Harboring Ransomware

Wapack Labs has been closely observing ransomware attacks all across the United States, particularly attacks targeting healthcare companies. On 15 June 2019, Grays Harbor Community Hospital (GHCH) and Harbor Medical Group (HMG), Aberdeen, WA, discovered that their electronic data had been encrypted by an unknown variant of ransomware.

Immediately after discovery, they reached out to both Kroll (a division of Duff and Phelps and a leading global provider of risk solutions) and the US Federal Bureau of Investigation (FBI) for further assistance. With advice from the FBI, they decided not to pay the ransom.

 

The FBI customarily advises against paying the ransom for multiple reasons:

  • Paying a ransom does not guarantee that the company will get their data back
  • Victims who pay the ransom may be targeted again, by the same or different actors who know they're willing to pay
  • Sometimes after paying the initial ransom, attackers ask for more money
  • Paying encourages attackers to target other victims and provides more resources for them to do so[1]

After refusing to pay the ransom, GHCH and HMG began restoring their data from backup copies.  At this time, they are still working on fully restoring the data.

Similar to the Park DuValle ransomware attack, recently reported by Wapack Labs (TR-19-214-001), officials at this health group claim that hackers did not exfiltrate any data but were able to activate ransomware on the network. Sometimes attackers will exfiltrate data before a ransomware attack to use in future attacks.

[1] https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view

Link to full report: TR-19-231-001_GHCH Washington.docx