“By 10:30 that night we had shut down every single computer that we had and all our servers,” Long recalled about the Thursday night in January. “By midnight we successfully shut off every computer in the organization and started from scratch. It’s surreal.”
By 4 a.m. on Friday, Long and his team had recruited Indianapolis-based cybersecurity firm Pondurance to identify the cause and scope of the attack and eradicate the imminent threat.
Pondurance co-founder Ron Pelletier said the first priority was to contain the intrusion and evaluate what was affected. Together with the FBI, which was called in to help pinpoint the origin of the attack, Pondurance experts determined that there was no easy way to erase the encrypted data from Hancock’s system and replace it with clean data from the backup system.
Taking into consideration the flu outbreak and the snowstorm, Long made the executive decision to buy the decryption keys from the hackers. Late Friday night, Hancock bought the keys by transferring four bitcoin.
Bitcoin was selling above $13,500 that day, bringing the estimated total Hancock paid to about $55,000.
“Criminal organizations now are treating this like a business,” Pelletier said. “They’re going to plan, they’re going to make sure they understand how they’re going to execute and then they’re going to set out and see where they can execute.”
Cybercriminals typically use the fourth quarter of the year to seek out “low-hanging fruit” and plan their attack, Pelletier said. Then, in the first quarter, particularly between February and April — a time Pelletier has come to refer to as “breach season” because of the uptick in cyber incidents — they put their plan into action.
“Hancock is one organization of many in this period that this happened to,” Pelletier said.
While the investigation into Hancock’s attack is ongoing, none of the network’s patient data appears to have been stolen, which Pelletier said was an indication that this particular group saw ransomware as a more effective way of getting paid.
“If you think about the numbers of breaches that have occurred in general, [it’s] millions and millions of records,” Pelletier said. “The dark web becomes a supply and demand issue at some point — I can try to monetize PHI [personal health information] by selling it on the dark web, or I can probably make maybe less, but a more expedited payment if I do something like ransomware.”