
L.A. Hospital Pays Off Ransomware Thieves To Reclaim Its Network

Los Angeles' Presbyterian Medical Center, the target of a successful ransomware attack (successful from the thieves' point of view, that is) has buckled under: to regain control of its network, the hospital has paid a 40-bitcoin ransom (about $17,000) to the gang responsible. That, at least, is a far cry from the much higher ransom widely reported to have been initially demanded: 9,000 bitcoin. (That would have meant a payment of $3.6-3.9 million.)
  • Preeeecious (Score:4, Insightful)

    by Tablizer ( 95088 ) on Thursday February 18, 2016 @12:38AM (#51532557) Journal

    They fed the trolls.

  • Cheaper to pay than to fix it themselves. Yes?

    • Re:At that price... (Score:4, Informative)

      by Harlequin80 ( 1671040 ) on Thursday February 18, 2016 @12:50AM (#51532589)

      By an absolute mile. At $17,000 you would just pay it straight away. They would have lost far more as a result of the systems being offline, and assuming the ransomware had got itself all through their systems it would have been orders of magnitude more to clean the system if it was even possible.

      • by Jeremi ( 14640 ) on Thursday February 18, 2016 @01:10AM (#51532651) Homepage

        Of course, this does assume that the ransomers won't come back and ask for more money next week.

      • Re:At that price... (Score:5, Informative)

        by MtHuurne ( 602934 ) on Thursday February 18, 2016 @01:10AM (#51532653) Homepage

        It's a short-sighted solution though. Their systems are still vulnerable, probably even still infected. And they validated the business model of the attackers, so more attacks will be coming.

        Also, while the CEO insists that hospital records were not compromised, I'm reading that as "the attackers weren't interested in hospital records", not "the hospital records were safe".

        • by Harlequin80 ( 1671040 ) on Thursday February 18, 2016 @01:26AM (#51532713)

          Short sighted from an industry view, probably not from the hospitals view. You would hope they have air gapped their network from the internet at this stage while they reappraise their security and plug holes. From my understanding the ransomware attackers don't normally attack the same target twice as you are less likely to pay up if you think it will happen again. So this should protect them from the current infection.

          It also wouldn't surprise me if patient records were untouched. Those are probably behind higher levels of security than the rest of the network. What I suspect happened is they lost a way of accessing them because all their other systems went down.

          • It also wouldn't surprise me if patient records were untouched. Those are probably behind higher levels of security than the rest of the network. What I suspect happened is they lost a way of accessing them because all their other systems went down.

            If they were accessing the patient records from compromised systems, then the patient records were not safe, even if the records server itself wasn't infected.

            • Not necessarily at all. If you access the patient records via a citrix system for example there would be no reason to believe the patient records were compromised just because the host machine was. This can also be extended to applications that communicate with a database server. There is nothing that prevents that being encrypted every step of the way.

              The only way would be via screenshots and your data rate would be terrible.

              • If such a remote desktop is authenticated via password, a key logger on the compromised machine could capture it. That combined with the records system being accessible from the compromised network means the attackers could start their own remote desktop session to the records system.

                • NO WAY! You mean that if I compromise a system with access to ANOTHER system, that I can compromise the second system?!?!?

                  That's fucking magic! ...Or so i am led to believe...

                • Yeah, I would imagine that expiring all passwords would be the standard action here.
              • And given that it's ransomware it doesn't have to include a back door component. It might even be smarter not to include a back door as it gives fewer traces back to the exploiter for the authorities to follow.

                The software just has to get onto a machine, even if air-gapped, and encrypt files and then prompt the user to contact some address for the key to decrypt the files.

                So even if the patient data isn't encrypted it is quite possible that no data left the hospital network.

            • by KGIII ( 973947 )

              It's true that that's a good assumption to make but there's no real way to know if they had anything with a greater complexity than simply encrypting via remote. I've actually seen/read some of the malware that is out there - it was actually up on GitHub and at PasteBin. I can't actually say, for certain, what it was but it is pretty simple. It's not nearly as complicated as one might think - and it doesn't actually do anything more then just encrypt.

              Basically, the two samples that I've seen did this:

              Get at

          • Not likely the internet is used for insurance verification, patient record requests, remote data access for physicians at their offices and billing. There's certainly a bunch of other things that aren't on the top of my head.

          • by edis ( 266347 )

            And there are only those attackers, naturally. No others will be informed where to find those, who are willing to pay, and what to do for that.
            So, they just integrated terrorism into their business as usual. What perspectives this does actually open?

          • From my understanding the ransomware attackers don't normally attack the same target twice as you are less likely to pay up if you think it will happen again. So this should protect them from the current infection

            The same ones may not come back but I can guarantee their competition has recognized an easy mark. Expect bible salesmen any minute!

      • by Anonymous Coward

        $17,000 isn't that what the average US hospital charges for a roll of toilet paper?

        • by Maritz ( 1829006 )
          That's the per-sheet rate. Can't believe you thought you'd get a whole roll just for that. The very idea, LOL !!!
          • by Salgak1 ( 20136 )
            You forgot to roll in the per-sheet delivery, handling, installation, and disposal fees. Plus environmental fees for hazardous biowaste disposal. That would get us back to the original US$9 million. . .
    • Unfortunately, it is cheaper. It's not just the cost, the medical staff can't do much to admit or treat patients without the electronic medical record system. They have patients waiting for surgery, procedures, med orders, etc.

      It's also unfortunate because it creates a precedent. It's a no-win situation for that hospital.

  • by xxxJonBoyxxx ( 565205 ) on Thursday February 18, 2016 @12:42AM (#51532567)

    >> the hospital has paid a 40-bitcoin ransom (about $17,000)

    That's about 340 tablets of hospital aspirin or 680 hospital bandaids for those counting at home.

    • by Rinikusu ( 28164 ) on Thursday February 18, 2016 @12:49AM (#51532585)

      17 of those Shkreli specials.

    • by ZipK ( 1051658 )

      That's about 340 tablets of hospital aspirin or 680 hospital bandaids for those counting at home.

      At the negotiated Medicare discount price.

      • by mwvdlee ( 775178 )

        Never to worry; when Trump the Magnificent Negotiator comes to power, he'll negotiate those prices down to no medicare system at all.
        He'll build a wall around hospitals and let poor people pay for it.

    • Or in Canada, assuming a $17K USD value of 23217.75 Canadian Dollars and a retail price of $12.99 for 200 tablets of regular strength Aspirin (without taxes), that's about 1787 boxes x 200 tablets = 357400 tablets.

      • Or in the UK, assuming $17K USD is £11,873.30 (conversion) - that's 400,545 tablets at retail prices in our local supermarket.

      • It takes a special talent to miss the point so completely.

        While it is true you can buy aspirin over the counter for a fraction of a penny per pill, that is not the same price you will be billed if you are hospitalized in the US and a nurse gives you the exact same aspirin. OP suggested, perhaps tongue-in-cheek, a price of $50 USD per pill. That's only about twice as much as reported here.

        In L.A. I would not be surprised if they charge $50 per aspirin.

        • Not my fault if you live in a you're-poor-so-you're-going-to-die country.

          In real countries, health care is free and everyone is billed a small amount.

        • by nbauman ( 624611 )

          It's one thing to go into CVS and take a bottle of aspirin off a shelf next to all the other OTC remedies.

          It's something else again to go into a hospital pharmacy and take a bottle of aspirin off a shelf next to a lot of drugs that could kill you.

          At my own hospital, in 2013 we gave a teenager a 39-fold overdose of a common antibiotic. The initial glitch was innocent enough: A doctor failed to recognize that a screen was set on "milligrams per kilogram" rather th

    • the hospital has paid a 40-bitcoin ransom (about $17,000)

      That's about 340 tablets of hospital aspirin or 680 hospital bandaids for those counting at home.

      What you're saying seems to imply a really interesting price structure: 340 Aspirin tablets for $17000? Or are we talking about a seriously hefty kind of portable computing device called 'Aspirin'?

    • That's about 340 tablets of hospital aspirin or 680 hospital bandaids for those counting at home.

      Can you convert that to Danegeld?

  • by JoeMerchant ( 803320 ) on Thursday February 18, 2016 @12:49AM (#51532587)

    And, can the FBI monitor the blockchain to get IP addresses where these coins were accessed from when the hospital handed them over?

    • by Time_Ngler ( 564671 ) on Thursday February 18, 2016 @12:58AM (#51532613)
      Only if they can get the courts to force a silicon valley company to do it for them
    • The perps are most likely under the personal protection of Putin. Good luck extraditing them.

    • Bitcoin doesn't work like that. Maybe if you had an omnipotent view of the whole internet to see where a transaction actually originated from. But even then it's trivial to just use Tor.

      • With the omnipotent view, Tor doesn't work either - and there are few enough Tor nodes that it would not be surprising for most of them to be monitored and recorded.

        The Bitcoin blockchain is inherently public knowledge - key component of how the system works. If you want to do a transaction, you have to interact with the blockchain - infact, if you want to "act normal and blend in" you advertise your proposed transaction publicly. The coins paid as ransom are known to the persons who gave them away... onl

    • That's not how anything related to bitcoin works.

  • Now What? (Score:4, Funny)

    by Irate Engineer ( 2814313 ) on Thursday February 18, 2016 @12:52AM (#51532595)

    I'm sure that they are going to take the $3.6 million that they didn't have to pay during this episode and devote that to upgrading and securing their systems to prevent the possibility of future attacks like this. That would be the smart thing to do.


    • Re:Now What? (Score:4, Insightful)

      by aaarrrgggh ( 9205 ) on Thursday February 18, 2016 @01:07AM (#51532641)

      Unfortunately, that is only $8k per bed, or likely around $800/employee. Hell, it is really only two FTEs for the next 5 years...

      A grossly flawed system is much more expensive to fix than that. Maybe they could afford a backup system that is resistant to bitlocker though...

    • Re:Now What? (Score:5, Informative)

      by Shadow99_1 ( 86250 ) on Thursday February 18, 2016 @01:09AM (#51532647)

      lol, I've seen some major hospitals that have 2 entire IT people on staff (an admin and an assistant)... I applied for a network admin position at a hospital with 2 IT employees (though I didn't know that until the interview) for 400 employees and well over 300 connected systems (from tablets doctor's used, to connected hardware, routers, and servers of various types, as well as dedicated workstations for nurses). They also used highly specialized systems that were extremely complex. Oh and did I mention satellite officers for doctor's that are part of their network, but not onsite? Yeah... Huge mess there.

      Because obviously all this tech in a modern hospital can just work on its own. No one ever wants to keep enough IT staff on hand to deal with regular maintenance because that would take away from executive bonuses. Hospitals are not any different, even as they are required to push further into the digital realm. This is the direct result. Oh and they don't even usually pay that well. Heck I think half the interviews I've had with companies lately are just to 'prove' a native worker wasn't 'qualified' to do the job even though my resume is solid. Good luck to the sucker from India getting those jobs.

      • What Shadow99_1 says is on the mark. Plus note that the medical field almost always uses Windows and I don't have to tell people here the security "fun" that decision leads to. The medical field in general doesn't understand much about IT and I get the impression that the very few IT providers there do a pretty crappy job in general with their Windows-centric solutions. The idea that this hospital would now do serious work to tighten up their security is just laughable. I'm 99% sure that going forward t
        • by ai4px ( 1244212 )
          I work in a major paper manufacturer. We had a small UNIX box that translated between two machines speaking different protocols for process control. The box was obsolete, so they hired a vendor to replace it. The vendor installed Linux on a modern PC and moved the code over. The corporate IT department's policy was that all boxes on the network must be windows and run A/V. So the vendor installed CYGWIN on top of windows. Several months later, Norton AV did an update and suddenly began a scan at 6am o
    • Haven't you watched Mr. Robot? Next one will be a prison.
    • All they needed was a proper backup and they could've just restored all the encrypted files without paying a cent.
  • Backups? (Score:5, Informative)

    by Anonymous Coward on Thursday February 18, 2016 @01:02AM (#51532625)

    Good god, doesn't anyone keep backups anymore?

    • Re:Backups? (Score:4, Interesting)

      by gavron ( 1300111 ) on Thursday February 18, 2016 @01:07AM (#51532643)

      Yes. I have backups. You have backups. You're modded down to 0 for a perfectly reasonable question.
      I'm sure I'll soon join you.

      Meanwhile the dipshits that run public hospitals DON'T have a usable backup strategy, pay trolls ransom,
      and the new slashdot posts it as if it's big news.

      Big news would be if someone actually had a backup and DIDN'T pay the ransom... or if they got LEOs
      to actually FIND the bad guys. Paying ransom... heck, even the LEOs pay ransom.


      • Ironically, people keeping backups are the most safety-aware people, so the ones less likely to need them for cases like this.
        • by edis ( 266347 )

          There is no simplified mapping between my awareness and danger-exposed user end. We had recently ransomware visit, too. Hi, Russia!
          One should not feed terrorist at any cost.

          • I think the mapping is more evident at the lower end of the user's spectrum, like people not keeping their systems up-to-date, not telling a ".pdf" from a ".pdf.exe", installing that "download manager" from that cool streaming site, etc, etc
            • by edis ( 266347 )

              You see, everyone is using computers nowadays. Everyone. Which means, that you are actually dealing with the whole spectrum of users, that's given. As an IT administrator, I am given that given, too. Of course, there are some users that are not able to handle one challenge or another, or nearly any sometimes.
              It's us, IT guys, who keep backups for those users (well, best of us do). There is no good mapping in that structure, if it is mature enough to be of structured kind.

      • by Max_W ( 812974 )
        If it was an insider job, then even backups would not help.

        IT guys sit in a small room in a cellar, but more and more it is them who actually run things.
      • Re:Backups? (Score:5, Interesting)

        by Solandri ( 704621 ) on Thursday February 18, 2016 @04:31AM (#51533171)
        A friend of mine runs a multi-million dollar construction supply company and her work computer got hit with a ransomware virus. As she is manager/accountant, it was pretty serious. Fortunately she had a competent IT staff which regularly backed up her system. So they just pulled her computer offline (so it couldn't spread to other systems), and restored everything to a new computer (this is why companies like to buy a bunch of identical Dell systems). And she was back in business the next day.

        Except for one file which she had been working on the day the ransomware hit, and thus hadn't been backed up. As it turned out, the ransomware authors had programmed it to allow the victim to decrypt one file - to prove that it could in fact be decrypted, and hadn't just been deleted. So she of course chose that file to decrypt, and ended up with no data loss. The only loss was she couldn't work for a day.

        That's why you never hear stories of competent IT saving the day. When they do, it's a non-event about as serious as someone calling in sick for a day. It's only when they fail that the problem becomes serious enough to be news-worthy.
        • by edis ( 266347 )

          Not quite so, you oversimplify on your modest experience. Backup storage has limits. Information tends to ever grow. I intentionally skip large multimedia files, like collection of pictures from company parties, for example, from backing - to have vital things on backup media. Thus, when ransomware hits, and you have network share content completely encrypted, you still have stuff to sort, and keep all the share users at bay, until situation is investigated and put back under (some) control. While people r

          • Anyone who has over 1GB of "valuable business information" is either archiving video, or doing it wrong. The age old strategy of hourly backups for 24 hours, daily backups for a week, weekly backups for a month, monthly backups for a year, and annual backups beyond 12 months only requires 45x the storage space of the original, and backups can be compressed.

            A $99 2TB drive should be able to easily store 25GB of valuable data, backed up hourly - for all the hours that matter to anyone.
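            The tiered rotation described in the comment above (hourly for a day, daily for a week, weekly for a month, monthly for a year, yearly beyond that), written out as a pruning rule. This is an added example, not code from the thread; it assumes one backup per run, that the newest backup in each bucket is the one kept, and that "week" means ISO week.

```python
from datetime import datetime, timedelta

# Retention tiers in the order the comment lists them: (how far back the tier
# reaches, function mapping a timestamp to its bucket). Within a tier the newest
# backup in each bucket is kept; the last tier has no cutoff.
TIERS = [
    (timedelta(hours=24), lambda t: t.strftime("%Y-%m-%d %H")),        # hourly for a day
    (timedelta(days=7), lambda t: t.strftime("%Y-%m-%d")),             # daily for a week
    (timedelta(weeks=4), lambda t: "%d-W%02d" % t.isocalendar()[:2]),  # weekly for a month
    (timedelta(days=365), lambda t: t.strftime("%Y-%m")),              # monthly for a year
    (None, lambda t: t.strftime("%Y")),                                # yearly, never expires
]

def prune_gfs(backups, now):
    """Return the set of backup timestamps to keep; everything else may be deleted.

    A backup survives if it is the newest one in its bucket for at least one
    tier whose window still covers it, so a snapshot taken at 23:00 two days
    ago outlives the hourly tier by becoming that day's daily backup.
    """
    keep = set()
    for window, bucket in TIERS:
        newest = {}
        for t in backups:
            # Skip timestamps from the future (clock skew) and outside the tier's window.
            if t > now or (window is not None and now - t > window):
                continue
            k = bucket(t)
            if k not in newest or t > newest[k]:
                newest[k] = t
        keep.update(newest.values())
    return keep

def demo():
    """Constructed backup catalogue; returns (total backups, backups kept)."""
    now = datetime(2016, 2, 18, 12, 0)
    backups = [now - timedelta(hours=h) for h in range(48)]                 # two days of hourly runs
    backups += [datetime(2016, 2, 8, 3, 0), datetime(2016, 2, 8, 20, 0)]    # an older day with two runs
    backups.append(datetime(2013, 2, 18, 12, 0))                            # an old annual snapshot
    kept = prune_gfs(backups, now)
    return len(backups), len(kept)

if __name__ == "__main__":
    total, kept = demo()
    print(f"{kept} of {total} backups retained")
```

Applied to the constructed catalogue, 28 of 51 snapshots survive: the last 25 hourly runs, the newest run from the previous day, the newest of the two runs ten days earlier (as that week's backup), and the 2013 snapshot.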

            • by edis ( 266347 )

              When you have reality client with the mission on profit, who does not want to spend on new backup equipment before seeing old one definitely die, does not want to spend on outsourced services beyond the utmost necessity, but naturally has ever growing set of files - you have reality looking into your face for some reasonable choices. Then you do the best, you can, but it is not dream come true.

              • Clients who waste breath about whether or not $99 is "worthwhile" to spend to safeguard their data deserve what they lose.

        • by Anonymous Coward

          (this is why companies like to buy a bunch of identical Dell systems)

          I used to work for a small company of around 100 people, mostly engineers. IT would buy every single person a laptop (90 % of them were identical) with a 3-4 year warranty. Those warranties are like $800 and the computers are like $3000 tops. When an engineer had a hardware problem, they would be without their computer for like a week minimum (usually, they would get some ancient loaner, and it could be a few days labor to even update a computer to work with all the different systems anyway).

          Why they didn't

        • And in case anyone is wondering, no she didn't get the ransomware by clicking on some random email attachment. One of the sales staff got it first, and the ransomware spread itself by using his email to spam people in his address book. She thought she was opening a report sent by one of her salesmen. The employee was honest enough to tell IT about it soon after he realized what was happening, and they got the word out to everyone not to open any email attachments. They managed to stop it at only four co
      • Here's the key:

        usable backup strategy

        I'd be willing to bet they _thought_ they had one and just got shown how inadequate it is. Of course, patient care was not compromised - that would make them (relatively more) vulnerable to lawsuit from all the bad outcomes that happened during the service outage...

      • Re:Backups? (Score:4, Informative)

        by Chris Mattern ( 191822 ) on Thursday February 18, 2016 @11:10AM (#51534539)

        A common strategy here is to encrypt the files, insert a transparent decryption layer, and then wait a few months before yanking the decryption. Backups are no good because they're encrypted too.
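        The defence against the silently-encrypted-backup scenario above is a restore test run on a clean, isolated host, checking that what comes back is usable plaintext rather than trusting that the job "succeeded". This added example (not from the thread) sketches that check: known formats are verified by their file signature, everything else by byte entropy; the restored sample, the MAGIC table and the 7.5 bits/byte threshold are assumptions.

```python
import math
import random
from collections import Counter

# Signatures of the formats this backup set is expected to contain. A file whose
# extension says PDF but whose bytes no longer start with "%PDF-" was rewritten
# by something sitting between the application and the backup agent.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gz": b"\x1f\x8b",
}
ENTROPY_THRESHOLD = 7.5  # bits/byte; text and office data sit well below, ciphertext near 8

def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def expected_magic_present(name, data):
    """True/False when the extension has a known signature, None when it does not."""
    dot = name.rfind(".")
    sig = MAGIC.get(name[dot:].lower()) if dot >= 0 else None
    return None if sig is None else data.startswith(sig)

def classify(name, data):
    magic = expected_magic_present(name, data)
    if magic is not None:
        return "ok" if magic else "suspect"
    # Unknown format: fall back to entropy. Caveat: legitimately compressed or
    # encrypted formats must be listed in MAGIC, or they will be flagged here.
    return "suspect" if shannon_entropy(data) > ENTROPY_THRESHOLD else "ok"

def verify_backup_set(files):
    """Names of files in a restored sample that do not look like usable plaintext."""
    return sorted(name for name, data in files.items() if classify(name, data) == "suspect")

# Constructed restore sample: two intact files, two that contain only ciphertext,
# and a compressed archive that is high-entropy but legitimately so.
_rng = random.Random(1)
_ciphertext = bytes(_rng.getrandbits(8) for _ in range(8192))
SAMPLE_BACKUP = {
    "patients.csv": b"id,name,dob\n1,Jane Doe,1970-01-01\n" * 200,
    "scan.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
    "scan2.pdf": _ciphertext,
    "notes.txt": _ciphertext[:4096],
    "archive.gz": b"\x1f\x8b" + _ciphertext[:1024],
}

if __name__ == "__main__":
    print("suspect files:", verify_backup_set(SAMPLE_BACKUP))
```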

      • Yes. I have backups. You have backups. You're modded down to 0 for a perfectly reasonable question.

        Anonymous Cowards start at 0. There are no negative mods whatsoever on the grandparent post.

    • up to the minute backups? or nightly / weekly? how much data are we happy to lose here in a hospital? e.g. Mr Jones has had his chemo on Monday, but the db says he hasn't!
  • Just for shit and giggles I'd like to see someone ask a ransom of 1 million Dogecoins instead.

    • Re: (Score:2, Funny)

      by Anonymous Coward


      Your post has just been encrypted with an unbreakable MD5 algorithm! Only I have the key!
      Pay me 1 million Dogecoins to get your post back! My address is DHrB6mgSAgwGiKw3YKn2VrN9PPq3bbHCFx

      Such ransom
      Many encryptions

  • by davidwr ( 791652 ) on Thursday February 18, 2016 @02:02AM (#51532809) Homepage Journal

    ... is for someone to figure out an efficient way of tracing the full transaction history of any given "coin." Yes, I know that "in theory" it's do-able but it's just plain not feasible right now.

    Yes, I know BC "coins" as such don't have a history, but transactions do. If a coin is the "output" of a transaction then its "parent coins" are all the coins that went into the transaction, in proportion to each other. Yes, you can "launder money" but all that does is "spread the dirt around" resulting in "slightly dirty" BC that are considered only as fractionally valuable as their "clean" fraction.

    For example, if a ransomware victim, in cooperation with the police, pays 40BC to crooks, the crooks will of course launder the money immediately, probably several times over. As soon as the keys are recovered and there is no more danger of the crooks "getting revenge," the police issue a notice that all BC whose "transaction history" included this transaction are "tainted by the dirty transaction."

    At this point, reputable companies who trust that particular police authority will only accept "tainted money" based on the "clean" portion of its value. Those who happen to be stuck with the "dirty money" are pretty much out of luck, in much the same way that I am out of luck if a store clerk accepts a very good counterfeit $5 bill from a crook then later innocently hands it to me in change later that day.

    Yes, this setup has many flaws, but it's better than the status quo. Some obvious flaws include:
    * it's currently not feasible
    * there are many police authorities, and people trust them to different degrees, so the BC in your wallet may have a different value depending on who you want to do business with.
    * Whoever has coins "descended" from tainted coins at the time they are announced as tainted will be stuck with the loss
    * There is no built-in appeal for a police authority declaring a particular transaction "illegal" and declaring the coins received in that transaction "tainted". The only deterrent is that if a given police authority gets too sloppy or too abusive, fewer and fewer people will honor its declarations.
    * There are no doubt other flaws, this is just the ones that came to mind immediately.

    Of course, the real solution to ransomware is backups, backups, backups, but we all know that's not going to happen any time soon. Sigh.
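    The taint model described in this post, worked through on a small constructed transaction graph. This is an added example, not code from the post or from any Bitcoin implementation; it assumes transactions arrive in confirmation order, that a flagged transaction taints all of its outputs fully, and that every later transaction passes the value-weighted average taint of its inputs to all of its outputs.

```python
from fractions import Fraction

# Constructed transaction graph, in the order the transactions were confirmed.
# Each entry is (txid, inputs, output_amounts); an input names an earlier
# output as "txid:index". Transactions with no inputs are newly mined coins.
TRANSACTIONS = [
    ("cb1", [], [100]),                            # victim's coins
    ("cb2", [], [60]),                             # unrelated clean coins
    ("ransom", ["cb1:0"], [40, 60]),               # 40 to the crooks, 60 change
    ("launder", ["ransom:0", "cb2:0"], [50, 50]),  # crooks mix with clean coins
    ("cb3", [], [150]),
    ("mix2", ["launder:1", "cb3:0"], [200]),       # second round of mixing
]

def propagate_taint(transactions, flagged_txids):
    """Assign each output a taint fraction in [0, 1].

    Every output of a flagged transaction is fully tainted. Any later
    transaction passes on the value-weighted average taint of its inputs to
    all of its outputs, so mixing only spreads the dirt around: the tainted
    value is conserved, it just ends up in more wallets at a lower fraction.
    """
    taint, amount = {}, {}
    for txid, inputs, outputs in transactions:
        for i, amt in enumerate(outputs):
            amount[f"{txid}:{i}"] = Fraction(amt)
        if txid in flagged_txids:
            t = Fraction(1)
        elif not inputs:
            t = Fraction(0)  # freshly mined, no history
        else:
            total_in = sum(amount[o] for o in inputs)
            t = sum(amount[o] * taint[o] for o in inputs) / total_in
        for i in range(len(outputs)):
            taint[f"{txid}:{i}"] = t
    return taint, amount

def clean_value(output_id, taint, amount):
    """Value a merchant honouring the notice would credit for this output."""
    return amount[output_id] * (1 - taint[output_id])

if __name__ == "__main__":
    taint, amount = propagate_taint(TRANSACTIONS, {"ransom"})
    for out in sorted(taint):
        print(f"{out:10s} taint={float(taint[out]):.2f} clean={float(clean_value(out, taint, amount)):.1f}")
```

After the two mixes the 40 tainted coins are still accounted for (0.4 of launder's 100, then 0.1 of mix2's 200), which is the "slightly dirty" fraction the post describes.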

    • The basic problem with tracing bitcoin is that you get to make up your own version of the "government issued ID number" that most banks require, combined with the fact that - even though there are far fewer BTC exchanges than places to trade cash or cash equivalents, they are located in virtually every jurisdiction and non-extradition zone on the planet and inherently accessible within a fraction of a second from anywhere else on the planet.

      As you imply above, any legal crackdown on how BTC operates will re

  • The true business model of the Internet of Things.
  • Is it just me or has Slashdot been recovering news in a timely fashion lately?

  • What a bunch of selfish, moronic, incompetent, irresponsible assholes. It should be a federal law that is it completely illegal to pay any sort of ransom of this sort.
  • If you need your PHB to approve the funds for a project like this, point him to this article, and to: Harvard Business Review, Oct 2009, page 38.

    Then tell him that almost 7 years later, the CIO/CISO from the Hollywood hospital did not learn the lesson, and got egg on his face. Would you, my dear PHB, like the same? No? Then approve project and funds!!!!

  • I'm willing to bet that these were windows machines - and probably woefully out of date.

    I wonder just how many hospitals are still running windows XP or some other relic thinking it will save them money.

    Maybe the California Department of Health needs to start auditing hospital networks?

  • I hope they find these scum, take everything they own (it was involved in a felony), and gets each of them 20 years with no parole.

    They're almost on par with the scum who cracked Goodwill, and stole customers' card info....


  • $17,000 for a hospital? A school district in Myrtle Beach SC was hit up for $8,000. For organizations this size, it is a small amount of money. So I have to ask: Is this priced low to scare management into doing what IT has been asking for, or is it simply priced low so they'll just pay up?

    My gut tells me this is likely a white hat thing.
