UK hospitals targeted by ransomware but NHS did not pay up

Ransomware is increasingly becoming the go-to cybercrime exploit used by hackers to make a quick buck. In particular, targeted attacks against hospitals across the globe have escalated in the recent past. UK hospitals have also been targeted and successfully infiltrated by hackers via ransomware attacks. However, unlike some victims, NHS has not paid up hackers when struck by ransomware.

According to information gleaned by Motherboard from Freedom of Information requests, UK hospitals, despite having been successfully penetrated by ransomware, are not paying hackers any ransom. According to Motherboard's report numerous NHS trusts had been hacked, since as far back as 2012. However, the attacks allegedly appeared to be small scale, infecting only a limited amount of systems. Additionally, all of the NHS hospitals contacted confirmed they had been infected but not paid the hackers.

This, however, in no way mitigates the security implications of such attacks. According to cybersecurity firm NCC Group, which researched 60 NHS Trusts, nearly 50% of them were infected by ransomware in 2015. However, with ransomware, successful ransom payments are considered to be more important than successful infections. Reports speculate that if victims of ransomware, especially hospitals, do not pay up, then there is a possibility that they may have been able to protect or recover sensitive data, making payment unnecessary.

The East and North Hertfordshire NHS Trust said it was twice successfully infected by Crypto Locker, a particular strain of ransomware. "In both cases for the Trust, we did not pay the ransom, we simply recovered the data from an internal backup," Freedom of Information Officer Jude Archer wrote in her response. "We back up all Trust data each and every day. I can confirm that there is no evidence the data that was encrypted [by the ransomware] was copied or moved off site at any time."

Officials at The Health and Social Care Information Centre (HSCIC) also followed a similar approach when struck by ransomware attacks.

"According to records HSCIC has been infected with ransomware on 3 occasions since January 2012, in every instance HSCIC has been prepared for this eventuality and has been able to contain and eradicated the ransomware infection and restore all affected systems and files from full backups, without any breaches to patient data or disruptions to the delivery of patient care," said Information Governance Advisor Graeme Holmes.

Ransomware boom

Ransomware attacks against hospitals are becoming increasingly common. Hospitals in the US, Japan and South Korea were recently targeted by a massive Locky ransomware attack. Security researchers noted that hackers are constantly evolving their techniques in order to target more victims and avoid security detection. This is evidenced by the rapid evolution of the Cerber ransomware. Security firm Check Point had released a decryption key for the ransomware, which was available for a day before Cerber's developers modified the ransomware to render Check Point's decryption key ineffective.

Symantec also recently released a report that highlighted how hackers have more than doubled the amount of ransom demanded from victims. "The perfection of the ransomware business model has created a gold-rush mentality among attackers, as growing numbers seek to cash in," Symantec said.