The hospital paid about $100,000 in Bitcoin to get its data back.
The department said it recovered that ransom as well as a payment from a Colorado health care provider affected by the same Maui ransomware variant.
Why are people this dumb? Don’t pay ransoms. Ever. There’s no guarantee they will delete their copy, and you should have proper backups anyway (you do make backups, right?).
It worked out in this case, but it’s still an extremely stupid move.
They paid and they got their data back. These hackers have a large incentive to return the data otherwise nobody would pay. I feel like $100k is a pretty decent price especially relative to the massive grift in health care/insurance.
Sure, they should have backups and great security and whatnot. But clearly they don’t.
Why pay for security when an insurance CEO can get a massive bonus instead?
Sure, they’ll return the data, but why wouldn’t they keep a copy? It’s not like there’s any way to prove that it’s not copied. So they could get a $100k payday from the victim, plus whatever they can get on the black market. They’ll probably split up the data so it’s not as obvious where it came from (don’t want to scare away the next victim).
Any data that’s ransomed should be assumed to be available to attackers. That means the first people they should contact are the police, because until they pay the ransom, the attackers probably won’t leak it (that would reduce the chance that you’d pay the ransom). There’s usually a time limit, but they could probably stall until the police get involved. If the police can catch them, there’s a chance they could protect their customers from having their private medical data from being sold.
I get it, breaches happen, but there’s no excuse for not having off-site backups. 1TB at Backblaze B2 costs $6/month, so assuming that’s enough (it probably is), $100k could pay for over 1000 years of backups… And it’s probably something they could pay a contractor once to set up and then largely forget about it until they need it. Or if you use AWS, just turn on backups there, it’ll probably cost a little more, but it’ll be way easier.
The process of should be:
- get threatening ransom notice
- call the police
- patch the leak and restore from backup onto a new machine (can even hire a contractor to do it in <1 week)
- delay the ransom person (“I need time to get the money together…”)
- repeat 4 while operating business as usual as long as you can to buy the police time
Your data will probably get leaked on the dark web regardless, so just accept that at step 1.
Depending on who compromised you, paying the ransom is the smart move.
As long as the hacker group has a somewhat established name and reputation, they have more to lose from keeping a copy afterwards than to gain. Trust is like half of the business model for these groups - throwing it all away for a one-time gain isn’t the smartest move.
And while you should obviously keep a backup, in the end it might be cheaper to just pay up, especially because of potential future lawsuits should customer data be leaked.
Also, you should absolutely make sure the hackers actually have stolen data instead of merely encrypting it all with a secret key. There’s no point in paying in that case.
That’s why contacting the police is the right move, they’ll be able to investigate and determine who stole the data, or if it’s just encrypted. You can also get someone to investigate for you outside the police if you like (the police can be quite slow).
If guilty of this after prison sentence should be tracked and denied access to a hospital ever. Awful fuckin move guy.