Monthly Archives: April 2016

Do US universities deserve an “F” in teaching cybersecurity?

The US alone has 210,000 cybersecurity jobs going unfilled, according to one recent estimate.

What’s more, the world’s next generation of programmers and IT pros are going to need a deep understanding of security, even if they aren’t “cybersecurity specialists.”

So, are they learning the security skills and mindsets they need? Not in the top universities in the United States, argues CloudPassage.

The topline claim from the company’s survey of 122 leading university computer science programs: US Universities Get “F” For Cybersecurity Education.

That’s a startling claim, so it’s worth exploring and reflecting on CloudPassage’s survey in a bit more detail.

CloudPassage’s research firm began by identifying the top 122 computer and information science programs in the United States, drawing on widely used lists from US News, Business Insider, and QS World. Next, it set standards for grading those programs. How many undergraduate courses in cybersecurity do they offer? How many are required for a student to earn a major in the field?

So, for example, to earn an “A,” a university would need to offer at least three courses in cybersecurity and require computer or information science majors to take at least two. Not one of the nation’s top 50 programs met that standard; among the wider group of programs surveyed, the University of Alabama was one school that did.

Conversely, eight of the top 50 universities offered and required no undergraduate courses in cybersecurity, thereby earning an “F” from CloudPassage. And no fewer than 28 of the top 50 programs earned miserable “D”s, by offering no more than three cybersecurity courses while still requiring none.

CloudPassage didn’t discriminate in handing out these awful grades: “D”s or “Fs” showed up in Ivy League schools, legendary engineering and technical universities, highly respected public and private universities, you name it.

A smaller number of institutions did shine in CloudPassage’s survey – including Rochester Institute of Technology and Tuskegee University, each offering 10 security courses; DePaul with nine; and the University of Maryland with eight.

So, what exactly does this mean? That’s harder to say. As CloudPassage CEO Robert Thomas says:

We […] need to train developers, at the very earliest stage of their education, to bake security into all new code. It’s not good enough to tack cybersecurity on as an afterthought anymore. This is especially true as more smart devices become Internet accessible and therefore potential avenues for threats.

And there’s the rub. It’s significant and troubling if top students can earn undergraduate degrees in computer and information science without ever taking security into account. But the research doesn’t answer another question: is security “baked into” the other courses they’re taking?

Do they learn cryptography and cryptanalysis in ways they’ll be able to use? Do their networking courses address access control, or firewalls, or secure protocol design, or penetration testing? Do their programming courses teach best practices for designing and writing more secure code, and testing security? Do their operating system courses discuss privilege control? Are their senior coding projects judged on security as well as other aspects of quality?

If so, they may be learning a good deal of cybersecurity, even though their transcripts never use the word.

Admittedly, that’s a big “if.” But it’s an important question, no matter that it’s harder to answer. So, too, is another question: How good are the cybersecurity courses that do exist?

Those questions aren’t answered by CloudPassage’s study. But maybe someone else will try to answer them in the future.

If nothing else, those “Ds” and “Fs” will get the attention of a whole lot of university deans and department heads. Which can only be a good thing for all of us.

Via: nakedsecurity

Hackers Can Listen To Calls Knowing Only Your Phone Number

The recent “60 Minutes” broadcast on CBS showed how a team of hackers in Germany was able to hack a U.S. Congressman’s cellphone, listen to his calls and track his movements, starting from nothing more than his mobile phone number.

The Berlin-based team is made up of white-hat hackers who look for computer and device vulnerabilities so they can be fixed. They were able to access a test phone provided to U.S. Rep. Ted Lieu of California by way of Signaling System 7 (SS7), the global signaling network that carriers use to route calls and text messages between one another.

However, critics of the 60 Minutes report said the SS7 network is not one that most hackers have access to, meaning the vulnerability is not one most people need to be concerned about. They also said the SS7 vulnerability is not a new discovery or development.

Individual Security Settings Have ‘No Influence’

During last night’s broadcast, Sharyn Alfonsi reported that German hacker Karsten Nohl and his team at Security Research Labs had legal permission from several phone carriers to access the SS7 network for their vulnerability research. “[T]he carriers wanted Nohl to test the network’s vulnerability to attack,” the report stated. “That’s because criminals have proven they can get into SS7.”

Nohl demonstrated how his team was able to listen in on Lieu’s phone calls and even track his movements. (SS7-based location tracking relies on the mobile network’s own record of which cell the phone is attached to, not on the handset’s GPS chip.) He noted the SS7 vulnerability isn’t one that individual device owners can control through their security settings.

“[A]ny choices that a congressman could’ve made, choosing a phone, choosing a pin number, installing or not installing certain apps, have no influence over what we are showing because this is targeting the mobile network,” Nohl told 60 Minutes. “That of course, is not controlled by any one customer.”

Hoping Media Attention Leads to Fix

Following last night’s broadcast, some users on Reddit offered some criticisms about the implied risks. “To be able to take advantage of SS7, you have to have equipment that talks SS7 (either a simulator or a telephone switch), and convince other telephone companies that you are a telephone company, and get them to link and peer with you,” Redditor isakmp wrote.

Another user wrote, “SS7 switches are both fewer in number and much more protected than even the switches that are routing core traffic for the Internet. This article is kind of like saying this . . . ‘Look at how easy it is to steal the gold from Ft. Knox,’ and then revealing that in order for this gold stealing ‘hack’ to take place all the doors were unlocked and the facility left unmanned.”

In late 2014, the Washington Post reported that Nohl and another German security researcher, Tobias Engel, each discovered the SS7 vulnerabilities earlier that year.

“The researchers did not find evidence that their latest discoveries, which allow for the interception of calls and texts, have been marketed to governments on a widespread basis,” the Post noted at that time. “But vulnerabilities publicly reported by security researchers often turn out to be tools long used by secretive intelligence services, such as the National Security Agency or Britain’s GCHQ, but not revealed to the public.”

Earlier today, hacker/security researcher Dino Dai Zovi noted in a tweet that Nohl “described that each carrier had to fix [the vulnerability] on *their* network individually. Consumers can’t do anything to fix it.” In another tweet, he added, “Maybe with nat’l media and congressional attn, those responsible for vuln will fix it.”

Via: enterprise-security-today

Over 3 Million Servers at Risk of Ransomware Due to Out-of-Date Apps

Out-of-date software may not seem like the biggest problem in the world, but a new report from information security researchers finds that it may be responsible for putting more than 3 million servers at risk of ransomware attacks. In fact, the researchers found just over 2,100 backdoors installed across nearly 1,600 IP addresses belonging to schools, governments, aviation companies, and others.

The threat of ransomware, malware that encrypts a victim’s files and demands payment for the key needed to decrypt them, has grown dramatically in recent years. But the practice of targeting servers rather than individual machines appears to be a relatively new development.

A New Threat

The warning comes from Talos, a threat intelligence group owned by Cisco. According to the group, the compromises it uncovered trace back to out-of-date versions of the JBoss application server, part of Red Hat’s Java-based enterprise middleware portfolio. Talos said it had been investigating JBoss as an attack vector following the recent ransomware campaign attacking servers with the Samsam malware package.

“Targeting vulnerabilities in servers to spread ransomware is a new dimension to an already prolific threat,” Talos wrote in a blog post Friday. “As part of this investigation, we scanned for machines that were already compromised and potentially waiting for a ransomware payload. We found just over 2,100 backdoors installed across nearly 1600 IP addresses.”

Some of the compromised servers belonged to schools running Follett’s Destiny software, a library management system that keeps track of school library books and other items, Talos said. Follett immediately issued a fix for the vulnerability. The researchers said it was “imperative” that all Destiny users install the patch.

In the course of its investigation, Talos found a number of webshells on compromised servers. A webshell is a script (on a JBoss host, typically a JSP file) that an attacker drops onto a web server so that commands can be sent to it, and executed, through ordinary HTTP requests, giving remote control of the system. The group said it found that compromised servers running JBoss typically had more than just one webshell installed.

“We’ve seen several different backdoors including ‘mela,’ ‘shell invoker,’ ‘jbossinvoker,’ ‘zecmd,’ ‘cmd,’ ‘genesis,’ ‘sh3ll’ and possibly ‘Inovkermngrt’ and ‘jbot,’” the company wrote on its blog. “This implies that many of these systems have been compromised several times by different actors.”

The Webshell Threat

Talos said that webshells are a major security concern since they can indicate that an attacker has already compromised a server and can control it remotely. As a result, a compromised Web server could be used to pivot and move laterally within an internal network.
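A first triage step a defender can take with the names Talos published is to search web server access logs for requests to them. The following is an added example, not Talos’s code or tooling: it parses Apache/nginx combined-format log lines, matches each path component against the web-shell names quoted above, and tallies hits per source address. The log lines and IP addresses are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Web-shell names Talos reported on compromised JBoss hosts (quoted above).
# "Inovkermngrt" and "jbot" were listed as tentative; they are included as-is.
KNOWN_WEBSHELLS = {
    "mela", "shell invoker", "jbossinvoker", "zecmd", "cmd",
    "genesis", "sh3ll", "inovkermngrt", "jbot",
}

# Apache/nginx "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def path_tokens(raw_path):
    """Split a request path into lower-cased components: the query string is
    dropped, %xx escapes are decoded (so 'shell%20invoker' compares as
    'shell invoker') and a file extension such as .jsp is removed."""
    path = unquote(raw_path.split("?", 1)[0]).lower()
    tokens = []
    for part in path.split("/"):
        if part:
            tokens.append(part.rsplit(".", 1)[0] if "." in part else part)
    return tokens

def find_webshell_hits(log_lines):
    """Return (ip, method, path, status) for every request whose path names a
    known web shell. 404s are reported as well as 200s: a miss on one of these
    names is still somebody looking for a shell."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # not combined format; skip it
        if any(tok in KNOWN_WEBSHELLS for tok in path_tokens(m.group("path"))):
            hits.append((m.group("ip"), m.group("method"),
                         m.group("path"), int(m.group("status"))))
    return hits

def hits_by_source(hits):
    """Count flagged requests per client address."""
    return Counter(ip for ip, _, _, _ in hits)

# Constructed sample log lines, not real traffic (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Apr/2016:10:01:02 +0000] "GET /app/login.jsp HTTP/1.1" 200 1532
203.0.113.5 - - [15/Apr/2016:10:01:09 +0000] "POST /jbossinvoker/ HTTP/1.1" 200 88
198.51.100.7 - - [15/Apr/2016:10:03:44 +0000] "GET /zecmd/zecmd.jsp?comment=whoami HTTP/1.1" 200 301
198.51.100.7 - - [15/Apr/2016:10:03:50 +0000] "GET /shell%20invoker/index.jsp HTTP/1.1" 404 209
192.0.2.44 - - [15/Apr/2016:10:05:00 +0000] "GET /library/catalog/search.do HTTP/1.1" 200 8810
this line is not in combined format and is skipped
""".splitlines()

if __name__ == "__main__":
    found = find_webshell_hits(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(hits_by_source(found))
```

Matching on decoded path components rather than raw substrings keeps `cmd` from firing on every URL that merely contains those three letters, while still catching `cmd.jsp` and `%20`-encoded names. A hit on a 404 is worth keeping: it usually means the same actor is probing for a shell that was dropped under a different name.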

The group recommended that enterprises take down any servers that have been compromised immediately, as they could be misused in a number of ways. Servers hosting JBoss, for example, were heavily involved in the recent Samsam attacks, Talos said. Admins who discover webshells on their servers should first remove external access to the servers to prevent hackers from accessing the compromised machines remotely.

Ideally, enterprises should also re-image compromised systems and install updated versions of all software to deny hackers future access, according to Talos. Barring that, the group recommended restoring from a backup prior to the compromise, followed by an upgrade of the servers to non-vulnerable versions before returning them to production.

Via: enterprise-security-today

Critical Flaws Alert: Better Uninstall QuickTime for Windows Now

Two new vulnerabilities in Apple’s QuickTime for Windows are so critical that US-CERT is urging users to uninstall the software from their PCs immediately, because Apple isn’t going to patch them. In fact, Apple has announced that it will no longer be supporting the multimedia player on the Windows platform at all, meaning the bugs may never be patched, according to security firm Trend Micro. The advisory does not apply to QuickTime on OS X.

“These advisories are being released in accordance with the Zero Day Initiative’s Disclosure Policy for when a vendor does not issue a security patch for a disclosed vulnerability,” Trend Micro wrote in a blog post. “And because Apple is no longer providing security updates for QuickTime on Windows, these vulnerabilities are never going to be patched.”

Heap Corruption Remote Code Execution

Both bugs are heap corruption vulnerabilities that can lead to remote code execution, according to the security company. One allows an attacker to write data outside of an allocated heap buffer. The other occurs when parsing the stco (chunk offset table) atom of a movie file, where an invalid index supplied in the file lets an attacker write data outside of an allocated heap buffer.

To trigger either vulnerability, an attacker needs a user to visit a malicious Web page or open a malicious file. The resulting code executes in the security context of the QuickTime player, which in most cases is that of the logged-on user, according to Trend Micro.
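To make the failure mode concrete: the stco (chunk offset) atom is a table whose entry count and whose entries both come straight from the file. The following is an added illustration, not Apple’s code and not a reconstruction of the actual QuickTime bug (the page says only “an invalid index”). It is a toy parser that contrasts trusting the declared entry count with validating it against the bytes actually present, plus a bounds-checked lookup by chunk index. The sanity cap on entry count is an assumption of this example. In C, the unchecked version is exactly the shape that produces a heap overflow; Python raises an exception instead of corrupting memory, but the logic is the same.

```python
import struct

class AtomError(ValueError):
    """Raised for any stco atom that does not pass validation."""

# Sanity cap assumed for this example; it is not a QuickTime-defined limit.
MAX_STCO_ENTRIES = 1 << 20

def parse_stco_unchecked(atom):
    """Trusts entry_count from the file and reads that many 32-bit offsets.
    A C parser that sizes its table from entry_count and then copies or
    indexes based on other file-supplied values is exactly where out-of-bounds
    heap accesses come from; here struct.error replaces memory corruption."""
    (entry_count,) = struct.unpack_from(">I", atom, 12)
    return [struct.unpack_from(">I", atom, 16 + 4 * i)[0] for i in range(entry_count)]

def parse_stco(atom):
    """Validate every file-supplied length and count before using it.
    `atom` is assumed to be one complete atom (size field through last entry);
    64-bit extended sizes (size == 1) are out of scope for this example."""
    if len(atom) < 16:
        raise AtomError("atom too short for an stco header")
    size, fourcc = struct.unpack_from(">I4s", atom, 0)
    if fourcc != b"stco":
        raise AtomError("not an stco atom")
    if size != len(atom):
        raise AtomError("declared atom size %d != %d bytes present" % (size, len(atom)))
    if atom[8] != 0:
        raise AtomError("unsupported stco version")
    (entry_count,) = struct.unpack_from(">I", atom, 12)
    if entry_count > MAX_STCO_ENTRIES:
        raise AtomError("entry_count %d exceeds sanity cap" % entry_count)
    needed = 16 + 4 * entry_count          # cannot overflow in Python; check that in C
    if needed > len(atom):
        raise AtomError("entry_count %d needs %d bytes, atom has %d" % (entry_count, needed, len(atom)))
    return list(struct.unpack_from(">%dI" % entry_count, atom, 16))

def chunk_offset(table, chunk_index):
    """stsc refers to chunks with 1-based indices. Bounds-check before indexing:
    an unchecked table[chunk_index - 1] with chunk_index == 0 reads the last
    entry in Python and the slot before the buffer in C."""
    if not 1 <= chunk_index <= len(table):
        raise AtomError("chunk index %d outside 1..%d" % (chunk_index, len(table)))
    return table[chunk_index - 1]

def is_well_formed(atom):
    try:
        parse_stco(atom)
        return True
    except (AtomError, struct.error):
        return False

def build_stco(offsets, declared_count=None):
    """Build an stco atom; declared_count lets a test lie about the entry count."""
    count = len(offsets) if declared_count is None else declared_count
    body = struct.pack(">BBBBI", 0, 0, 0, 0, count)       # version, 3 flag bytes, count
    body += b"".join(struct.pack(">I", off) for off in offsets)
    return struct.pack(">I4s", 8 + len(body), b"stco") + body

if __name__ == "__main__":
    good = build_stco([48, 4096, 81920])
    table = parse_stco(good)
    print(table, chunk_offset(table, 2))
    lying = build_stco([48, 4096], declared_count=1000)   # claims 1000 entries, carries 2
    print(is_well_formed(lying))                           # rejected before any entry is read
```

The two checks that matter are the ones a rushed parser skips: the entry count must fit inside the atom whose size was already checked, and every index derived from another table must be checked against the table it indexes. A C implementation also has to guard `16 + 4 * entry_count` against 32-bit wraparound before using it as an allocation size.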

The Zero Day Initiative said that it had warned Apple about the two vulnerabilities when they were first discovered in November, but had not received a response from the company for more than three months. Apple finally responded to a second contact from ZDI in March, at which point it said that QuickTime would be deprecated in Windows. ZDI then told Apple it would be issuing a zero-day alert for the vulnerabilities.

No Active Attacks Yet

The U.S. Computer Emergency Readiness Team (US-CERT) issued an alert advising all users to remove QuickTime from their Windows machines as soon as possible. “Computers running QuickTime for Windows will continue to work after support ends,” the government agency wrote in an advisory announcement. “However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets.”

Despite the potential seriousness of the two vulnerabilities that have been discovered, the security firm said that it is not aware of any active attacks exploiting them currently. Nevertheless, the only way for users to protect their Windows systems from potential attacks against these or other vulnerabilities in Apple QuickTime now is to uninstall it.

Apple’s decision to deprecate QuickTime for Windows means the multimedia player will now join Microsoft Windows XP, Oracle Java 6, and an increasingly long list of popular platforms that are no longer being updated by vendors to fix vulnerabilities.

Via: enterprise-security-today

Mutating Qbot Worm Infects Over 54,000 PCs at Organizations Worldwide

Researchers at BAE Systems have published a report investigating the return of the Qbot network-aware worm, revealing infections on some 54,517 PCs.

85% of the affected systems are based in the United States, with academic, government and healthcare networks particularly badly hit. The worm has struck elsewhere too: earlier this year, for instance, the media reported that the Royal Melbourne Hospital’s pathology department had been badly affected.

The Qbot worm, also sometimes known as Qakbot, is not a new threat. First seen as far back as 2009, the malware continues to spread because online criminals have taken its original source code and continued to adapt it to evade detection.

Judging by BAE Systems’ findings, they appear to have been worryingly successful.

Typically Qbot is spread via compromised websites hosting the Rig exploit kit. When a user visits the hacked site from a vulnerable computer, an obfuscated malicious script is silently executed to serve up the exploit and install the malware on the Windows PC.

Although this is a common method of spreading Qbot, attackers also target corporations directly through malicious emails.

BAE Systems reports that detection by anti-virus products, however, is hampered by the fact that the Qbot malware contacts its Command & Control (C&C) center in order to receive updates, mutating its appearance, re-compiling and re-encrypting itself, using server-based polymorphism in an attempt to avoid identification.

“The server-based polymorphism used by Qbot allows it to largely avoid AV detection. Typically, out of 55 AV vendors, only a couple of reputable AV vendors are reliably able to detect Qbot – or to be specific, generically detect its external encryptor. After a few days, the same sample is normally detected by more than half of the AV engines. However, as the bot normally updates itself with a new version within a day or two, it keeps ahead of this process and remains undetected for long periods.”

Furthermore, the malware is capable of detecting whether it is running inside a virtual machine sandbox, and changes its behavior in an attempt to avoid being spotted.

Any unreliability in detection by security software is an issue, because of what Qbot can do once it has infected your computers.

Qbot is primarily designed to harvest passwords and other credentials. Sneakily, Qbot attempts to grab passwords from Windows’ Credential Store, potentially revealing network logins, and passwords used for Outlook, Windows Live Messenger, Remote Desktop and Gmail Messenger.

Furthermore, Qbot attempts to access Internet Explorer’s password manager, stealing cached username and password credentials. With these details – and further credentials stolen from network traffic – Qbot’s attackers can break into FTP servers and infect other websites with exploit kits to spread their malware.

Furthermore, because of its backdoor capabilities, Qbot opens a potential route for hackers to steal sensitive data or intellectual property, disrupt infrastructure, or plant more sophisticated malware inside an organization.

BAE Systems reports that Qbot is becoming a more pernicious threat – exploiting its server-based polymorphic capabilities and other tricks in an attempt to avoid reliable detection.

However, it doesn’t appear that the hackers behind the Qbot attacks are immune to making their own mistakes. BAE Systems describes how the criminals “tripped up” when Qbot infected a small number of out-of-date PCs.

Rather than infect the PCs, it actually caused them to crash – alerting the affected organization that there was a problem on its network and causing the malware’s identification earlier than perhaps might otherwise have occurred.

Via: tripwire

FDIC Suffers Insider Breach

A former employee mistakenly downloaded 44,000 customers’ personal information.

An employee leaving the Federal Deposit Insurance Corporation (FDIC) may have exposed 44,000 FDIC customers’ personal information earlier this year, the Washington Post reports.

The breach, which took place in late February, was acknowledged in a March 18 memo from FDIC CIO Lawrence Gross, Jr., in which he said the data was downloaded to the former employee’s personal storage device “inadvertently and without malicious intent,” and that no sensitive information appears to have been “disseminated or compromised.”

It’s not clear at this point what data was accessed, but the memo states that the former employee had access to it “for bank resolution and receivership purposes.”

FinalCode CEO Gord Boyce told eSecurity Planet that the FDIC was lucky that the employee cooperated and returned the data. “Not every company or government agency will fare so well,” he said. “With all of the layers of security available, organizations have no excuse when it comes to preventing data leakage of customer information or intellectual property.”

“The FDIC breach serves as a cautionary tale that sensitive information can be taken with malicious intent — or in this case — completely by accident,” Boyce added. “Once unencrypted data is out there, it’s out there. Organizations should foresee this occurring and apply file security and policies beforehand.”

A recent Veriato survey of 400 employees found that over 50 percent of respondents said they believed they owned or shared ownership of the corporate data they worked on, making it acceptable to take corporate data with them when they left a job.

Thirteen percent of respondents said they thought it was okay to take login credentials with them, 7 percent said the same of customer data, 6 percent said the same of marketing and sales lists, and 5 percent said the same of financial data.

Almost 60 percent of respondents said they had never signed a confidentiality agreement.

“Companies need to do a better job educating their employees about what they can and cannot share or even use themselves when they move to another organization,” Veriato COO Mike Tierney said in a statement.

“The potential damage from even one employee taking confidential and proprietary customer data, software code or log-in credentials with them to a new job, especially with a competitor, is astronomical,” Tierney added. “Informing employees about who owns the data and how it can be used can eliminate much of that risk.”

Via: esecurityplanet

CBS Sports App, Mobile Site Left Millions of Users’ Personal Data Exposed

Sports fanatics using the CBS Sports app or mobile site recently may have had their personal information exposed to online theft, researchers say.

According to mobile security firm Wandera, both the Android and iOS versions of the app were found transferring users’ names, email addresses, account passwords, dates of birth and zip codes over an insecure connection.

Furthermore, the mobile CBS Sports website also failed to encrypt user data during the sign-up or log-in process, transmitting users’ email addresses and passwords in clear text.

Researchers discovered the security flaw last month – right in the midst of the March Madness NCAA basketball tournament, perhaps one of the most popular sporting events of the year.

Wandera warned the lack of encryption to protect such personally identifiable information (PII) potentially “left millions of people exposed to interception.”

“Since mobile users are vulnerable to man-in-the-middle attacks, we believe that this potential data exposure is very sensitive with a high impact surface area, especially during popular sports events where app and website usage is boosted significantly,” read Wandera’s threat advisory (PDF).
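What Wandera describes is detectable from a traffic capture long before an attacker gets to it. The following added example (not Wandera’s tooling and not CBS’s code) audits a list of captured requests and flags credential or PII fields sent over plain HTTP; separately, it flags sensitive fields placed in the URL query string, which end up in logs even over TLS. The request records, hostnames and the list of sensitive field names are constructed assumptions for the example.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Field names treated as credentials or PII (an assumption of this example; extend per app).
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "email", "dob", "date_of_birth",
                    "zip", "zipcode", "session", "token"}

def body_field_names(content_type, body):
    """Top-level field names of a form-encoded or JSON request body."""
    if not body:
        return set()
    ctype = (content_type or "").split(";", 1)[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        return set(parse_qs(body, keep_blank_values=True))
    if ctype == "application/json":
        try:
            data = json.loads(body)
        except ValueError:
            return set()
        return set(data) if isinstance(data, dict) else set()
    return set()

def audit_request(req):
    """req: dict with 'method', 'url', 'headers' (dict) and optional 'body'.
    Returns a list of findings; an empty list means nothing was flagged."""
    findings = []
    parts = urlsplit(req["url"])
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    in_body = body_field_names(headers.get("content-type"), req.get("body"))
    in_query = set(parse_qs(parts.query, keep_blank_values=True))
    exposed_body = sorted(f for f in in_body if f.lower() in SENSITIVE_FIELDS)
    exposed_query = sorted(f for f in in_query if f.lower() in SENSITIVE_FIELDS)
    if parts.scheme.lower() != "https" and (exposed_body or exposed_query):
        findings.append("cleartext %s to %s exposes %s to anyone on the path"
                        % (req["method"], parts.netloc, ",".join(exposed_body + exposed_query)))
    if exposed_query:
        findings.append("sensitive fields in URL query (%s) land in server, proxy and "
                        "browser logs even over TLS" % ",".join(exposed_query))
    return findings

def audit_capture(requests):
    """Run audit_request over a capture; return (index, findings) for flagged requests only."""
    results = []
    for i, req in enumerate(requests):
        findings = audit_request(req)
        if findings:
            results.append((i, findings))
    return results

# Constructed capture, not real CBS traffic; hostnames are placeholders.
SAMPLE_CAPTURE = [
    {"method": "POST", "url": "http://m.sports.example/api/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "email=fan%40example.org&password=hunter2"},
    {"method": "POST", "url": "https://m.sports.example/api/login",
     "headers": {"Content-Type": "application/json"},
     "body": '{"email": "fan@example.org", "password": "hunter2"}'},
    {"method": "GET", "url": "http://m.sports.example/api/scores?league=ncaab",
     "headers": {}},
    {"method": "GET", "url": "https://m.sports.example/api/profile?email=fan%40example.org",
     "headers": {}},
]

if __name__ == "__main__":
    for index, findings in audit_capture(SAMPLE_CAPTURE):
        print(index, findings)
```

Run against an intercepting-proxy export of an app’s traffic, this catches the two patterns the article describes (sign-up and log-in over HTTP) without needing to know the app’s API in advance; the query-string check is there because moving an endpoint to HTTPS does not stop an email address in the URL from being written to every access log in the path.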

In a statement, a spokeswoman for CBS Sports Digital said the company had since resolved the security gap, while emphasizing it had found no indications that the data had, in fact, been taken.

“Our internal teams are rigorous about monitoring our platforms for any potential security issues,” the spokeswoman said.

Wandera’s VP of Product Michael Covington noted that as more companies begin to offer services for mobile platforms, time-to-market is taking precedence over security best practices.

“Instead of developing mobile properties with the same security development lifecycle that is used for other aspects of their infrastructure, we are seeing developers push out code that clearly was not tested for the most basic of vulnerabilities,” Covington told Threatpost.

The CBS Sports app has been downloaded 5 million to 10 million times on Google Play alone, and ranks as one of the most-downloaded sports applications in Apple’s iTunes store.

Via: tripwire

Malvertising Campaign Affects At Least 288 Websites

Researchers have spotted a malvertising campaign that is believed to have affected at least 288 websites.

On April 10th, the Security Operations Center (SOC) at Fox-IT, a cyber threat management company, first detected the campaign after observing a spike in the number of incidents related to exploit kits.

“The incidents originated from a large malvertising campaign hitting the Netherlands,” explains the security firm in a blog post. “The list of affected websites spreads across most of the popular Dutch websites. In total we’ve now seen at least 288 websites being affected.”

Some of the websites affected by this campaign include, the most-visited Dutch-language news portal at over 50 million views in March alone;, a service that is similar to eBay; and other news and culture sites.

As explained by Sophos, malvertising is another name for malicious online advertising. Attackers create a malicious ad and push it out through an advertisement platform that might be used on trustworthy websites. The ad will attempt to download malware or other unwanted content onto a visitor’s computer.

That means the affected advertisement platform, not the websites themselves, is responsible for pushing out the malicious advertising content.

In this campaign, external scripts are loaded from the malicious ad. Those scripts redirect visitors to the Angler exploit kit, which has dropped Cryptowall 4.0 and other malicious software in other attacks.
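A SOC that sees a spike in exploit-kit hits, as Fox-IT’s did, has to work out which hop the affected publishers share before it can name the advertising platform and hand over indicators. The following added example (not Fox-IT’s code) reconstructs the redirect chain for one client by walking Referer headers backwards from the exploit-kit landing request in proxy logs, then intersects the chains of several clients to find the hosts every chain has in common. The events, client addresses and hostnames are constructed for the example; the real domains from Fox-IT’s report are not reproduced here.

```python
from urllib.parse import urlsplit

def host_of(url):
    return urlsplit(url).netloc.lower()

def reconstruct_chain(events, client, landing_url):
    """Walk Referer links backwards from `client`'s request for the exploit-kit
    landing page and return the URLs in order from publisher page to landing.
    events: iterable of dicts with keys client, url, referer (referer may be None),
    in the order they were logged. Returns [] if the client never hit landing_url."""
    first_seen = {}
    for ev in events:
        if ev["client"] == client:
            first_seen.setdefault(ev["url"], ev)   # keep the earliest request per URL
    if landing_url not in first_seen:
        return []
    chain, visited = [landing_url], {landing_url}
    ref = first_seen[landing_url].get("referer")
    while ref and ref not in visited:              # visited guard stops referer loops
        chain.append(ref)
        visited.add(ref)
        prev = first_seen.get(ref)
        ref = prev.get("referer") if prev else None
    chain.reverse()
    return chain

def shared_hosts(chains):
    """Hosts that appear in every chain after its first hop. Unrelated publisher
    sites drop out of the intersection; what remains is the ad platform, the
    redirector and the landing host, i.e. the indicators to pass to the platform."""
    host_sets = [{host_of(u) for u in chain[1:]} for chain in chains if len(chain) > 1]
    return set.intersection(*host_sets) if host_sets else set()

# Constructed proxy-log events; clients and hostnames are placeholders.
def _ev(client, url, referer=None):
    return {"client": client, "url": url, "referer": referer}

SAMPLE_EVENTS = [
    _ev("10.0.0.5", "https://news.example/frontpage"),
    _ev("10.0.0.5", "https://cdn.news.example/style.css", "https://news.example/frontpage"),
    _ev("10.0.0.5", "https://ads.adplatform.example/serve.js?slot=top", "https://news.example/frontpage"),
    _ev("10.0.0.5", "http://r1.redirect.example/go?id=77", "https://ads.adplatform.example/serve.js?slot=top"),
    _ev("10.0.0.5", "http://ek.landing.example/index.php?q=abc", "http://r1.redirect.example/go?id=77"),
    _ev("10.0.0.9", "https://market.example/listing/123"),
    _ev("10.0.0.9", "https://ads.adplatform.example/serve.js?slot=side", "https://market.example/listing/123"),
    _ev("10.0.0.9", "http://r1.redirect.example/go?id=91", "https://ads.adplatform.example/serve.js?slot=side"),
    _ev("10.0.0.9", "http://ek.landing.example/index.php?q=def", "http://r1.redirect.example/go?id=91"),
]

if __name__ == "__main__":
    chains = [reconstruct_chain(SAMPLE_EVENTS, c, u) for c, u in
              (("10.0.0.5", "http://ek.landing.example/index.php?q=abc"),
               ("10.0.0.9", "http://ek.landing.example/index.php?q=def"))]
    for chain in chains:
        print(" -> ".join(host_of(u) for u in chain))
    print(sorted(shared_hosts(chains)))
```

The intersection step is what turns two unrelated incidents (a news site and a marketplace) into one campaign: the publishers differ, the ad platform and redirector do not. Referer-based reconstruction does miss hops that strip or omit the header, so treat a short chain as incomplete rather than as proof that the publisher served the exploit directly.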

One of the redirects towards the Angler exploit kit, as observed by Fox-IT’s monitoring platform.

Two domains in particular, ( and (, have been observed to redirect users to the Angler exploit kit in this instance of malvertising.

After detecting the spike in exploit kit activity, Fox-IT contacted the affected advertisement platform, which has since responded to the incident and begun filtering the listed indicators of compromise (IoCs).

However, there’s still work to be done.

“They [the advertisement provider] will be tracking down the affected content provider as this issue has not been fully resolved, it has simply been filtered for now,” Fox-IT observes.

For more information on this malvertising campaign, please see Fox-IT’s post here.

Via: tripwire

Badlock Bug Fixed by Microsoft, Samba

Engineers at Microsoft and Samba have issued security fixes for the Badlock bug.

The website dedicated to the flaw describes Badlock (CVE-2016-2118) as a security vulnerability that affects Windows and Samba versions 3.6.x, 4.0.x, 4.1.x, 4.2.0-4.2.9, 4.3.0-4.3.6, and 4.4.0.

“On April 12th, 2016 Badlock, a crucial security bug in Windows and Samba was disclosed,” the website explains. “Please update your systems. We are pretty sure that there will be exploits soon.”

Attackers can leverage the vulnerability, which received a 7.1 base CVSS score and 6.4 temporal CVSS score, to perform man-in-the-middle (MitM) attacks against protocols used by Samba, allowing a malicious actor to execute arbitrary Samba network calls using the context of the intercepted user.

The flaw also allows an attacker with remote network connectivity to Samba to conduct denial of service (DoS) attacks against Samba services.

“If BadLock is successfully exploited, the attacker would be able to impersonate other users and subsequently may be able to retrieve password hashes, shutdown services, expose secrets from AD, manipulate file attributes, and gain access to protected files,” explains Tripwire Senior Security Researcher Craig Young.

Young added that while this particular bug may not seem as severe as a remote code execution (RCE) vulnerability, the fact that an attacker on the local network can likely exploit it through well-known techniques, such as ARP spoofing, makes it a critical vulnerability.

Those with affected versions of Samba can fix their systems by implementing the patches provided by the Samba Team and SerNet for EnterpriseSAMBA / SAMBA+.
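The affected-version list above can be turned into a quick check of `smbd --version` output or a package manager’s version string. The following is an added example, not anything published by the Samba Team or SerNet. It applies exactly the ranges quoted above, with one caveat a practitioner needs: distribution packages often carry a backported fix without a new upstream version number, so a version string with a distro suffix is reported as “check-vendor” rather than as affected. Versions older than 3.6 are not on the list above and are treated as affected here; that is a conservative assumption of this example.

```python
import re

# Affected ranges exactly as the Badlock site lists them (quoted above).
AFFECTED_SERIES = {(3, 6), (4, 0), (4, 1)}                # every release in these series
AFFECTED_UP_TO_PATCH = {(4, 2): 9, (4, 3): 6, (4, 4): 0}  # 4.2.0-4.2.9, 4.3.0-4.3.6, 4.4.0

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(\S*)")

def parse_version(text):
    """Return ((major, minor, patch), suffix) from strings such as
    'Version 4.2.3', '4.3.11-Ubuntu' or '4.2.10-6.el7'; ValueError if no x.y.z."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no x.y.z version number in %r" % text)
    return tuple(int(x) for x in m.groups()[:3]), m.group(4)

def badlock_status(text):
    """Classify a Samba version string as 'affected', 'fixed' or 'check-vendor'.
    'check-vendor' means the number is in an affected range but carries a
    distribution suffix, so the package may already contain a backported fix."""
    (major, minor, patch), suffix = parse_version(text)
    series = (major, minor)
    if series in AFFECTED_SERIES:
        affected = True
    elif series in AFFECTED_UP_TO_PATCH:
        affected = patch <= AFFECTED_UP_TO_PATCH[series]
    elif series < (3, 6):
        affected = True    # not on the list; assumed affected (conservative, see lead-in)
    else:
        affected = False   # a series newer than the list
    if affected and suffix:
        return "check-vendor"
    return "affected" if affected else "fixed"

if __name__ == "__main__":
    for sample in ("Version 4.2.9", "Version 4.2.10", "4.4.0", "Version 4.1.17-Ubuntu", "4.5.0"):
        print(sample, "->", badlock_status(sample))
```

A “fixed” result only says the upstream number is outside the listed ranges; confirm with the vendor advisory and the package changelog before closing the finding, and keep in mind that the Windows side of Badlock is patched separately by Microsoft.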

Sysadmins might also choose to put additional MitM and DoS mitigations in place after patching is complete.

Badlock was first unveiled to the security community back in the middle of March 2016. It was discovered by Stefan Metzmacher, a member of the international Samba Core Team who works at SerNet on Samba. He reported the bug to Microsoft, and worked with the Redmond-based company to fix the problem.

Industry experts spent several weeks discussing what systems the bug might affect, speculation which many believe helped create an atmosphere of hype and FUD around Badlock.

Those responsible for disclosing the bug feel there is some utility to announcing a vulnerability weeks in advance and giving it its own website and logo.

“What branded bugs are able to achieve is best said with one word: Awareness,” they observe. “Furthermore names for bugs can serve as unique identifiers, other than different CVE/MS bug IDs. It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it. This process didn’t start with the branding – it started a while ago with everyone working on fixes. The main goal of this announcement was to give a heads up. Vendors and distributors of Samba are being informed before a security fix is released in any case. This is part of any Samba security release process.”

Many on Twitter disagree, though some feel Badlock could teach the security community a positive lesson going forward.

Via: tripwire

How Hospitals Are at Risk of Ransomware Attacks

In mid-March, news first broke about a ransomware attack at The Ottawa Hospital in Ottawa, Ontario.

The hospital released a statement soon after the attack confirming ransomware had infected four of its 9,800 computers. It is believed a staff member clicked on a suspicious link that in turn downloaded the ransomware onto the hospital’s computers.

Fortunately, the attack had very little impact on the hospital’s day-to-day operations.

“No patient information was affected. The malware locked down the files and the hospital responded by wiping the drives,” said Kate Eggins, a spokeswoman for the hospital. “We are confident we have appropriate safeguards in place to protect patient information and continue to look for ways to increase security. We would like to reiterate that no patient information was obtained through the attempt.”

The hospital ultimately restored access to its systems via the use of data backups.

Although the story of The Ottawa Hospital had a happy ending, it is important to note that malware continues to threaten healthcare organizations on a daily basis. If anything, ransomware authors have used the first few months of 2016 to ramp up their attacks against hospitals and medical centers, a reality of which the United States Computer Emergency Readiness Team (US-CERT) and the Canadian Cyber Incident Response Centre (CCIRC) have warned, though perhaps too late.

To better understand this ongoing spate of ransomware attacks, we must examine how a hospital could become infected by ransomware and identify the risks of infection for a healthcare organization.


One of the most common methods by which bad actors deliver ransomware to hospitals is phishing. All an attacker needs to do is send out an email that includes a link to an infected website, sometimes even a hospital’s own website, or a Word attachment containing malicious macros. Clicking the link, or opening the attachment and enabling its macros, runs a downloader that fetches the ransomware onto the victim’s computer.

However, that’s not to say attackers can’t get a little creative with their phishing, especially if bad actors lack the technical expertise and/or money to develop or purchase malware.

“There’s another type of social engineering attack, which is pretty costly for some organizations,” explains Tom Andre, VP of Information Services at Cooperative of American Physicians (CAP). “It has nothing to do with malware, but it’s called the CEO fraud. That also comes in through a social engineering technique, where someone is sending an email that looks like it’s coming from the CEO of the organization. They’ll send it to the accounting/finance folks and say, ‘Can you approve a wire transfer?’ There’s no links in it, but if they don’t have good internal controls, they may actually process the wire transfer. And there was a company in San Jose that got taken for about $46 million in that way. So, there’s some big money in that.”

As Andre reveals, bad actors can leverage phishing emails to disseminate ransomware and steal money via wire fraud and other illegal means. That realization provides some insight into the risks behind a ransomware infection for a healthcare facility.
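The two delivery paths Andre describes, a macro-bearing attachment and a CEO-fraud message that carries no payload at all, both lend themselves to header and content heuristics at the mail gateway. The following added example (not CAP’s code or any vendor’s product) applies a few such checks to raw messages: an executive’s display name arriving from a non-internal domain, a Reply-To that diverts replies elsewhere, payment language combined with urgency or secrecy, and Office attachments in formats that can carry macros. The executive list, internal domain and sample messages are constructed assumptions for the example; in production these checks feed a review queue, not an automatic block.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed assumptions for this example; tune them to the organisation.
EXECUTIVE_NAMES = {"jane doe"}          # display names worth scrutinising
INTERNAL_DOMAINS = {"hospital.example"}
# Office formats that can carry VBA macros: the legacy binary ones as well as the *m ones.
MACRO_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm")
PAYMENT_TERMS = ("wire transfer", "transfer", "payment", "invoice")
PRESSURE_TERMS = ("urgent", "today", "confidential", "do not discuss", "approve")

def domain_of(header_value):
    """Domain part of the first address in a From/Reply-To header, lower-cased."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyze_message(raw):
    """Return the reasons a raw RFC 822 message deserves human review; [] if none."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    display_name, _ = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(msg.get("From", ""))
    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain not in INTERNAL_DOMAINS:
        reasons.append("executive display name '%s' sent from non-internal domain %s"
                       % (display_name, from_domain))

    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        reasons.append("Reply-To domain %s differs from From domain %s" % (reply_domain, from_domain))

    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    if any(t in text for t in PAYMENT_TERMS) and any(t in text for t in PRESSURE_TERMS):
        reasons.append("payment request combined with urgency or secrecy language")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            reasons.append("macro-capable Office attachment: " + name)
    return reasons

# Constructed sample messages (placeholders, not real correspondence).
CEO_FRAUD_MSG = """\
From: Jane Doe <jane.doe@hospita1-mail.example>
To: finance@hospital.example
Subject: Urgent: wire transfer approval
Content-Type: text/plain

Can you approve a wire transfer of 46,000 to the account below today?
Keep this confidential until the deal closes.
"""

REPLY_TO_MSG = """\
From: Jane Doe <jane.doe@hospital.example>
Reply-To: jane.doe@mail-hospital.example
To: finance@hospital.example
Subject: Quick question
Content-Type: text/plain

Are you at your desk? I need a favour.
"""

MACRO_ATTACHMENT_MSG = """\
From: Accounts Payable <ap@vendor.example>
To: billing@hospital.example
Subject: Invoice 2291
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

BENIGN_MSG = """\
From: Bob Example <bob@hospital.example>
To: ward3@hospital.example
Subject: Shift schedule
Content-Type: text/plain

Next week's schedule is in the shared drive.
"""

if __name__ == "__main__":
    for sample in (CEO_FRAUD_MSG, REPLY_TO_MSG, MACRO_ATTACHMENT_MSG, BENIGN_MSG):
        print(analyze_message(sample))
```

None of these checks is conclusive on its own (executives do travel and mail from personal accounts), which is why the function returns reasons rather than a verdict. The attachment check deliberately includes the legacy binary formats: a `.doc` can carry VBA just as a `.docm` can, while a plain `.docx` cannot.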


Ransomware poses a significant financial risk to healthcare organizations. Let’s take the case of Hollywood Presbyterian Medical Center as an example. Back in February, the hospital declared an “internal state of emergency” and temporarily shut down its computer systems after computer forensics experts found ransomware on the hospital’s network.

Shortly following the infection, a local computer consultant said that the ransom fee was 9,000 BTC. At US $3.6 million, this would have been the largest malware-related ransom demand ever recorded. But the claim was incorrect. Spokespeople for the hospital clarified that the real ransom fee was only 40 BTC, or US$17,000. Ultimately, the hospital decided to pay the fee.

A $17,000 ransom is not much for a hospital to lose. At the end of the day, however, the hospital probably lost a lot more.

“I would look at how much productivity was lost,” Andre says. “I believe, from the CEO’s statement on the hospital’s website, they first noticed the infection on Friday, the 5th of February, and their electronic health records systems were back up on the 15th. So that’s nine to ten days of not being able to access that information. They were relying on paper, they were relying on faxes and phone calls. That would be a productivity hit to the hospital, because all that information that was collected on paper would then have to be back-filled into the hospital system. That’s some of the major risk.”

But that’s not all. By also factoring in the price of recovery, which includes money needed to investigate the hospital’s IT systems, to pay HIPAA fines for compromised personal health information (PHI) and settle associated lawsuits, and to overhaul its IT security and communication infrastructure to prevent future incidents, the total cost of the attack could very well have grown to many times the original ransom fee.

Last but not least, let’s not forget high-profile ransomware infections can have a reputational effect. In this instance, Hollywood Presbyterian Medical Center decided to transfer people to other local hospitals because it could not access patients’ medical records on its computer system. The medical center lost customers as a result of the ransomware infection. Unfortunately, it could take the hospital months or even years to rebuild that customer loyalty and trust.


Given the risks ransomware poses to healthcare organizations, it is important that IT departments at hospitals and medical centers focus on preventing an infection from occurring in the first place. That should include security awareness training for all employees and proactive monitoring of endpoints for suspicious behavior.

For more helpful ransomware prevention tips, please click here.

Via: tripwire