UNCLASSIFIED // FOR OFFICIAL USE ONLY 18 March 2016
CIAC Report 16-07556
Colorado Information Analysis Center
****Situational Awareness****

(U//FOUO) Ransomware Disruptions to Hospital Operations Increasing

(U//FOUO) Recently, hospitals have been infected with ransomware that has rendered patient files, equipment interfaces and email unusable.[1] The spread of this type of infection is increasing and will likely impact more hospitals. Hospitals also incur premium charges to resolve the issue and return to normal operations.

(U/FOUO) Ransomware is a malware infection that is typically spread via infected email attachments. Once the infected document is opened, the virus encrypts files on the local machine and searches for available network drives to encrypt.[2] This infection can rapidly render a large portion of a hospital network unavailable. Once the infection has taken hold, users see a screen that warns of the incident, the cost (in bitcoin) to resolve and how to acquire bitcoin.

(U/FOUO) Hollywood Presbyterian Medical Center was forced to divert patients to other facilities, resort to paper records and fax machines for transmitting information and ultimately paid approximately $17,000 in ransom to recover their systems.[3] Other hospitals in North America and Europe have also fallen victim to this threat with varying degrees of impact.[4][5]

(U/FOUO) Ransomware operators usually charge approximately $400 to restore files. The $17,000 ransom demand to Hollywood Presbyterian Medical Center could indicate a progressive pricing scheme based on the success of the infection.[6] Both the malware and the tactics are expected to evolve, making prevention and response more difficult.

(U) In order to minimize operational risk, organizations may consider the following recommendations:

(U) Engage IT departments to consider the risk from this type of attack and potential mitigation.
(U) Review Continuity of Operations Plans for coverage of incidents that include lack of access to patient records, email and other network-based services.
(U) Review Crisis Communication plans for possible implementation during this type of attack.
(U) Consider computer user awareness and security training specific to email use.

(U//FOUO) This report addresses the following CIAC Standing Information Needs: CIAC-SIN-5, 11, 16.
(U//FOUO) This report addresses the following CIAC CIKR: Sector 12.

[1] (U) http://www.databreachtoday.com/fbi-warning-ransomware-surging-a-8962
[2] (U) http://www.trendmicro.com/vinfo/us/security/definition/Ransomware
[3] (U) http://www.digitaltrends.com/computing/hollywoodhospitalransomwareattack/
[4] (U) https://hacked.com/german-hospitals-targeted-in-ransomware-cybercrime/
[5] (U) http://www.idigitaltimes.com/new-locky-ransomware-virus-spreading-alarming-rate-can-malware-be-removed-andfiles-512956
[6] (U) http://www.idigitaltimes.com/new-locky-ransomware-virus-spreading-alarming-rate-can-malware-be-removed-andfiles-512956

For further information concerning this bulletin please contact the Colorado Information Analysis Center at (877) 509-2422 or email [email protected]
To report suspicious activity, please visit our website at http://www.dshem.state.co.us
Production Number: 080067