In a rare and twisted result, Kansas Heart Hospital was hit with a ransomware attack on May 18th, and made the decision to pay a “small amount” to the attackers in order to get its data back. Kansas Heart stated that no patient information was compromised and that the ransomware attack did not impact the treatment of its patients.
However, after the payment, the attackers did not return “full access to the files.” Instead, according to the Hospital, they requested another ransom. Dishonest ransomware attackers? Greedy attackers? The Hospital refused to pay the second ransom.
This has been unheard of in the industry, since the whole business plan around ransomware is to attack a victim, encrypt its data until a ransom is paid, one small enough that the victim will not think twice about paying it but large enough to turn a profit, and then decrypt the data so the victim can go about its day-to-day business. The business plan relies on the attackers being true to their word that they will decrypt the data once paid. Otherwise, victims won’t pay.
Keep in mind that the FBI recommends that companies NOT pay the attackers in a ransomware incident. However, many businesses, when confronted with ransomware, perform a risk analysis and determine that it makes more sense to pay the attackers the small sum to get their data back than to resort to bringing their backup data online or moving to contingency operations or disaster recovery mode.
The murky world of ransomware just got murkier. We have always joked about how ransomware attackers are pretty honest (yes, it is an oxymoron), and will decrypt the files once paid. But now? This oxymoron no longer applies. The greedy ransomware attacker is here.
According to Microsoft, the United States is the country with the worst ransomware problem, and all businesses are targeted. These ransomware attacks are not going away, and now you may not get your data back even if you pay the ransom. Developing and testing a backup, contingency operations and disaster recovery plan is still imperative in a risk management program to prepare for continued ransomware attacks.