Los Angeles Hospital Hack Raises Concerns About Ransom Attacks

NPR's Audie Cornish talks to Adam Kujawa, head of malware intelligence at the security firm Malwarebytes, about ransomware and what users and companies should do if they get hacked.

AUDIE CORNISH, HOST:

For some time now, hackers have targeted random individuals, seizing the data on a person's computer and then demanding ransom for its return. But news last week that an LA hospital paid a ransom worth $17,000 to hackers holding its computer data hostage raised new concerns about bigger targets. Experts say there are millions of these sorts of ransom attacks attempted each year. Some companies pay; others don't. To discuss how companies are responding to ransomware, we've called Adam Kujawa. He's head of malware intelligence at the security firm Malwarebytes. Welcome to the program.

ADAM KUJAWA: Thanks for having me.

CORNISH: So just how common have attacks on targets like a hospital become?

KUJAWA: Well, you know, the attack vectors - rather, the victim - is pretty broad as far as who ransomware hackers are targeting. They go after everywhere from consumers - your average person - to businesses - small businesses, large businesses - anybody, really, they can get their hands on.

CORNISH: Now, when you go to law enforcement, what happens? What kind of advice do you get?

KUJAWA: Well, the FBI has come out pretty much telling people they should go ahead and pay the ransom. The security community itself tends to disagree with that, and often we tell people not to pay the ransom.

CORNISH: But talk about that split a little bit more. Why do law enforcement essentially say pay up, and why would security folks such as yourself say hold out?

KUJAWA: Well, I mean, the law enforcement - they're trying to get people, basically, back where they were. From the security community standpoint, whenever a victim pays, it not only encourages the actual criminal who's attacking the user or the company in this instance, but it also encourages other cybercriminals to do the same.

CORNISH: What makes certain industries, say, like the medical industry, more vulnerable than others?

KUJAWA: Well, the medical industry is - not only the fact that they often don't have the kind of resources or budget to invest in cybersecurity similar to other big corporations usually 'cause they're spending a lot of it on medical equipment and things like that, but the different kinds of equipment they have to use usually aren't updated as quickly as far as what operating system they run on or what kind of tools they have, which makes them vulnerable.

CORNISH: I want to talk for a minute about Hollywood Presbyterian. This hospital paid the hackers. What assurance can it give patients that that data is safe?

KUJAWA: Well, the data itself has been unencrypted according to the hospital after they paid the ransom. As far as assurance on whether or not it's safe from now on, the reality is that no data is really that safe because of just a lax amount of security that's employed by hospitals, organizations, things like that. I'm really trying to think of a good answer that sounds reassuring.

(LAUGHTER)

CORNISH: This is depressing.

KUJAWA: Yeah. No, it is.

CORNISH: Why can't you? Is there something - are certain industries vulnerable, and if so, why?

KUJAWA: Every industry is vulnerable. A few years ago, we saw attacks - breaches from retailers like Target or Home Depot, so credit card information, personal information like that was stolen. We saw attacks against banks which went after things like personal details - your address, your phone number. We've seen attacks against insurance companies and other medical facilities. I mean, unfortunately, it seems to be a trend these days that after an attack happens to a particular industry, that industry starts paying a lot more attention to the cybersecurity measures. And in this case, with hospitals, I guarantee you that medical facilities, hospitals and things like that will start taking these kinds of attacks more seriously than they ever have before.

CORNISH: Adam Kujawa - he's head of malware intelligence at the security firm, Malwarebytes - thank you for talking with us.

KUJAWA: Not a problem. Thank you.

Copyright © 2016 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.
