It sounds like the plot of a bad episode of CSI: hackers shutting down a hospital's computer network, locking down its ability to treat patients until a sky-high ransom is paid.

It happened in a starkly public way last week in California, when the Hollywood Presbyterian Medical Center was infiltrated by malware that locked access to its networks. The hospital paid a ransom of 40 bitcoins, or about $16,900 US, to have its systems restored.

The facility was without access to email, digital patient records and some internet-connected medical devices for nearly two weeks, from Feb. 5 to 17.

"The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," the hospital's CEO and president Allen Stefanek said in a statement. "In the best interest of restoring normal operations, we did this."

It's the latest public case of a company brought to its knees by ransomware: hackers using malicious software to extort money directly from its users by making their files inaccessible.

Cybercriminals demand money from the target of the attack in order to unlock the files: pay the ransom and receive a decryption code to unlock the data.

Ransoms often paid in secret

The Hollywood hospital hack may have been the largest such ransomware attack to go public in North America, but it's been happening far more often than you might think over the past few years.

"These types of attacks have been happening and companies have been paying large ransoms. But for PR reasons they have not made this broad public knowledge," says Stu Sjouwerman, founder and CEO of cybersecurity firm KnowBe4.

Cyberfile Security Threat 20121219

Ransomware locks important files on your computer or online accounts, with hackers demanding that a ransom be paid before they're released. (Ryan Remiorz/Canadian Press)

Sjouwerman points to a recent case in Germany, where at least six hospitals were hit by malware attacks, but only one went public. The attack reportedly infected "hundreds" of computers at Lukas Hospital in Neuss, and heart attack patients had to be referred to other hospitals.

Jewel Timpe, senior manager of HPE Security Research Communications, believes more companies will go public with malware attacks in the future — especially as the attacks get more sophisticated.

"I think more and more people will talk about it as a means of sharing information and to find ways to combat these types of attacks," she told CBC News.

Health care an inviting target

The health-care industry isn't just a top target for ransomware attacks. According to a report by security firm Trend Micro, 30 per cent of identity theft-related cybercrime activity targeted health care from 2005 to 2015.

The next most popular industry was retail at 16 per cent.

Health care, retail, government and financial industries "process and store a wealth of personally identifiable information (PII) that can be used to commit identity fraud," the report says.

And health-care information goes for more money than credit card numbers, Sjouwerman says. "Because hospital records have no expiration date. So hospitals have a target on their back."

CryptoWall ransomware encryption notice

This image shows the kind of encryption notice received by firms after hackers have used ransomware to take files hostage and demand a ransom payment. (

Crippling a hospital's ability to treat patients also makes it a prime target for ransomware attacks, which tend to look for maximum payout as quickly as possible.

"In the case of health care, you've got potential lives at risk," says J. Paul Haynes, CEO of eSentire, a Cambridge, Ont.,-based security firm.

Law enforcement and cybersecurity experts typically advise against paying ransoms in malware cases. But the added urgency of a possible medical emergency can persuade hospitals to pay up rather than risk harm to their patients while waiting for the situation to be resolved.

They're also vulnerable to attacks because hospitals usually place expensive medical equipment above cybersecurity when it comes to budgeting, Haynes says.

"They're understaffed in IT and their priorities are around taking care of people. There will come a point in time where keeping the network operating at maximum efficiency will become as important as the medical technology to protect their patients."

Monetization of malware

The escalation in both the size of targets, as well as the size of the ransoms, follows a long trend in malware evolving from simple disruption to direct extortion and monetization.

Cybercriminals then moved on to stealing personal information that could be sold on the black market.

'There will come a point in time where keeping the network operating at maximum efficiency will become as important as the medical technology to protect their patients.' - J. Paul Haynes, CEO of eSentire

But as law enforcement agencies work harder to crack down on the movement of stolen data, criminals are increasingly turning toward extorting money directly from their targets instead of stealing the data and trying to find a buyer later on.

Ransomware operations have become so sophisticated that some hacker groups even have "customer service" departments to ensure the targets actually receive decryption codes once a ransom is paid.

It's all about "their brand, if you can think about it in these obtuse ways," Haynes sardonically explained. "If you pay the ransom and they don't give you the key, then no one's going to pay the ransom."

'Think before you click'

Ultimately, most experts say it all comes down to the person controlling the mouse and keyboard knowing who or what to trust when clicking through his or her inbox.

For both the Hollywood Presbyterian Medical Center and Lukas Hospital, experts say the ransomware was most likely unleashed by an employee unknowingly opening a malicious link in an email.

"Most people live with the false sense of security that their antivirus is going to protect them against [malware]. This is no longer the case," warns Sjouwerman. 

New strains of viruses and malware can slip through the filters before their next update cycle — usually every six hours or so, and just long enough to dupe someone who isn't paying attention.

"You need to think before you click. You are your own human firewall," Sjouwerman says. "As long as you blindly click on anything that sits in your inbox, you are an accident waiting to happen."