Last Updated Feb 20, 2016 10:24 AM EST
When Hollywood Presbyterian Medical Center revealed that it paid 40 bitcoins — roughly $17,000 — in ransom to hackers who essentially held the hospital’s computer system hostage, it marked a dangerous escalation in the high stakes surrounding ransomware.
Ransomware is exactly what it sounds like — malicious software used by hackers to block access to a computer system until a ransom is paid. It has become more common in recent years. The number of ransomware attacks increased from 100,000 in January 2013 to 600,000 by the end of that year, according to a 2014 report by antivirus software maker Symantec.
While the threat of ransomware isn’t exactly new, high-profile cases like this suggest the severity of an attack’s impact can be crushing, especially as hackers move from targeting individuals to bigger fish such as companies and major institutions like the hospital.
The hack itself is “a really simple three-step process,” explains Ryan Kalembar, senior vice president for cybersecurity strategy at Proofpoint. The hackers send what looks like a routine email, perhaps a bill or an invoice, with a file attached, often a Word document. “People click on that. They always click on it,” Kalembar told “CBS This Morning.” “And by clicking on that Word document, it pops up an ‘enable content’ yellow bar. And if you click on that, that is the final click and it is over. It begins to lock your files with a key that only the attackers and cyber criminals have.” At that point, the hackers send a demand for ransom.
“It started out with just individuals, like it would go after your hard drive or family pictures, and the warning would be, ‘These will be lost forever unless you pay me,'” Peter Tran, GM and senior director at the network security company RSA, told CBS News. “However, now the hackers’ demand to use bitcoin, this virtual currency that is unregulated and relatively untraceable — well, you look at it and you think, ‘It’s about time they started doing this.’ We’ve moved beyond leaving a suitcase of money dropped onto a park bench and moving into more sophisticated means of taking people’s information hostage and asking for money.”
One of the dangers that comes from hacking into a medical facility like Hollywood Presbyterian is that health data — everything from patient records to information that a surgeon may need in an operating room — is suddenly locked up, unable to be accessed until the money is transferred to the hacker, who then provides a digital key to decrypt it.
The personal danger to patients is obvious, and Tran stressed that this most recent attack specifically signifies that hackers have now “upped the ante” on ransomware’s magnitude.
“Medical devices now use data that traverses over the private cloud. In health care, now it’s all about how my medical device is going to transmit data from my provider to me, telling me how I’m doing, monitoring my health. It can be used in early prevention to tell me how my body is doing. Now, imagine if that information was held or locked up in ransomware, think of the disruption to health care systems,” Tran said.
Staff at Hollywood Presbyterian first noticed the disruption to their computer system on Feb. 5, the hospital’s CEO Allen Stefanek said. The problem was resolved and the computer system was fully functioning again 10 days later.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this,” Stefanek said in a statement.
“It was the easy choice. I wouldn’t say it was the right choice,” Kalembar said. “When you do pay this ransom, you’re funneling money potentially to organized crime. We’ve seen even terror groups finance their organizations by using operations like cyber crime and ransomware.”
“If they decided to pay the ransom, it probably means that they didn’t have very good backups, they weren’t able to recover the data, and that the data would have been lost if they didn’t pay the ransom,” Dave Kennedy, CEO of the information security firm TrustedSec, told CBS News.
According to a source familiar with the investigation, the hospital paid the ransom before contacting law enforcement, CBS News correspondent Carter Evans reported.
What kind of precedent does this set?
“It’s kind of like the hackers were saying, ‘OK, you guys are on the alert, you felt the burn, now you won’t know when it really hits,'” Tran said. “Something like this could hit the transportation system or the border control system, just imagine.”
Cybersecurity experts believe the first known ransomware incident dates back to 1989, and like this most recent hack, involved people’s health information. Online magazine Medium reports on the early case of how 20,000 software disks that were labeled as AIDS education software were distributed to 90 countries in December 1989. The software –which would be given the moniker “AIDS Trojan” — asked respondents to fill out the survey to determine how at-risk they were of contracting AIDS, and then once they rebooted their computers, they would find all of their files to be encrypted.
Straight out of a spy movie, the ransom came in the form of a note — users were told to turn on their printer, which shot out a demand for $189 to be sent to a P.O. box in Panama. Once the money was paid, the user would receive decryption software to retrieve their data.
Though today’s hackers may demand bitcoins rather than money via snail mail, the basic method of this kind of hack has stayed the same.
So, what can institutions do to safeguard against these kinds of attacks?
“Well, users will have to up the ante, as well, on the type of authentication systems they use to allow anyone to use their systems,” Tran stressed. “We are moving more towards risk-based profile authentication, layering authentication — not just multi-factor authentication.”
Such systems may flag when someone unknown is trying to access data — more secure profile authentication is not going to allow someone to enter an area of the network that they wouldn’t normally be able to access.
“They’ll say, ‘Why is he accessing the network in the U.K. when he’s based in New York? Something doesn’t make sense,'” Tran explained.
It can sometimes sound farcical to think of data — a series of numbers strung together — being held hostage. But the risk is real, and victims may feel like they have little option but to give in.
“With a person being held hostage, normally the negotiators are going to say ‘Don’t pay the ransom, don’t ever pay, wait for what they want and wear them down,'” Tran said. “With this kind of hack, you don’t have that kind of time. The complete footprint of your entire life is being held for ransom. All of your information.”