Original Publication @ azcentral.
How 4 IT technicians saved an Arizona hospital from hacker ransomware
Mike Nelson often comes to work early, around 6 a.m., so it was Nelson who first discovered the message.
Nelson, an information-technology technician for Wickenburg Community Hospital, found it glowing on a computer screen in the emergency department.
In Times New Roman font was the word “Ryuk.” In the bottom left corner of the screen was the phrase “balance of the shadow universe.”
Nelson immediately sounded the alarm: The small non-profit Wickenburg Community Hospital, in a community of just under 8,000 residents, had been hit by a ransomware attack, and Nelson was having trouble accessing the hospital’s files.
What is ransomware?
In a ransomware attack, hackers infect an individual or organization’s computer systems with malware and essentially hold the digital information on the system hostage until a ransom is paid, often in untraceable cryptocurrency, such as bitcoin.
According to Jason Denno, director of cyberoperations at the University of Arizona, attacks such as the one that hit Wickenburg Community Hospital at the end of June have become more common, and insidious, in recent years.
In a written statement, the FBI said the agency has “a number of significant, active investigations into ransomware attacks nationwide.”
According to the FBI, which started collecting data about ransomware in 2014, the number of reported attacks has been decreasing since a peak in 2016, but the amount of money reported to have been paid in ransoms has steadily increased, likely because cybercriminal groups are dedicating more time to individual attacks.
Hospitals have been a frequent target, sometimes with serious consequences.
Two hospitals, one in Ohio and one in West Virginia, were hit with ransomware in 2018, affecting operations at the buildings’ emergency rooms. The hospitals could only accept walk-up patients and ambulances had to be diverted to other hospitals, according to Forbes.
Those hospitals didn’t pay the ransom, but another hospital based in Indiana forked over $55,000 in bitcoin after it was hit with ransomware that locked files including patient medical records in 2018, according to the Greenfield Reporter.
‘You have nothing left’
Blue Beckham, Wickenburg’s interim chief information officer, doesn’t know how much the cybercriminals wanted to restore access to the hospital’s systems. The hospital never contacted the encrypted email addresses listed on the ransom message.
Law-enforcement and cybersecurity professionals advise against paying ransoms, arguing that paying will encourage more attacks, and that sometimes, hackers don’t follow through on promises to unlock files even after the ransom is paid.
After some reading up on ransomware attacks on the internet, the Wickenburg IT team determined that in other Ryuk attacks, which have targeted public- and private-sector victims, cybercriminals would ask for more than the small hospital could afford to pay anyway.
The government of Lake City, Florida,, a small community of about 12,000 people, approved a bitcoin payment worth about $460,000 after it was hit with Ryuk ransomware around the same time as Wickenburg’s attack, according to the Wall Street Journal.
“That would have been an enormous, enormous hit to our operations,” Beckham said. “We’re a community hospital in a rural setting and organizations of our size simply don’t have half a million dollars laying around.”
So instead of seeing what the hackers wanted, Beckham said that Wickenburg’s IT staff, a total of four people, including himself, began rebuilding the hospital’s computer systems from scratch.
“We threw it in the trash and started over from a software perspective,” Beckham said. “We sat down and decided what is most important, what was absolutely needed both short term and long term. And when I say short term, I mean in the next hour and long term is the next 12 hours.”
The Wickenburg hospital’s patient care was unaffected by the attack, but almost every other part of the hospital’s computer systems was locked down, Beckham said.
“You have nothing left except the ability to turn on a computer and get on the internet,” Beckham said. “This particular one is just vile.”
Beckham suspects the hospital’s system was infected through a phishing email, though they haven’t been able to pinpoint the email that likely opened the door to the Wickenburg hospital.
Phishing emails, which are emails that are infected with malware that latches onto the larger system when an individual user opens them and clicks on what Denno called an “evil link or evil document,” are among the social engineering tactics that hackers are increasingly using to distribute ransomware.
‘A sweet spot’
Beckham notified the Wickenburg Police Department and the FBI, but as is the case with most ransomware attacks, the hospital was largely on its own in responding to the attack.
Wickenburg Community Hospital was perhaps better prepared than most organizations its size for a ransomware attack. When Beckham arrived at the hospital in March, one of the first concerns he logged was the hospital’s vulnerability to a ransomware attack.
“The organization is just large enough to have some financial resources but not large enough to have extensive IT resources,” Beckham said. “It’s kind of a sweet spot.”
The hospital had already started to strengthen its security measures, and it had been backing its data up on physical tapes, which Beckham described as “halfway between a cassette tape and a VHS tape,” that were stored in a safe, an archaic-seeming strategy that cybersecurity professionals are increasingly advising organizations to use to protect critical data. A brand-new backup system was being shipped to Wickenburg when the attack hit.
“It was literally on the truck,” Beckham said. “We got it early the next week. It wouldn’t have prevented it, but our response and our recovery would have been 200 times better and faster.”
The IT team at Wickenburg worked around the clock all weekend until the hospital’s backup data and software was restored. The attack infected Wickenburg’s systems around 12:30 a.m. on Friday, June 28, and by Monday, the hospital was almost fully functioning again.
The backup system that was en route to Wickenburg when the ransomware attack occurred is now installed, and the hospital has upgraded its cybersecurity software.
Beckham said the team is remaining vigilant, especially for phishing emails like the one that may have opened the door to the Ryuk malware.
“We’re a lot more confident now, but it’s almost like terrorists and the FBI,” Beckham said. “The terrorists only have to be right once. You have to be right every time.”
Denno said phishing emails have gotten “much, much more sophisticated,” and that’s bad news for organizations with even the best cybersecurity systems.
Hackers are conducting digital and sometimes even in-person reconnaissance on employees they think might give them access to a particularly attractive target. Phishing has morphed into spear-phishing, vishing, smishing and waterholing, which are all more involved ways of tricking individuals into giving hackers an access point into an organization’s systems.
“When you attack the human, you bypass the majority, if not all, of the defenses,” Denno said. “Humans are trusting and bad guys are devious.”
While an organization can’t thwart every attack, it can teach employees about the methods hackers use to access systems, and to segment its networks so that if a ransomware attack does get through, it can prevent damage from spreading.
Denno said IT professionals can do what Wickenburg did with the tapes in making critical data analog, since a computer virus can’t infect a physical tape, and conduct regular “threat hunting,” in which IT professionals continuously monitor the most important segment of the network for any unusual activity.
“If you’re defending everything, you’re defending nothing,” Denno said.
Putting some “honey pots,” traps that look like a regular part of the network that set off alarms when someone accesses them, throughout the system doesn’t hurt either.
“We call them bad guys for a reason,” Denno said.