Hospital Had Backups – Paid Ransom Anyway

On January 11th, Hancock Regional Hospital in Indiana discovered that their computers had been infected with SamSam ransomware, a malware variant which has existed since early 2016. The hospital decided to pay the four Bitcoin ransom, worth around $55,000 USD at the time, in order to get their files decrypted.

I know what you must be thinking. “Here’s another institution which couldn’t recover from a cyberattack properly because they didn’t bother to keep backups!” No, they had backups.

What Happened?

Hancock Regional Hospital is the anchor of the Hancock Health network, with several facilities in the area east of Indianapolis. The Regional Hospital itself is in Greenfield, Indiana.

When hospital workers discovered the SamSam attack on January 11th, they engaged their incident response and crisis management plan and got their legal team and an outside cybersecurity firm involved. They also contacted the FBI’s cybercrime task force.

They had full backups of all of the data that SamSam encrypted.

Hancock Regional Hospital not only initiated effective incident response, they were properly prepared for such an event. They were also candid with the public in their press releases. From what I can see, they did absolutely everything right.

“We were in a very precarious situation at the time of the attack,” Hancock Health CEO Steve Long said. “With the ice and snow storm at hand, coupled with one of the worst flu seasons in memory, we wanted to recover our systems in the quickest way possible and avoid extending the burden toward other hospitals of diverting patients. Restoring from backup was considered, though we made the deliberate decision to pay the ransom to expedite our return to full operations.”

Emails with malicious attachments are a common attack technique for ransomware campaigns, including SamSam specifically. But Hancock

This is a Security Bloggers Network syndicated blog post authored by Kim Crawley. Read the original post at: Cylance Blog