Ransomware attacks, in which hackers lock your computer or keyboard until you pay a ransom, are on the rise. The latest notable ransomware victim is Hollywood Presbyterian Medical Center in Los Angeles, whose computers have been offline for over a week. The computers will come back online, the hackers reportedly say, in exchange for $3.4 million, paid in bitcoin.
The incident, first reported by a local NBC affiliate, affects the Los Angeles hospital’s computer systems, including those needed for lab work, pharmaceutical orders, and even the emergency room.
While the hospital’s spokesperson was unavailable to comment, HPMC president and CEO Allen Stefanek told KNBC that it was “clearly not a malicious attack; it was just a random attack.” It’s not clear what he means, though; a hospital in a wealthy neighborhood seems unlikely to be a random target, especially for such a large sum.
As WIRED explained last fall, while ransomware has been around for over a decade, hackers have been embracing increasingly sophisticated methods. In the past, ransomware could only lock down a target’s keyboard and computer; now, hackers can encrypt an infected system’s files with a private key known only to the attacker. That may be what has happened here, according to anonymous hospital sources who told NBC4 that the hackers offered a “key” in exchange for the ransom money. The hospital has yet to officially detail the attack.
Stefanek told NBC4 that patient care hasn’t suffered, although some 911 patients have been sent to other nearby hospitals. Meanwhile, it appears to mostly add up to a headache for those in the HPMC system because hospital staff have had to write all documentation out by hand for the last week. Some patients, meanwhile, need to drive to more remote hospitals for medical tests that HPMC cannot offer without a functioning network.
The fallout appears limited to this one hospital, though, and even within its walls the impact seems annoying, but not crippling. HPMC says it’s working with the FBI, LAPD, and computer forensics experts to recover its systems.
How Bad Is It?
Given the degree of things that could potentially go wrong at the intersection of hospitals and hackers, this isn’t so terrible. But in terms of the scale of the ransomware, it’s about as as bad as it gets. Symantec recently pegged the total amount of ransomware paid out in any given year at $5 million. This single incident asks for well over half that amount.
The bigger impact may not be clear until after the incident is resolved. If the hospital ends up paying out, it could inspire copycat attacks. If not, and the hackers are identified, it could act as a deterrent. Either way, for now it shows that no target is off limits for ransomware, nor is any sum.