May 14, 2024 - Technology

Companies facing slow road out of the ransomware ward


It can take weeks, if not months, for organizations to recover from ransomware attacks.

Why it matters: Even if a ransom is paid, it takes time to detangle the mess that file-encrypting malware makes of servers.

Driving the news: Ascension, a medical provider that includes 140 hospitals across 19 states, has been experiencing a ransomware attack for nearly a week now.

  • Hospitals started diverting ambulances to nearby facilities on Thursday and rescheduling nonemergency procedures.
  • So far, Ascension has not said when services will return to normal.

The big picture: This story is a familiar one. A lot of organizations believe they can restore their systems using a backup and return to normal operations within a couple of days.

  • But untangling the encryption on key servers can take weeks even after securing a decryption key. Sometimes the decryption key that hackers send doesn't work as well as advertised.
  • Incident responders also need to conduct a thorough forensic analysis to understand the extent of the attack, how it started, and what data may have been stolen before restoring the systems.
  • Even switching over to backup servers can take time as specialists test to make sure the servers don't have the same vulnerabilities that led to the ransomware attack to begin with.

Between the lines: Victim organizations have two options when faced with ransomware: pay a high-dollar fee to the hackers to receive a decryption key or restore operations using a backup data server.

  • Neither option guarantees a speedy recovery.

By the numbers: 34% of organizations that faced ransomware in 2023 took more than a month to recover, according to Sophos' latest State of Ransomware report.

  • That's up from 24% who said the same in last year's survey.

Zoom in: Ascension said Monday it's in the early days of a ransomware attack, and CNN reports it's battling the Black Basta ransomware gang.

  • Patients have reported long delays in care during the first days of the cyberattack.
  • One doctor told Michigan Public radio that it took 90 minutes to get test results back for a woman who was in cardiac arrest. The test normally takes just 15 to 20 minutes.
  • A patient told 7 News Detroit that he checked himself out of the emergency room after two days because doctors, who were relying on paper records, forgot to check on him.

Ascension isn't alone. Chicago's Lurie Children's Hospital faced service disruptions for a little over a month after fighting a ransomware attack earlier this year.

The bottom line: The best response to a ransomware attack is proactive defenses.

  • A U.S. government advisory released Friday advised cyber defenders to install security updates as soon as they're available, require multifactor authentication, and provide phishing training to employees.