Kansas Heart Hospital hit with ransomware; attackers demand two ransoms

Kansas Heart Hospital in Witchita was hit with ransomware last week. The ransomware attack occurred on Wednesday, and the KWCH 12 news video from Friday night said some files were still inaccessible by the hospital.

Hospital President Dr. Greg Duick refused to disclose the ransom amount and the ransomware variant. He said, “I’m not at liberty because it’s an ongoing investigation, to say the actual exact amount. A small amount was made.”

Yes, the hospital paid the ransom. No, the hackers didn’t decrypt the files—at least it was described as not returning “full access to the files.” Instead, the attackers asked for another ransom. This time the hospital refused to pay because it was no longer “a wise maneuver or strategy.”

+ Also on Network World: Ransomware-like tech support scam locks screen, labels Windows product key as invalid +

Supposedly the hospital had a “plan” for this type of attack and implemented it immediately. Duick claimed, “I think it helped in minimizing the amount of damage the encrypted agent could do.”

Wouldn’t a plan include backups? Maybe the backups were not air-gapped? At any rate, despite the plan, the hospital paid the ransom only to have the attackers attempt to extort another.

It’s unknown if Duick is a highly technical individual who understands ransomware and is giving seriously dumbed-down explanations or if he is repeating what he was told. For example, he described ransomware as this: “It would be like you’re working on your computer and all of a sudden, your computer says, sorry can’t help you anymore. It became widespread throughout the institution.”

“The patient information never was jeopardized, and we took measures to make sure it wouldn’t be,” Duick said. Hopefully those measures were better than the hospital’s disaster recovery “plan.”

Patients’ treatment not affected

Unlike some ransomware attacks on hospitals, which resulted in long delays due to being thrown back to old-school pen and paper records and caused the rerouting of incoming patients to a different hospital, Duick said the ransomware “never impacted” treatment for Kansas Heart Hospital patients. After being a victim of a crypto spanking, it helped the “hospital strengthen its response to future hackers.” Hopefully that includes air-gapped backups.

Or perhaps the hospital did have a decent plan and one of its employees opened a phishing email to become infected during the process of converting to a new backup system. That’s what happened to Tulsa attorney Grayson Barnes.

He told Tulsa World, “It was a short window when they could have encrypted the files, and it happened to be the time that they did. Generally, we back up every evening. But it wasn’t just a day’s work product. It was the entire firm’s history.”

Because that was the case, the firm paid the ransom.

FBI Special Agent Chad Knapp told Tulsa World, the “bad guys” behind the ransomware are typically overseas. “They know where to hit because they are doing their reconnaissance,” he said. Knapp said he was aware of ransoms as high as $50,000 nationally, before adding that some ransoms are even higher.

Last week on Ransomware InfoDay, Microsoft revealed that the United States is the top ransomware target with 320,948 infected systems, followed by Italy’s 78,948 ransomware infections and 45,840 in Canada.

While talking about ransomware and how organized crime is going after “the low-hanging fruit,” Dr. John Hale, a University of Tulsa cybersecurity expert, added:

“I could attack 20,000 individuals or small companies who I know don’t have security in place and don’t have backup procedures, and I could [get] $500 each from them and I could come up with a pretty good payday without worrying about either getting caught or lack of success. We’re seeing it as a definite up trend. What’s interesting is that it’s crossing multiple sectors now. The way our cars are computerized, the next ransomware attack may be in that area. …‘You want to start your car? Pay me $300.’ We’re headed that way.”

Other experts have predicted large-scale ransomware attacks on cars with the infection hitting a manufacturing plant or car dealership.

Decrypters released for TeslaCrypt, 777, Xorist and GhostCrypt

While it might not help Kansas Heart Hospital, there is good news for TeslaCrypt victims. After ESET security researchers asked the cyber thugs behind TeslaCrypt for the universal master decryption key, the crooks gave it to them. The attackers said the TeslaCrypt project is closed and they “are sorry.”

ESET then created a free decrypting tool for all TeslaCrypt variants between 3.0.0 and 4.2, as well instructions for using it.

Last week, Emsisoft also released free decryption tools, one for 777 ransomware and one for Xorist. Rasomware 8Lock8 was no sooner discovered than a decrypter was released. Michael Gillespie, the same malware expert who released the fix for 8Lock8, also released a decrypter for GhostCrypt.

While those are fine examples of good news for victims, there seems to be no end to new ransomware being discovered.