Estes Park Health (EPH) in Colorado has suffered a ransomware attack that resulted in widespread file encryption across the network.
Employees noticed the attack on Sunday, June 2, 2019, when they reported that their computers were behaving strangely. EPH contacted its on-call IT technician, who logged in and experienced the same issues as the ransomware systematically encrypted files across the network. EPH Chief Information Officer Gary Hall watched the ransomware lock files and take control of programs on his computer, according to a recent report in the Estes Park Trail Gazette.
IT staff responded quickly and started locking systems down, but widespread file encryption could not be prevented. Software in the clinic was the first to go offline, followed by the digital imaging software that stores all X-rays and other medical images. The attack took down both the network and the phone service.
EPH activated its incident response center and switched to emergency mode procedures while its computer systems were down. EPH uses software that continuously monitors the network and detects attempts to exfiltrate data. For the period between the start of the attack and access being terminated, the event logs show no attempts to exfiltrate data. EPH believes the main motivation behind the attack was extortion by denying access to critical files.
EPH holds a cybersecurity insurance policy that covers attacks such as this one. EPH engaged a cybersecurity firm recommended by its insurer, which advised on recovery and helped manage the response.
The firm made contact with the attackers and the ransom demand was paid. The keys to unlock the encrypted files were provided, and EPH has been able to regain access to the encrypted files.
The ransom amount has not been disclosed publicly. EPH will be required to pay a $10,000 deductible. The investigation into how access to its network was gained is ongoing.
A Warning to all Healthcare Organizations
Boardman, OH-based N.E.O Urology recently announced that it had been attacked with ransomware. The decision was taken to pay the $75,000 ransom demand. Even with the keys, the encryption was so extensive that it took more than 3 days to decrypt its files.
In that case recovery was possible, but the decision to pay a ransom is not without risk. The attackers may not hold working keys for the encryption and, as EPH discovered, paying the ransom does not always guarantee an easy recovery.
EPH said an initial ransom payment was made and keys were supplied to unlock files. However, while unlocking files, EPH found that further files had been encrypted. EPH then had to contact the attackers again and make a further payment to obtain the keys to unlock all encrypted files.