Alabama-based DCH Health System on Saturday revealed it had paid ransomware attackers for decryption keys to unlock data captured by malware at three hospitals.
The hospital network was attacked last week, along with a Victorian-based hospital group, which limited both healthcare service providers to offering emergency services.
The attacks preceded an alert from the FBI last week explicitly stating that it does not endorse paying ransomware attackers but still wants victims to report incidents to the agency if a ransom is paid.
According to security firm Bitdefender, the Alabama provider was affected by the notorious Ryuk ransomware. The Victoria healthcare providers are also reportedly victims of Ryuk. Neither organizations are alone in paying to resolve ransomware, but law enforcement agencies regularly remind potential victims that attackers don't always deliver decryption keys and the act of paying itself emboldens attackers.
DCH Health System said it had tested the purchased keys against multiple servers and confirmed they did work, but warned that systems would take some time to come back online and offered no date for when they would.
It worked with US law enforcement and infosec experts to launch a “methodical process of system restoration” .which also involved backups for systems that could be restored without the paid-for key.
“We have successfully completed a test decryption of multiple servers, and we are now executing a sequential plan to decrypt, test and bring systems online one-by-one,” DCH said in a statement.
“This will be a deliberate progression that will prioritize primary operating systems and essential functions for emergency care. DCH has thousands of computer devices in its network, so this process will take time.”
DCH doesn’t know when the systems will be fully restored.
“This will require a time-intensive process to complete, as we will continue testing and confirming secure operations as we go,” it said.
DCH hasn't said how much it paid the attackers. CSO Online has contact DCH for further details and will update the story if it receives a response.
Many of the recent local government victims of ransomware attacks were dealing with Ryuk infections. The targeted attacks on hospitals exploit the fact the organizations provide life-saving services and therefore could be more inclined to pay. At least one medical center in the US affected by ransomware was forced to close business due to the attack.
A new report from security firm Emisoft claims 79% of US government organizations affected by ransomware in the US were healthcare providers.
“Cybercriminals understand that healthcare providers are often more inclined to pay the ransom as failure to do so may result in data loss that could potentially put lives at risk,” Emisoft researchers noted.
A key determinant of whether a victim pays is the costs linked to systems that are no longer available. The most important mitigation step is the availability of fresh backups, which can be used to restore affected systems.