue unabated as another hospital, the Kansas Heart Hospital in Wichita, Kansas, just became the latest healthcare institution to fall to a ransomware attack.

Hospital president Dr. Greg Duick told local news station KWCH12 that the attack occurred on the evening of May 18 when one of its employees reported losing access to hospital files that were locked until a ransom was paid.

Duick said that “a small amount” was paid, but the hackers did not return ‘full access’ to the files and instead demanded a second ransom, which the hospital did not pay. “The policy of the Kansas Heart Hospital, in conjunction with our consultants, felt this was no longer a wise maneuver or strategy,” Durick added.

It was noted that ransomware attacks are becoming so frequent that many healthcare service providers, including Kansas Heart Hospital, took out insurance policies to help cover the costs of cyber extortion. Duick also cited that over 45% of hospitals have been hit by some form of cyber-attack.

[Read: Ransomware 101: What, how, and why]

Ransomware works by locking the infected system or the files stored in it, to prevent access until a ransom is paid. Typically, victims get infected through socially engineered phishing attacks that carry malicious attachments or email content instructing its recipients to click URLs that download the malware to the computer. Locky, the ransomware variant that caused the Methodist Hospital in Kentucky to operate under an “internal state of emergency,” used a weaponized Microsoft Office document sent as an email attachment. It also led the Hollywood Presbyterian Medical Center in California to pay 40 bitcoins (around $17,000) to decrypt the infected computers across their network.

Users can also get their machines infected through malvertisements if they visit a compromised website that serves advertisements hosting the malware. PerezHilton.com, a celebrity news portal with 500,000 daily site visitors, was affected by a malvertising campaign that injected poisoned ads hosting the CryptXXX ransomware. CBS also exposed visitors to the same malware when it was identified that the websites of two of its affiliated TV stations were serving malicious ads containing an Angler exploit kit that downloads the ransomware.

Ransomware can also infect systems by exploiting vulnerabilities in applications and getting remote shell access to the server. The systems of Maryland-based MedStar Health was infected this way, causing the facility to to turn away patients and shut down its computers and email servers after being hit with SAMSAM ransomware.

[Read: What makes the Healthcare industry an ideal target?]

Healthcare facilities are seen as ideal targets for this type of extortion scheme because they rely on up-to-date information in order to provide critical care. Hospitals are presumed more likely to pay the ransom rather than risk a disruption of services and operations. In the case of the Kentucky hospital, it had to turn its computers back online one by one and temporarily processed everything on paper. Hollywood Presbyterian’s emergency medicine department was crippled to the point that it forced them to transfer patients to other hospitals.

This latest incident, however, perfectly illustrates the risk and incurred damage when deciding to pay a ransom. The FBI, seeing the alarming increase of cases involving ransomware, has issued an advisory for users and business not to pay the ransom.  FBI’s Cyber Division Assistant Director James Trainor cautioned, “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

Duick did not disclose the ransom amount paid and the ransomware variant involved due to the ongoing investigation, adding that the hospital’s IT team and security experts are working to restore the rest of the sytems. Duick also assured that the attack did not compromise patient care, saying, “patient information never was jeopardized and we took measures to make sure it wouldn't be.”


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.