Ransomware has caused massive headaches for hospitals. In February of this year, at least a dozen hospitals around the world had been seriously infected with malware demanding cash to retrieve their files. Some even resorted to pen-and-paper systems, and others gave the hackers over $10,000 worth of bitcoin to unlock their systems.
But judging by responses to Freedom of Information requests, UK hospitals are not paying hackers when ransomware strikes.
Motherboard asked National Health Service (NHS) trusts for details on attack figures and payments stretching back to January 2012. Many had been successfully hacked at some point (although on a limited scale, infecting only a small number of computers). Another piece of research carried out by cybersecurity company NCC Group found nearly half of 60 NHS Trusts suffered a ransomware attack in the last year.
But successful infections are not necessarily the most important thing here. Successful payments are: a ransomware operator gets nothing for their time and effort if the victim doesn't cough up the bitcoin. If a hospital hasn't paid a hacker, presumably it has managed to protect patient or other files from permanent loss.
That's exactly what many of the hospitals contacted by Motherboard did. All of the hospitals that said they had been successfully infected with ransomware said they had not paid the attackers.
The East and North Hertfordshire NHS Trust said it had faced two successful infections of "Crypto Locker," a particularly popular form of ransomware. "In both cases for the Trust, we did not pay the ransom, we simply recovered the data from an internal backup," Freedom of Information Officer Jude Archer wrote in her response. "We back up all Trust data each and every day. I can confirm that there is no evidence the data that was encrypted [by the ransomware] was copied or moved off site at any time."
The Health and Social Care Information Centre (HSCIC) had the same strategy, and added that it has a policy of not paying attackers.
"According to records HSCIC has been infected with ransomware on 3 occasions since January 2012; in every instance HSCIC has been prepared for this eventuality and has been able to contain and eradicate the ransomware infection and restore all affected systems and files from full backups, without any breaches to patient data or disruptions to the delivery of patient care," Information Governance Advisor Graeme Holmes wrote in his response.
The NHS may have a decent track record of not paying hackers, but clearly there is still money to be made elsewhere: Earlier this month, researchers from FireEye spotted an uptick in the number of Locky infections hitting US-based hospitals.