My veterinary practice’s data was held for ransom

I’m a veterinarian, an entrepreneur and a 30-year computer geek. That didn’t save my data. (But I did negotiate the criminal’s price down!)
Dec 07, 2016

Your veterinary practice data is only as safe as the weakest link in the chain of on-site and off-site storage. Can you learn something from Dr. Phillip Raclyn's ransomware experience? (Shutterstock.com)

I thought I was so smart. A veterinarian, entrepreneur and computer geek for 30 years. Usually the smartest guy in the room. I mean, I’ve been a geek since the very first PC became available. So when it came to creating a backup system for my veterinary hospitals, I thought, “I can do it myself.” And I did.

For those of you in the know, redundancy is the key. So I had a great backup program called Backup4all that I got cheap off the Internet. All the bells and whistles I needed. Able to customize it to suit my needs. I created backups … lots of backups. I backed up the folder with all the data that runs the hospital onto a separate hard drive in the computer. I also backed up to an external hard drive. I also used FileTransporter (like Dropbox, but the hard drive is in my home) to create off-site backups of my backups.

I was covered.

Until I got hacked.

Our files were still there, but they couldn’t be opened

I’d heard about “ransomware” (I’m a geek, I told you). This is where someone inserts a malware program somewhere into your system and encrypts your files. All your files. And there’s no way to decrypt the files without the decryption key. If you want that decryption key, you contact the person who hacked your computer and pay up. In my case: bitcoinpay (at) india (dot) com.

The program we use to run the hospital wouldn’t start. We looked on the server to see if our files, attachments and radiographs were still there. They were, but their file names had been changed. And they couldn’t be opened. I tried everything I knew, and there was no way to open even a Word doc or PDF.

Although I was feeling violated, I knew I had my daily backups working and at most I’d lose a day’s worth of data. I could live with that or maybe even recreate it. I wasn’t ready to pay bitcoinpay (at) india (dot) com quite yet, so I went to check my backups. The backup on the internal hard drive was also encrypted.

The backup on the external hard drive was—well, the hard drive wouldn’t start at all. I tried everything, to no avail. And even if I could get it to run, there was no way to know until I did how long it hadn’t been backing up data.

So I went to the backup on File Transporter. The last backup was from June 23. This was Oct. 16. What happened? I have no idea, but at least I had a full backup from June. Losing three months’ worth of data was terrible, but far, far better than losing 12 years of data, which would have happened if I didn’t have this one backup.

I didn’t want to pay the ransom. For one thing, I was afraid that even if I did, I might not get the files back. So I started wondering if there was any way to recreate the data I’d lost. We use DemandForce to send out reminders and text message appointment confirmations. We were also about to switch from DemandForce to a similar, but free, service called PawPrint. These services interact with our Avimark software, and I thought that they might have a backup. Both DemandForce and PawPrint were very helpful, but they didn’t have a full backup. At least, we thought, we can try to reconstruct what’s happened since June 23 from the text messages and the appointment reminders they sent out. We prepared to do this, and in the meantime I started negotiating with the hackers.

A closeup of a screenshot of Dr. Phillip Raclyn's first encounter with the person holding his veterinary practice's data for ransom. (Photo courtesy Phillip Raclyn, DVM)

‘You have only 36 hours to pay since you received that email ... ’

Paying the ransom was starting to look better and better. But how much? I reached out to the hacker.

I sent a simple text message as suggested on the screen. But that didn’t work. Then I figured that it looked like an email address, not a phone number, so I sent them an email: “You have my attention. What can I do for you?”

My response came the same day:

If you want your data back, you should pay me 4.1 bitcoin on the following address [followed by a string of numbers and letters]. You have only 36 hours to pay since you received that email, after the price will be eight bitcoin.

After some research I learned that 4.1 bitcoins didn’t have an exact price. Bitcoins can be bought and sold on websites, and the prices vary. But it came out to approximately $3,500 at that particular moment. I also learned two important facts: One, there was no guarantee that after paying I’d get the decryption key. And, two, without the decryption key there was no earthly way to get the files back. I had to take the risk, hoping that I’d get the files back after paying.

In my research I learned you could negotiate with the hackers. I figured they sent out the emails carrying the malware to any email address that had the word “hospital” in it. Our email address domain is “yorktownanimalhospital.vet.” So I wrote back:

Luckily, I have backups. And I don't know what bitcoins are worth or how to get them. So thanks to your efforts I lost about 36 hours of information. We'll survive. We're a small animal hospital. We can barely make payroll. The only ones who will suffer are the dogs and cats. I presume you don't care about that. Make me a better offer for a day and a half worth of lost vaccine information and maybe we'll spend the time and energy to figure the bitcoin thing out and send you some money. What's a bitcoin worth, anyway?

I was hoping a bluff would be as good as a straight flush here. In reality, my only backup was from over three months ago, and losing all the data would be an unmitigated disaster.

The hacker responded:

hello Phillip, sorry for delay

your price 2 btc.

when you send money let me know.

tnx

So, I thought, the price is already down by half. Let’s push a little more. I responded:

I'm also sorry for the delay. Yesterday the tech guy pulled all the hard drives and upgraded the defenses of the servers. We've figured out how to rebuild the few days of data that we lost, except for one or two things that we'll figure out moving forward. But it's gonna take some time and manpower to bring us back to where we were before your attack. It's worth one bitcoin to me so I don't have to overwork my staff to do the data input. We're really just a small business struggling week to week to make payroll. We give too many services away for free because we can't stand to see dogs and cats die because the owners can't afford to treat them. But how will I know that once I pay you, you'll actually give me the decryption key. And how do I know that the file that encrypted all the files isn't still somewhere on my network?

But the hacker wouldn’t budge:

Phillip pleace dont worry, after payment i will keep my pomises.

2 btc is minimus price, i cant make cheeper

aftreer pazment in 6 hours i will send zoou decrzption tool

I tried one more time:

I have to worry. That's my job. I have people who depend on me to feed their families. Tell me how I can be sure that after I pay you, even if you send me the decryption tool, that my files won't get encrypted again next week from something that you left on my network somewhere. I want to pay you, but I need to be sure you'll keep your end of the bargain.

No luck, but in a strange moment of contriteness, the hacker wrote:

all i can give you is inly my word

i dont know that this was pat clinic

if i can i give you decryption for free but i caaaant because of some reasons.

now no more disusion.

waiting for payment

I decided to pay.

I went on localbitcoins.com and figured out how to buy bitcoins. I had to make a cash deposit into a numbered bank account at TD Bank. After the deposit, two bitcoins were deposited into my “wallet” on the website. Then I was able to transfer ownership of them to the hacker. I knew there were no guarantees, but it was worth the risk.

In the meantime, I had my tech guy pull the hard drives from the server and replace them with new drives. I didn’t want to take a chance on the malware being hidden somewhere and then reinfecting us after we paid and decrypted the files. After I paid the hacker, he asked me to send him an encrypted file. I wasn’t expecting this, but I figured out that this was the only way the hacker could know the decryption key. The key must be hidden somewhere in each file. I told my tech guy to install the drives into an extra computer lying around and to pull a file and send it to me.

We got it done. I emailed the hacker the file and he/she sent me the decryption key and a link to the program to use to decrypt the files. Finally, 10 days later, after an enormous amount of angst and anguish, we were back up and running. Of course, I tightened our defenses by installing OpenDNS to prevent access to many websites. I trained the staff not to open emails with ZIP attachments. I made sure every workstation had Windows Defender on it and was set to auto-protect. And finally, I reinstituted the backup plan. We now back up to a local drive, to the File Transporter and to Dropbox.
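Two of the failures in this account are silent ones: the off-site backup had quietly stopped in June and nobody noticed until October, and the backup on the server's own drive was encrypted right alongside the originals. Both are catchable by a small scheduled check that records what a good backup looked like and complains when the current one is old, altered, or about to copy files that already look encrypted. The script below is an added example written for this page, not code from the article, from Backup4all, File Transporter or any other product named here; the directory layout, the two-day freshness limit, the entropy threshold and the allowed file types are assumptions, and the sample files it creates are constructed for the demonstration.

```python
"""Backup health check (added example, not from the article).
Catches: a backup job that stopped running (stale manifest), a backup copy
altered after it was taken (hash mismatch), and source files that look already
encrypted before they are backed up (renamed or near-random content)."""
from __future__ import annotations
import hashlib
import json
import math
import os
import shutil
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_DAYS = 2        # assumption: daily job, so anything older is stale
ENTROPY_THRESHOLD = 7.5        # bits/byte; ciphertext and compressed data approach 8.0
LOW_ENTROPY_TYPES = {".txt", ".csv", ".xml", ".log", ".ini"}  # types that should read as text
SAMPLE_BYTES = 4096            # bytes of each file sampled for the entropy test


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, manifest_path: Path, now=None) -> dict:
    """Record the hash of every file in the backup set and when it was taken.
    Keep the manifest where the backup host cannot overwrite it (off-site)."""
    files = sorted(p for p in backup_dir.rglob("*") if p.is_file())
    manifest = {
        "created": now if now is not None else time.time(),
        "files": {str(p.relative_to(backup_dir)): sha256_file(p) for p in files},
    }
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(backup_dir: Path, manifest_path: Path) -> list[str]:
    """List files missing from the backup or whose content no longer matches
    the recorded hash (what a ransomware pass over the backup drive produces)."""
    manifest = json.loads(manifest_path.read_text())
    problems = []
    for rel, digest in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"hash mismatch: {rel}")
    return problems


def backup_age_days(manifest_path: Path, now=None) -> float:
    """Days since the last recorded backup; a June-to-October gap shows up here."""
    created = json.loads(manifest_path.read_text())["created"]
    return ((now if now is not None else time.time()) - created) / 86400


def suspicious_files(src_dir: Path, expected_suffixes: set[str]) -> list[str]:
    """Flag source files that look encrypted before they get copied into the
    backup: an unexpected extension (ransomware renames files) or a text-type
    file whose first bytes are near-random. PDFs, JPEGs and ZIPs are legitimately
    high-entropy, so the entropy test is limited to LOW_ENTROPY_TYPES."""
    flagged = []
    for p in sorted(q for q in src_dir.rglob("*") if q.is_file()):
        rel = str(p.relative_to(src_dir))
        if p.suffix.lower() not in expected_suffixes:
            flagged.append(f"unexpected extension: {rel}")
        elif p.suffix.lower() in LOW_ENTROPY_TYPES:
            with p.open("rb") as f:
                if shannon_entropy(f.read(SAMPLE_BYTES)) > ENTROPY_THRESHOLD:
                    flagged.append(f"high entropy: {rel}")
    return flagged


def check_backup(src_dir: Path, backup_dir: Path, manifest_path: Path,
                 expected_suffixes: set[str], now=None) -> dict:
    """One report a monitoring job can alert on; 'ok' only when the backup is
    fresh and intact and the sources do not look encrypted."""
    age = backup_age_days(manifest_path, now)
    integrity = verify_manifest(backup_dir, manifest_path)
    suspects = suspicious_files(src_dir, expected_suffixes)
    return {"age_days": age, "stale": age > MAX_BACKUP_AGE_DAYS,
            "integrity_problems": integrity, "suspicious_sources": suspects,
            "ok": age <= MAX_BACKUP_AGE_DAYS and not integrity and not suspects}


def run_demo() -> dict:
    """Constructed scenario: a healthy backup, then the same set after a
    simulated attack (renamed and random-byte files, altered backup copy) with
    the last good manifest 115 days old."""
    root = Path(tempfile.mkdtemp())
    src, bak, manifest = root / "hospital", root / "backup", root / "manifest.json"
    src.mkdir()
    (src / "patients.csv").write_text("id,name,species\n1,Rex,dog\n2,Tom,cat\n" * 50)
    (src / "notes.txt").write_text("Rabies booster due in March.\n" * 20)
    shutil.copytree(src, bak)
    allowed = {".csv", ".txt"}
    t0 = 1_700_000_000.0                      # constructed "now" for the good backup
    write_manifest(bak, manifest, now=t0)
    healthy = check_backup(src, bak, manifest, allowed, now=t0 + 3600)
    (src / "patients.csv").rename(src / "patients.csv.locked")
    (src / "patients.csv.locked").write_bytes(os.urandom(SAMPLE_BYTES))
    (src / "notes.txt").write_bytes(os.urandom(SAMPLE_BYTES))
    (bak / "notes.txt").write_bytes(os.urandom(SAMPLE_BYTES))   # on-box copy hit too
    attacked = check_backup(src, bak, manifest, allowed, now=t0 + 115 * 86400)
    shutil.rmtree(root)
    return {"healthy": healthy, "attacked": attacked}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is the part that matters: it has to live somewhere the backup host cannot write to, or the same infection that encrypts the backup will rewrite the record of what the backup should contain. Running `check_backup` from a separate machine on a schedule, and alerting on `stale` as well as on integrity problems, is what would have surfaced the June-to-October gap within a couple of days instead of months.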

Let’s hope it’s enough.

Phillip Raclyn, DVM, CVA, is the founder and one of two managing veterinarians of Riverside Animal Hospital's two locations.

It may happen again

First of all I have to thank the author for sharing this cautionary story, it's becoming a frequent problem for all businesses. Like the previous commenter I'm also an IT provider who's seen my share of these infections.

I hate to leave a negative comment, but the author (and readers) should know that there's a reasonable chance that this will happen to him again. Since he's PAID THE RANSOM now his organization will be considered an easy mark for further exploitation and should expect even more attempts to be swindled. It reminds me of the US government's refusal to negotiate in any way with hostage takers. Once you give in you're just asking for more of the same from unscrupulous people.

There are some technical problems with his response to the attack too, but I don't want to belabor the point.

Best "real-world" example I've seen!

Thanks for this great article! My company provides IT for over 70 vet hospitals and deals with ransomware at least every couple of months, and it plagues other industries as well. We've found that a truly robust "enterprise" Backup/Disaster Recovery solution is the only real defense. I might suggest that your next step be toward a "managed" solution where someone takes ownership of verifying backup success/failure and the health of your backup hardware. Best of luck in the future!