At approximately 9:30 PM on Thursday, January 11, 2018, an unknown criminal group effectuated a ransomware attack against the information systems of Hancock Health. The point of entry of the attack was a hospital server on which the Remote Desktop Protocol (RDP) service was enabled and accessible via the Internet. Forensic analysis determined that an administrative account set up by a vendor of the hospital was compromised and used to gain unauthorized access to a specific system managed by that vendor. With this account, the attackers proceeded to infect a number of the hospital’s information systems with the variant of ransomware known as SamSam, which in turn encrypted the data files on those systems with a private key held by the attackers.
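The entry path described above (an Internet-reachable RDP service plus a vendor-created administrative account) leaves a recognisable trail in Windows Security logs: successful RDP logons (event 4624, logon type 10) whose source address is outside the hospital's own ranges, often preceded by failed attempts (event 4625) from the same address. The script below is an added defender-side illustration, not code from Hancock Health, Pondurance or the report; it runs over a handful of constructed, flattened event lines (the `key=value` format, the account names and the addresses are all assumptions), and flags external RDP logons, counting prior failures from the same source and marking whether the account is on an assumed list of vendor maintenance accounts.

```python
import ipaddress
from collections import Counter

# Constructed sample, not real hospital logs: Windows Security events flattened to
# "key=value" pairs. EventID 4624 = successful logon, 4625 = failed logon,
# LogonType 10 = RemoteInteractive (RDP). Addresses are documentation ranges.
SAMPLE_EVENTS = [
    "EventID=4625 LogonType=10 TargetUserName=vendor_admin IpAddress=203.0.113.45",
    "EventID=4625 LogonType=10 TargetUserName=vendor_admin IpAddress=203.0.113.45",
    "EventID=4624 LogonType=10 TargetUserName=vendor_admin IpAddress=203.0.113.45",
    "EventID=4624 LogonType=10 TargetUserName=nurse01 IpAddress=10.20.5.17",
    "EventID=4624 LogonType=2 TargetUserName=it_admin IpAddress=-",
    "EventID=4624 LogonType=10 TargetUserName=vendor_admin IpAddress=192.168.40.8",
    "EventID=4624 LogonType=10 TargetUserName=it_admin IpAddress=198.51.100.9",
]

# Assumption: the organisation maintains a list of third-party maintenance accounts.
VENDOR_ACCOUNTS = {"vendor_admin"}

# Address space considered "inside" the hospital network. RFC 1918, loopback and
# link-local; anything else is treated as reachable from the Internet. Defined
# explicitly rather than via ipaddress.is_global, which also excludes the
# documentation ranges used in the sample data.
INTERNAL_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def parse_event(line):
    """Split one flattened event line into a dict of field name -> value."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_external(ip_text):
    """True when the source address is outside INTERNAL_RANGES.

    Empty or '-' addresses (local console logons) and unparsable text are
    treated as not external so they never produce a finding.
    """
    if ip_text in ("", "-"):
        return False
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_RANGES)


def find_external_rdp_logons(lines, vendor_accounts=VENDOR_ACCOUNTS):
    """Return one finding per successful RDP logon from an external address.

    Each finding records the account, the source IP, how many failed RDP logons
    from that same (account, IP) pair preceded the success (a password-guessing
    indicator), and whether the account is a known vendor account.
    """
    failures = Counter()
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("LogonType") != "10" or not is_external(ev.get("IpAddress", "")):
            continue
        key = (ev.get("TargetUserName", ""), ev["IpAddress"])
        if ev.get("EventID") == "4625":
            failures[key] += 1
        elif ev.get("EventID") == "4624":
            findings.append({
                "account": key[0],
                "source_ip": key[1],
                "prior_failures": failures[key],
                "vendor_account": key[0] in vendor_accounts,
            })
    return findings


if __name__ == "__main__":
    for finding in find_external_rdp_logons(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the script reports two external RDP logons: the vendor account from 203.0.113.45 after two failures, and an IT account from 198.51.100.9 with none. The internal-address logons and the console logon are ignored. In production the same logic would read exported event data rather than a hard-coded list, and the simplest mitigation remains the one the incident points to: no RDP reachable from the Internet, and vendor accounts restricted to a VPN or bastion with multi-factor authentication.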
The hospital’s leadership, in following its incident response and crisis management plan, established contact with their legal representation at Hall Render and an Indianapolis-based cyber security firm, Pondurance, LLC. The leadership team also made the decision to involve the FBI’s cyber-crime task force for advisory assistance. By Friday, January 12, 2018, the team had contained the incident and proceeded toward recovery of the infected systems.
The hospital’s leadership, upon consideration of many factors, made the determination to pay the ransom of four bitcoin demanded by the attackers in order to retrieve the private encryption keys. Hancock Health CEO Steve Long made the following statement:
“We were in a very precarious situation at the time of the attack. With the ice and snow storm at hand, coupled with one of the worst flu seasons in memory, we wanted to recover our systems in the quickest way possible and avoid extending the burden toward other hospitals of diverting patients. Restoring from backup was considered, though we made the deliberate decision to pay the ransom to expedite our return to full operations.”
Based on the forensic analysis conducted by Pondurance, it appears that patient data was not transferred outside of the hospital’s network. The FBI further confirmed during this investigation that the typical motivation of the criminal elements that leverage the SamSam ransomware is to obtain the ransom payment, not to harvest patient data.
As of late evening on Friday, January 12, 2018, the combined Hancock, Hall Render and Pondurance team was able to make the bitcoin transaction and receive the private keys from the attackers. Before restoration, and to ensure containment, the team enhanced the security posture of hospital systems and the network. By Monday, January 15, 2018, critical systems were restored to normal production levels and the hospital was back online.
The life-sustaining and support systems of the hospital remained unaffected during the ordeal, and patient safety was never at risk.