16 Jan 2018
By now you probably know the drill when it comes to ransomware. Don’t open suspicious email attachments and if you do happen to get infected, make sure you have a backup you can restore from. The recent ransomware attack on Hancock Health in Greenfield, Indiana, didn’t go that way.
First of all, the infection didn’t come from an infected file. Instead, the hacker(s) used SamSam, which searches the Internet for Remote Desktop Protocol connections then brute force attacks the system until they’re in and have spread through the network a good bit. Once they’re happy with how saturated they are, the ransomware deploys.
Hancock Health was quick to shut down computers and put warnings up all over the place instructing employees not to turn on their computers until they were cleared to do so. Hospital operations continued as best they could using ancient technologies such as pen and paper.
The hospital did have backups to restore from, but they figured it would have taken days or weeks to properly restore everything from their backups, so they opted, for the sake of expediency, to pay 4 Bitcoins, which was around $55,000 at the time. (Too bad they didn’t wait until today- it would have saved them about $12,000.)
The SamSam ransomware did show some remorse over the situation. All of the encrypted files were renamed to “I’m sorry.”