Estes Park Health Paid Ransom Twice to Get the Keys to Unlock All Encrypted Files

A ransomware attack on Estes Park Health (EPH), based in Colorado, encrypted files extensively throughout its network.

Employees noticed the attack on June 2, 2019 and reported that their computers were behaving strangely. EPH called its IT specialist, who logged into the network and saw the same symptoms: the ransomware was systematically encrypting files across the network. According to an Estes Park Trail Gazette report, EPH's Chief Information Officer Gary Hall found the ransomware locking files and taking control of the programs installed on his computer.

The IT team acted quickly and began locking down systems, but could not stop the widespread encryption. Several applications were taken offline, including the clinic software and the digital imaging software used to store X-rays and other medical images. The attack also disrupted the network's telephone service.

EPH activated its incident response center to run emergency-mode procedures while its computer systems were offline. EPH runs monitoring software that continuously tracks network traffic and flags any attempt to exfiltrate data. From the time the attack began until attacker access was terminated, the event logs recorded no data exfiltration attempts. On that basis, EPH is convinced that the aim of the attack was extortion by denying access to critical files rather than data theft, a conclusion that is only as strong as the coverage of the monitoring that produced those logs.

EPH maintains a cybersecurity insurance policy that covers this kind of attack. It engaged a cybersecurity firm referred by its insurer, which assisted with response management and recovery.

The firm contacted the attackers and paid the ransom demand, and the attackers provided decryption keys. Paying, however, did not guarantee a straightforward recovery: while decrypting, EPH discovered that further files had been encrypted for which it held no keys, so a second ransom had to be paid to obtain the keys needed to unlock all files.

The amounts paid were not disclosed to the public. EPH will have to pay a $10,000 deductible. Investigators are still determining how the attackers gained access to the network.