‘We would never pay a ransom’ – Hospital escapes ransomware

How experts say this hospital shook off the chains of ransomware, but another hospital had to pay thousands.

That sinking feeling—you clicked on a link or an attachment, and now your computer is locked up. Only a ransom will free your files. Even worse, it’s a work computer, and even worse, you work at a hospital.

Four employees at The Ottawa Hospital in Ottawa, Canada may have felt that rising horror last week as ransomware took over their computers at the medical center, freezing their files and demanding money.

Did the hospital pay?

“We would never pay a ransom,” hospital representative Kate Eggins told Archer News. “Hospitals use the public purse, right? It’s taxpayer dollars at some hospitals. No ransom was paid.”

That comes in striking contrast with the case of a hospital in Los Angeles last month, where administrators said they paid $17,000 in ransom to malicious hackers so they could use their computers again.

“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” said CEO Allen Stefanek at the time. “In the best interest of restoring normal operations, we did this.”

A tale of two hospitals

How did the Canadian hospital escape paying ransom? The process sounds simple.

Employees contacted the hospital’s IT department, Eggins said. The IT department wiped the drives of the four computers affected, and restored the files from backup. The other hospital computers—about 9800 of them—were not affected, and no patient data was lost, according to the hospital.

But in the Los Angeles case, it was far from simple. Some patients were diverted to other emergency rooms, and staff wrote medical notes by hand and sent faxes between departments instead of e-mails, reports said. After ten days, the hospital gave in and paid.

Eggins attributed The Ottawa Hospital’s successful recovery to “good practices.”

Some cybersecurity experts agree.

“Chances are this hospital had great backup procedures and employees following protocol, which allowed them to wipe clean and start where they were with no hassle,” said Nathan Scott with Malwarebytes. 

“With the other hospital, chances are the backup procedures were lacking, or incomplete,” he told Archer News.

Other actions may have put the Los Angeles hospital at risk as well, he said.

“On top of this, some employees may have kept important data local on the infected machine where backups couldn’t get the files and weren’t following protocol,” said Scott. “This leads to a loss in files and the need to pay the ransomware after being hit.”

“Their backups could have also been hit depending on how the infection was able to move through the network,” he added.

What kind of ransomware?

The malware that hit The Ottawa Hospital was called “WinPlock,” said Eggins.

WinPlock, or at least one variation of it, is moderately severe malware, according to Telus Security Labs. The company site describes it as ransomware that targets Windows, encrypts files and demands a payment in bitcoin. 

WinPlock is not new, according to Scott. He saw it about six months ago, but it seemed to have died out, he said.

It is possible that the ransomware developer decided to make money from it again, he explained.

“A lot of the time these guys will get a good amount of money, cease the infection, and then bring it back when they run out,” Scott said. “They also will sell the source if they plan on not using it any longer.”

Locky

There are many different kinds of ransomware in use.

Most recently, the use of ransomware called “Locky” surged, according to researchers at Palo Alto Networks.

Researchers said attackers usually send out Locky in massive phishing campaigns. They showed an example subject title and attachment name for Locky ransomware e-mails:

Subject: ATTN: Invoice J-11256978

Attachment: invoice_J-11256978.doc

“Ransomware persists as one of the top crimeware threats thus far into 2016,” the researchers said. 
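As an added example that is not from the article or from any of the companies quoted, the following mail-triage function scores messages for the Locky lure pattern described above: an invoice-themed subject, a macro-capable Office attachment, and the same fake invoice number repeated in both. The sample messages, the regexes and the two-indicator threshold are all assumptions made for the illustration.

```python
import email
import re
from email import policy

# Constructed sample messages (not real mail), modelled on the Locky lure
# shown in the article: an invoice-themed subject with a matching .doc.
SAMPLE_LOCKY = """\
From: billing@example.invalid
To: staff@hospital.invalid
Subject: ATTN: Invoice J-11256978
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/msword; name="invoice_J-11256978.doc"
Content-Disposition: attachment; filename="invoice_J-11256978.doc"

ZmFrZQ==
--b1--
"""

SAMPLE_BENIGN = """\
From: colleague@hospital.invalid
To: staff@hospital.invalid
Subject: Meeting notes from Tuesday

Notes are in the shared folder.
"""

INVOICE_LURE = re.compile(r"\binvoice\b", re.IGNORECASE)           # assumed lure keyword
MACRO_DOC = re.compile(r"\.(doc|docm|xls|xlsm|rtf)$", re.IGNORECASE)  # macro-capable types
INVOICE_ID = re.compile(r"[A-Z]-\d{6,}")                            # fake invoice number

def triage(raw: str) -> dict:
    """Score one raw RFC 822 message for the Locky-style invoice lure."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    reasons = []
    if INVOICE_LURE.search(subject):
        reasons.append("invoice-themed subject")
    if any(MACRO_DOC.search(name) for name in attachments):
        reasons.append("macro-capable Office attachment")
    # The lure reuses the same fake invoice number in subject and filename.
    sid = INVOICE_ID.search(subject)
    if sid and any(sid.group(0) in name for name in attachments):
        reasons.append("invoice id repeated in attachment name")
    return {"subject": subject, "attachments": attachments,
            "suspicious": len(reasons) >= 2, "reasons": reasons}
```

A message flagged this way is a candidate for quarantine and for the out-of-band sender check the article recommends, not proof of malware on its own.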

What can you do to avoid being a ransomware victim?

One of the first steps is to look at e-mails carefully before opening them, said cybersecurity company Trend Micro.

Also, watch out for e-mails from “unverified sources,” Trend Micro said. You can check with the sender, not by replying, but by sending a separate e-mail, or calling.

Other advice—don’t click on links in “unverified emails,” regularly update your software, programs and applications, and back up your important files.

“The 3-2-1 backup rule applies here—three backup copies of your data on two different media, and one of those copies in a separate location,” Trend Micro said.

The hospital told Archer News that it backs up its data and plans ahead for cyber attacks.

“The Ottawa Hospital has an enterprise backup system and backs up all systems and data in accordance with defined business requirements,” Eggins said. “Recovering from a malware incident is one such requirement.”

Anti-ransomware

Some companies have developed anti-ransomware, to try to fight the “shapeshifting” ransomware code that changes itself to escape detection. Scott leads anti-ransomware development for security company Malwarebytes.

He said they have been able to create a system to monitor the behaviors of ransomware, to stop the malware before it infects a computer’s files.

“There are some things ransomware cannot help but perform, or it simply wouldn’t be ransomware,” Scott said.

And you can expect ransomware developers to keep at it as well, hammering you and other victims to get as much money as they can, said researchers at Palo Alto Networks.

“Ultimately, successes experienced by one attacker group embolden and inspire others,” researchers said.