[BreachExchange] Alabama healthcare system pays hackers responsible for ransomware attack

Inga Goddijn inga at riskbasedsecurity.com
Tue Oct 8 10:42:29 EDT 2019


https://www.securityinfowatch.com/cybersecurity/information-security/anti-virus-and-malware-defense/news/21109305/alabama-healthcare-system-pays-hackers-responsible-for-ransomware-attack

The DCH Health System has made a payment to the hackers responsible for the
crippling attack on its computer system that's impacted operations at its
three hospitals since early Tuesday morning.

Hospital officials haven't revealed how much was paid, but said in a
statement Saturday that teams are working around the clock to restore
normal hospital operations.

"We worked with law enforcement and IT security experts to assess all
options in executing the solution we felt was in the best interests of our
patients and in alignment with our health system's mission," system
spokesman Brad Fisher said Saturday morning. "This included purchasing a
decryption key from the attackers to expedite system recovery and help
ensure patient safety. For ongoing security reasons, we will be keeping
confidential specific details about the investigation and our coordination
with the attacker."

There has been no evidence that patient or employee data was affected, he
said.

On Friday, UAB Medicine revealed that patient information for nearly 20,000
people was exposed during a data breach in August. Hackers unsuccessfully
attempted to divert automatic payroll deposits to their own account in the
breach that predated and is unrelated to the attack on DCH systems.

The ransomware attack encrypted electronic files at the Tuscaloosa,
Northport and Fayette hospitals, forcing staff to use a manual paper system
to track patient data. All but the most critically ill or injured new
patients have been sent to hospitals in Birmingham or Mississippi. Care of
the existing patients was not compromised, officials said. New patients
will continue to be diverted at least through the weekend, and there's no
timetable for when the system will be restored.

The system posted a message on its website Saturday morning:

"In collaboration with law enforcement and independent IT security experts,
we have begun a methodical process of system restoration. We have been
using our own DCH backup files to rebuild certain system components, and we
have obtained a decryption key from the attacker to restore access to
locked systems.

"We have successfully completed a test decryption of multiple servers, and
we are now executing a sequential plan to decrypt, test and bring systems
online one-by-one. This will be a deliberate progression that will
prioritize primary operating systems and essential functions for emergency
care. DCH has thousands of computer devices in its network, so this process
will take time.

"We cannot provide a specific timetable at this time, but our teams
continue to work around the clock to restore normal hospital operations, as
we incrementally bring system components back online across our medical
centers. This will require a time-intensive process to complete, as we will
continue testing and confirming secure operations as we go.

"As we complete this process, all three hospitals will continue to be on
diversion for all but most critical patients through the weekend. Our
Emergency Departments will continue to see patients who bring themselves to
the hospital.

"We expect to be making additional announcements in the coming days, as key
systems are restored and more patient services resume. Meanwhile, we are
grateful for the dedication and professionalism of our staff, as they
continue using our emergency downtime procedures to provide safe and
patient-centered care."