

How low can a ransomware attacker go?
The answer to that question is apparently a hospital, with news that computers at the Hollywood Presbyterian Medical Center have been taken offline following a ransomware attack.
According to reports, the people behind the hack have demanded 9,000 Bitcoin ($3.6 million) to return access to internal systems, which have now been inaccessible for over one week.
The attack has been declared an internal emergency, and the hospital’s emergency room systems have been sporadically impacted by the malware, although the hospital itself is claiming that medical records have not been compromised.
Although no one is believed to have died due to the attack, some patients are said to have been transported to other hospitals because vital systems needed for patient care, including CT scans, documentation, lab work and pharmacy needs, are inaccessible.
Doctors and medical staff have resorted to telephone calls, fax machines, and keeping paper records, and patients are being told they must travel to pick up medical test results in person rather than receive them electronically.
The Federal Bureau of Investigation (FBI), Los Angeles Police, and computer forensics experts hired by the hospital are investigating the attack, although rather strangely at this stage they are claiming that the attack itself was random rather than specifically targeted at the facility.
Ransomware is certainly not a new menace and there has been no shortage of attacks demanding Bitcoin payments of late, but attacking a hospital is something beyond the pale.
The type of ransomware responsible for shutting down the hospital remains unknown, but you’d put money on it being a recent variant of Cryptowall given the systems have remained down for over a week.
Cryptowall 3.0 was reported by the Cyber Threat Alliance in November as raking in increasingly large amounts of funds due to its insidious, difficult-to-counter takeover of systems, in which it performs several evasive actions to avoid detection once it is in a system.
There have been efforts to track down those using Cryptowall previously, with many previous attacks believed to originate from a single entity that operates out of Armenia, Belarus, Iran, Kazakhstan, Russia, Serbia and Ukraine. With a hospital now being attacked, perhaps authorities will step up their efforts to counter these attacks, given it’s no longer a case of people’s financial well-being at stake, but their actual life and death.