Criminal hackers now target hospitals, police stations and schools
Reporting from Washington — Three weeks ago, a debilitating digital virus spread quickly in computer networks at three Southern California hospitals owned by Prime Healthcare Services, encrypting medical and other data so it was impossible to access.
Using a pop-up window, unidentified hackers demanded about $17,000 in the hard-to-trace cybercurrency called bitcoin for the digital key to unlock the data.
The company says it defeated the cyberattack without paying a ransom. But it acknowledged some patients were temporarily prevented from receiving radiology treatments, and other operations were disrupted briefly while computer systems were down.
The attempted extortion by criminal hackers was the latest case of what the FBI says is a fast-growing threat to vulnerable individuals, companies and low-profile critical infrastructure, from hospitals to schools to local police.
The security breaches — which temporarily disable digital networks but usually don’t steal the data — not only have endangered public safety, but revealed a worrying new weakness as public and private institutions struggle to adapt to the digital era.
So-called ransomware attacks have surged so sharply that the FBI says hacking victims in the United States have paid more than $209 million in ransom payments in the first three months of this year, compared with $25 million in all of 2015. The FBI has not reported any arrests.
“Ransomware is a growing threat to businesses and individuals alike,” Chris Stangl, a section chief in the FBI’s cyber division, said in a statement to The Times.
Companies should train employees not to open digital attachments or to click on unfamiliar weblinks in emails that might contain viruses or other malware, Stangl said. They also should back up critical data and use up-to-date virus detection software.
Government officials are particularly concerned that hackers could lock up digital networks that run electrical grids, and oil and natural gas lines, according to Andy Ozment, assistant secretary of cybersecurity and communications at the Department of Homeland Security.
Ransomware attacks likely are increasing because people are willing to pay, Ozment said. “It’s safe to assume if criminals continue to do it, they are making money from it,” he said.
Most of the Internet extortion targets private companies, which rarely advertise paying ransom. Towns must disclose use of taxpayer funds.
In March 2015, for example, the Lincoln County Sheriff’s Department in coastal Maine paid about $350 in bitcoin for the key to its encrypted data after a malware attack. After the data was unlocked, Western Union reimbursed the county for the ransom payment, according to a county official who described the transaction.
That followed similar reported attacks on law enforcement in Tewksbury, Mass.; Midlothian, Ill.; Dickson County, Tenn.; Collinville, Ala.; and Durham, N.H. Some police chiefs refused to pay, saying they had backed up their data or it wasn’t crucial.
The price apparently has risen sharply in recent months.
This year, the Horry County School District in northeast South Carolina paid a ransom of $10,000 in bitcoin after dozens of their school servers were infected.
On Feb. 5, Hollywood Presbyterian Medical Center paid about $17,000 in bitcoin to regain control of its patients’ information.
The disruption was so severe that the hospital’s central medical records system was largely unusable for 10 days, and some patients were transferred to other facilities for treatment, officials said. The 434-bed short-term acute care hospital is owned by CHC of South Korea.
In March, hackers encrypted data at MedStar Health, which operates 10 hospitals in Maryland and the District of Columbia. The virus caused delays in service and treatment until computers were brought back online. The company said it did not pay a reported $19,000 ransom demand.
Analysts say hospitals are being targeted because many recently converted to digital records from paper, and their data security isn’t yet as strong as that of banks, insurance companies and government networks that have been hacked in the past.
“The problem is that hospitals aren’t very mature when it comes to cybersecurity and dealing with robust, sophisticated online attacks,” said Eduardo Cabrera, vice president for cybersecurity strategy at the security company Trend Micro Inc. in Irving, Texas. “A hospital needs health data in order to treat its patients. Hackers know there [are] major consequences if they don’t act quickly.”
The hackers, many from Eastern Europe or Russia, have found ransomware to be so profitable that they set up call centers, said Cabrera, who investigated underground hacking rings as chief information security officer for the U.S. Secret Service.
English-speakers with the hacking group will talk to victims over the phone or online and “help” them convert dollars into bitcoin and settle the ransom, he said.
Prime Healthcare, which operates 42 hospitals in 14 states, said it is still conducting a forensic investigation of the March 18 ransomware attack on Desert Valley Hospital in Victorville, Chino Valley Medical Center in Chino, and Alvarado Hospital Medical Center in San Diego.
Sreekant Gotti, the company’s chief information officer, said in a written statement that the company, which is based in Ontario, Calif., did not pay the ransom.
Computer “systems were quickly brought back online without compromising patient safety, or patient or employee data” because they had backed up the data, he added.
“These kinds of vulnerabilities are widespread in the health care industry and need to be addressed ahead of time,” Gotti said. “For that reason, Prime Healthcare had various levels of protection and controls built into its systems, including multiple levels of backup.”
An attack typically starts when a user opens a malicious email attachment that installs a virus on the computer network. But hackers also have developed so-called drive-by attacks, in which a user inadvertently downloads malware by clicking on a compromised website.
The first known ransomware cases appeared in Russia about 2005. Hackers encrypted emails, video and photos on individual accounts, and demanded relatively small ransoms — $25 or so — to unfreeze them.
Similar attacks soon spread across Europe and the United States as cyberthieves began seeking more valuable data — and charging more to free it.
In January, the FBI warned of a new scheme called CryptoWall 2.0 that locks up hard drives and directs the user to a webpage that shows a clock ticking down the time until the ransom doubles.
A March 31 alert from the Department of Homeland Security said hospitals and healthcare facilities in the United States, New Zealand and Germany had been infected with a destructive form of ransomware called Locky.
Locky gets into victims’ systems through email masquerading as an invoice with an attached Word document that’s laced with malicious code.
According to researchers at Kansas State University, the subject line of the email reads: “ATTN: Invoice J-98223146.” The message says, “Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.”
But paying the hackers doesn’t always free the data, the security alert warned.
“Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information,” it said. “In addition, decrypting files does not mean the malware infection itself has been removed.”
In recent months, the White House has convened interagency meetings with officials from the FBI, National Security Agency and the Defense, Homeland Security and Justice departments to discuss ransomware, officials said.
One question discussed was whether the government should advise people to pay the ransoms to unlock their data. As recently as last year, FBI officials sometimes suggested individuals and businesses pay to recover their data.
But the bureau has clarified its policy and now instructs people not to pay the criminal gangs.
“The FBI does not condone payment of ransom, as payment of extortion monies may encourage continued criminal activity, lead to other victimizations, or be used to facilitate serious crimes,” said Stangl, the FBI section chief.
Times staff writer Del Quentin Wilber in Washington contributed to this report.