Hollywood hospital ransoms itself back from hackers for a mere $17,000


#1

[Read the post]


#2

“obtain the decryption key”

Password: password


#3

I’m sure this will serve as a global wake up call to hospitals and other brokers of sensitive information to better secure their data and equipment. </s>


#4

the thing i haven’t heard mentioned in any story about this is theories about who the hackers were, and where did all that money eventually go? there was a story on NPR this morning that said that this sort of data hostage-taking happens to businesses a LOT, but this one was large enough to get attention. if so many companies are paying thousands of dollars every month, i’m wondering if this money is eventually going to fund ISIS or north korea, which would be a reason to really take this sort of thing much more seriously than we apparently have been.


#5

Dick move to do this to a hospital but hey at $17,000 they got away cheap. I just hope it doesn’t make them complacent.

At the end of the day a competent sysadmin is going to be cheaper.


#6

The money typically goes to criminals in Russia or Ukraine. It’s pretty lucrative with very little risk of getting caught, so it has really taken off.


#7

Is it, though?

A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don’t do one.

Probable rate of failure is your key metric there, and how exactly do you quantify how a competent sysadmin (and ancillary costs) affect that?


#8

Check the blockchain for that $17k–it should show exactly where those BTC went. I mean, hasn’t there been a groundswell in the recovery of stolen BTC via the blockchain? That’s what makes BTC so great! yeah? no? never? oh…


#9

Once you pay danegeld, you’ll never be rid of the Dane.


#10

That’s a pretty good boogieman for plausible deniability. I bet it won’t be long before people start doing this to their own employers, sort of like in OfficeSpace, but probably less traceable.
I’m totally not doing this, I swear!


#11

At $17,000 probably not worth it. At $3.6 definitely worth it. With competent systems administrators - and management support (which I’m sure didn’t exist since IT is only always a cost center that needs to be cut) they should only have had to restore files from backups and be done with it.


#12

But they COULD have messed with some of the actual network connected medical equipment which could have cost lives, right?..


#13

apparently in Russia, (at least they get caught in Russia) they kinda already do. The call from the boogie man was coming from inside the house…


#14

And for this sort of thing the probable rate of failure approaches 100% in rather short order.


#15

That’s the whole point of bitcoin though, that it’s cash-like - so

  • if you pay someone $100 in bitcoin, you’re not getting it back without their consent, any more than you’d get back a hundred dollar bill.

  • if you pay someone $100 in bitcoin, they can’t debit some credit card-like account for more than you agreed to, any more than they could overcharge a hundred dollar bill.


#16

Got it. I was being facetious in wondering about the recovery of BTC, but doesn’t the blockchain still allow a knowledgeable person to suss out who holds any particular now-spent BTC (despite tumblers and all that)? So at the very least a researcher could say that account number so-and-so at “BitCoinFurEvar” holds the BTC that were once held by “Hollywood Hospital”?


#17

It would, but once it’s been through a tumbler that’s not useful information. Once the stolen or extorted BTC goes into a tumbler, it doesn’t just go out to its intended recipient - it goes out a little at a time, over the course of months, to many recipients (minus the tumbler’s commission).

Kind of like putting $100 in one dollar bills into a big drum full of dollar bills constantly blown around by a fan, which within a day will give your intended recipient 99 dollar bills randomly plucked from the drum. Tracking down the original dollar bills by serial number doesn’t help anymore.


#18

Thanks I spit water all over my monitor. You owe me a new one now.


#19

10 BTC goes to tumbler–>T. So the BTC is tracked at least that far, yes? I assume that a tumbler is essentially an escrow account that already holds far more than the 10 BTC it’s just received, so that once the BTC is withdrawn, different BTCs(?) can be taken out, that is, BTC of a different hash (or whatever) than the ones that were delivered in the first place, thereby obfuscating the receiver’s identity. Do I have that right?


#20

I thought it was “penis”.