Alabama health system pays hackers responsible for ransomware attack as FBI warns more to come

Alabama-based DCH Health System made a payment to hackers behind a ransomware attack that disrupted operations at three hospitals in the past week.

In collaboration with law enforcement and independent IT security experts, health system officials said they began a methodical process of system restoration, organization officials said in a statement posted on the health system's website Oct. 5.

"We have been using our own DCH backup files to rebuild certain system components, and we have obtained a decryption key from the attacker to restore access to locked systems," officials said. 

According to the Tuscaloosa News, system spokesman Brad Fisher said in a statement issued Saturday morning that they "worked with law enforcement and IT security experts to assess all options in executing the solution we felt was in the best interests of our patients and in alignment with our health system’s mission." 

"This included purchasing a decryption key from the attackers to expedite system recovery and help ensure patient safety," he said. "For ongoing security reasons, we will be keeping confidential specific details about the investigation and our coordination with the attacker.”

RELATED: Alabama health system forced to limit hospital services after ransomware attack

The health system did not disclose how much it paid the hackers for the decryption key.

Officials at DCH, which operates hospitals in Tuscaloosa, Fayette and Northport, detected ransomware that affected its systems Oct. 1. The hospitals were forced to limit services to only the most critical patients after the ransomware attack.

Health system officials said they have successfully completed a test decryption of multiple servers and are now executing a sequential plan to decrypt, test and bring systems online one by one.  

"This will be a deliberate progression that will prioritize primary operating systems and essential functions for emergency care. DCH has thousands of computer devices in its network, so this process will take time," officials said in the statement.

All three hospitals continued to be on diversion for all but the most critical patients through the past weekend. The health system said there is no indication that patient records have been misused or stolen.

Attacks on the rise, and ransom demands get bigger

The FBI issued a warning Oct. 2 that ransomware attacks are becoming "more targeted, sophisticated and costly, even as the overall frequency of attacks remains consistent."

Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by FBI case information, the agency said.

Although state and local governments have been particularly visible targets for ransomware attacks, ransomware actors have also targeted healthcare organizations, industrial companies and the transportation sector, the FBI stated.

RELATED: Moody's: Cyberattacks could cause significant financial disruption for hospitals

The FBI does not advocate paying a ransom, the agency said, "in part because it does not guarantee an organization will regain access to its data." In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key, according to the agency.

In the first nine months of 2019, at least 621 government entities, healthcare service providers, school districts, colleges and universities were affected by ransomware, according to a recent report from security firm Emsisoft.

So far in 2019, there were a total of 491 ransomware attacks on healthcare providers, Emsisoft reported. These incidents include Park DuValle Community Health Center, which was unable to access medical records for seven weeks, and staff were forced to resort to using a pen and paper system. ParkDuvalle eventually agreed to pay the $70,000 ransom. 

Wyoming health system Campbell County Health continues to struggle to get its computer systems back online after being hit with a ransomware attack Sept. 20. The health system said in an updated statement posted Oct. 4 that some services are back up, but clinics continue to have limited access to patient contact information.

Ransoms going up

Cybercriminals are increasingly targeting software commonly used by managed and other third-party service providers. In such attacks, multiple customers of a service provider can be simultaneously hit, as was the case in the August incident in which 22 cities and towns in Texas were impacted, according to Emsisoft.

The average ransom demand also has continued to increase in 2019. If one organization is willing to pay $500,000, the next may be willing to pay $600,000, Emsisoft said in its report. And insured entities may be more likely to pay demands, which results in ransomware being more profitable than it would be otherwise, and that helps further incentivize attacks.

RELATED: Wyoming health system hit with ransomware attack, diverts ER patients and cancels services

“There is no reason to believe that attacks will become less frequent in the near future,” Fabian Wosar, chief technology officer at Emsisoft, said. “Organizations have a very simple choice to make: prepare now or pay later.”

Free decryption tools available

Some healthcare organizations without offline backup files of patient data pay the ransom because they believe it's the only option. Many security firms offer free resources and decryption tools for different ransomware strains. Emsisoft provides an ID Ransomware tool to help identify what strain of ransomware organizations are facing as well as other decryption tools.

A public-private partnership between law enforcement and IT security companies called No More Ransom is helping ransomware victims recover their files rather than giving in to hackers' demands. The collaboration offers a library of freely available online tools that has helped 200,000 ransomware victims recover their files since launching in July 2016, according to Europol. The initiative has helped stop an estimated $108 million in ransom demands.

The initiative is led by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and security firms Kaspersky Lab and McAfee.