True North Networks Blog
How cybercriminals hold data hostage... and why the best solution is often paying a ransom
Targets have included hospitals and municipalities, but the FBI says anyone on the internet should expect to be attacked by cybercriminals
This past week Cleveland's airport began to recover from a computer attack that took down its flight information, baggage displays, and its email. The FBI says it was another ransomware attack on a sensitive government network. Ransomware locks up a victim's files until a ransom is paid. More and more, critical public service networks are the targets. Before Cleveland, the city governments of Newark, Atlanta and Sarasota were hit, as were San Francisco's transit authority, the Colorado Department of Transportation and the Port of San Diego. Today, 26 percent of cities and counties say they fend off an attack on their networks every hour. Perhaps even worse, dozens of hospitals have been held hostage across the country.
In January 2018, the night shift at Hancock Regional Hospital watched its computers crash with deepest apologies. The 100-bed facility in the suburbs of Indianapolis got its CEO, Steve Long, out of bed.
Steve Long: We had never been through this before. And it's something that I read in the journals. And I say, "Oh, those poor folks. I'm glad that's never going to happen to us." But when you come in and you see that the files on your computer have been renamed and all of the files were renamed either "we apologize for files" or "we're sorry." And there was a moment when I thought, "Well, maybe they're not so bad. They said they were sorry." But, in fact, they had encrypted every file that we had on our computers and on the network.
Long told 911 to divert emergency patients to a hospital 20 miles away. His staff turned to pen and paper. Nothing electronic could be trusted.
Steve Long: This is a ransomware, so this is a virus that has gotten into the computer system. "Would it have the ability to jump to a piece of clinical equipment? Could it jump to an IV pump? Could it jump to a ventilator?" We needed a little time just to make sure about that.
But time was a luxury not offered in the ransom demand.
Steve Long: "Your network has been encrypted. If you would like to purchase the decryption keys, you have seven days to do so or your network files will be permanently deleted." And then it gave us the amount that we would need to pay to get that back.
Scott Pelley: And that came to?
Steve Long: About $55,000.
That was the same price demanded of the city of Leeds, Alabama, three weeks after Hancock Hospital. Mayor David Miller was surprised his town of 12,000 would be a target; not much to notice in Leeds, at least not since Charles Barkley graduated from the high school.
David Miller: I didn't know that this malware attack was actually a ransomware attack. As soon as we found that out, that took it to a little different level.
Scott Pelley: How do you mean?
David Miller: Well, it was going to cost us some money.
Like the hospital, the city of Leeds was cast back into the age of paper: no email, no access to its personnel files or financial systems.
Scott Pelley: Can all companies and local governments expect to be attacked?
Mike Christman: I think everyone should expect to be attacked.
The FBI's Mike Christman says cybercrooks know governments and hospitals are likely to pay because they can't afford not to. Until his recent promotion, Christman was in charge of the FBI's cybercrime unit.
Scott Pelley: You're waiting for the day that somebody says, "We have the 911 system held hostage in a major city and we need $10 million today"?
Mike Christman: I hope that day never comes, but I think we should prepare for that possibility.
Christman says in 2017, 1,700 successful ransomware attacks were reported but he figures that's less than half. Most businesses, he says, would rather pay than admit they were hacked.
Mike Christman: I'm aware of one ransomware variant that affected all 50 states that had some $30 million in losses, and over $6 million in ransom payments. I would tell you that the losses are very significant, and easily approach a hundred million dollars or more just in the United States.
That ransomware variant he's talking about is the one that held Hancock Hospital hostage. It's called "SamSam" after one of its file names. Experts told Steve Long "SamSam" is unbreakable.
Steve Long: There was nothing that we could do to unlock those files. Our only choice was to wipe the system and hope that we had backups or to purchase the decryption keys.
Scott Pelley: To pay the ransom.
Steve Long: Indeed. That is exactly what that means.