Criminal hackers now target hospitals, police stations and schools

WASHINGTON - Three weeks ago, a debilitating digital virus spread quickly in computer networks at three Southern California hospitals owned by Prime Healthcare Services, encrypting medical and other data so it was impossible to access.

Using a pop-up window, unidentified hackers demanded about $17,000 in the hard-to-trace cybercurrency called bitcoin for the digital key to unlock the data.

The company says it defeated the cyberattack without paying a ransom. But it acknowledged that some patients were temporarily prevented from receiving radiology treatments, and other operations were disrupted briefly while computer systems were down.

The attempted extortion by criminal hackers was the latest case of what the FBI says is a fast-growing threat to vulnerable individuals, companies and low-profile critical infrastructure, like hospitals, schools and local police.

The security breaches - which temporarily disable digital networks but usually don't steal the data - not only have endangered public safety, but revealed a worrying new weakness as public and private institutions struggle to adapt to the digital era.

So-called ransomware attacks have surged so sharply that the FBI says hacking victims in the United States have paid more than $209 million in ransom payments in the first three months of this year, compared with $25 million in all of 2015. The FBI has not reported any arrests.

"Ransomware is a growing threat to businesses and individuals alike," Chris Stangl, a section chief in the FBI's cyber division, said in a statement to the Los Angeles Times.

Government officials are particularly concerned that hackers could lock up digital networks that run electrical grids, and oil and natural gas lines, Andy Ozment, assistant secretary of cybersecurity and communications at the Department of Homeland Security, said in a telephone interview.

Ransomware attacks likely are increasing because people are willing to pay, Ozment said. "It's safe to assume if criminals continue to do it, they are making money from it," he said.

Most of the Internet extortion targets private companies, which rarely advertise paying ransom. Towns must disclose use of taxpayer funds.

In March 2015, for example, the Lincoln County Sheriff's Department in coastal Maine paid about $350 in bitcoin for the key to its encrypted data after a malware attack. After the data was unlocked, Western Union reimbursed the county for the ransom payment, according to a county official who described the transaction.

That followed similar reported attacks on law enforcement in Tewksbury, Mass., Midlothian, Ill, Dickson County, Tenn., Collinville, Ala., and Durham, N.H. Some police chiefs refused to pay, saying they had backed up their data or it wasn't crucial.

This year, the Horry County School District in northeast South Carolina paid a ransom of $10,000 in bitcoin after dozens of their school servers were infected.

On Feb. 5, Hollywood Presbyterian Medical Center paid about $17,000 in bitcoin to regain control of its patients' information.

The disruption was so severe that the hospital's central medical records system was largely unusable for 10 days, and some patients were transferred to other facilities for treatment, officials said. The 434-bed short-term acute care hospital is owned by CHC of South Korea.

In March, hackers encrypted data at MedStar Health, which operates 10 hospitals in Maryland and the District of Columbia. The virus caused delays in service and treatment until computers were brought back online. The company said it did not pay a reported $19,000 ransom demand.

Analysts say hospitals are being targeted because many recently converted to digital records from paper, and their data security isn't yet as strong as banks, insurance companies and government networks that have been hacked in the past.

The hackers, many from Eastern Europe or Russia, have found ransomware to be so profitable that they set up call centers, said Cabrera, who investigated underground hacking rings as chief information security officer for the U.S. Secret Service.

English-speakers with the hacking group will talk to victims over the phone or online and "help" them through the process of converting dollars into bitcoin and settling the ransom, he said.

Prime Healthcare, which operates 42 hospitals in 14 states, said it is still conducting a forensic investigation of the March 18 ransomware attack on Desert Valley Hospital in Victorville, Chino Valley Medical Center in Chino, and Alvarado Hospital Medical Center in San Diego.

Sreekant Gotti, the company's chief information officer, said in a written statement that the company, which is based in Ontario, Calif., did not pay the ransom.

Computer "systems were quickly brought back online without compromising patient safety, or patient or employee data" because they had backed up the data, he added.

An attack typically starts when a user opens a malicious email attachment that uploads a virus into the computer network. But hackers also have developed so-called drive-by attacks, in which a user inadvertently uploads malware by clicking on a compromised website.

The first known ransomware cases appeared in Russia about 2005. Hackers encrypted emails, video and photos on individual accounts, and demanded relatively small ransoms - $25 or so - to unfreeze them.

Similar attacks, including some that lock up data on mobile phones, soon spread across Europe and United States as cyberthieves began seeking more valuable data - and charging more to free it.

In January, the FBI warned of a new scheme called CryptoWall 2.0 that locks up hard drives and directs the user to a webpage that shows a clock ticking down the time until the ransom doubles.

A March 31 alert from the Department of Homeland Security said hospitals and health care facilities in the United States, New Zealand and Germany had been infected with a destructive form of ransomware called Locky.

According to researchers at Kansas State University, the subject line of the email reads: ATTN: Invoice J-98223146. The message says, "Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice."

But paying the hackers doesn't always free the data, the security alert warned.