Romania Ransomware: Hacker demands crypto from Healthcare.

In yet another reported ransomware attack with a cryptocurrency ransom demand, patients at hospitals across Romania have been put at risk. According to the disclosure, over a hundred healthcare facilities were compromised, followed by a ransom demand from the threat actors.

In its initial press release, issued at 10:00 a.m. today, DNSC Romania notified the general public:

"National Directorate of Cyber Security (DNSC) was notified today of a ransomware cyber attack on a service provider for several hospitals in Romania. Currently, a team of DNSC specialists has traveled to the scene to investigate the cyber incident. Several hospitals are affected by the attack."

The ransomware attack, which impacted the critical infrastructure of several clinical organizations in Romania, left admitted patients in a precarious situation. It was reported on Monday (12 February 2024) that the attack, which targeted a wide range of medical information systems, left doctors and staff reverting to pen and paper to document patient diagnoses, as all computer systems were taken offline because of the incident.

The threat group requested a ransom of 3.5 bitcoin. Image source: Fixitgearware

The press release on DNSC Romania's official website, translated here, quotes the Smeeni Hospital as disclosing:

"Today we were notified that the server on which the HIPOCRATE application was running for the Smeeni Chronic Disease Hospital was encrypted with the same type of ransomware. The infection occurred during the same period (12.02.2024) in which similar servers from other entities in the health sector were affected. Coincidentally, the hospital suffered a power outage that prevented the discovery that the server was affected. In this case, measures are being taken to remedy the problem and restore the backup data."

In a bid to contain the situation, the Romanian cyber security team took swift action to respond to the incident. They also stated that recent backups of the various clinical organizations' data helped reduce the impact of the breach.

The Incident and Its Impact on Various Hospital IT Platforms:

Looking back at previous ransomware attacks and the demands made by threat actors, the same pattern was seen in the incident that impacted the various hospital IT platforms in Romania.

The first reports of the ransomware attack and its impact had over 25 facilities compromised, with their data encrypted. The malicious actors then demanded $170,000 USD, the equivalent of 3.5 bitcoin, from the impacted organization in order to release the decryption keys for the compromised healthcare facilities.

An official statement from the Romanian National Cyber Security Directorate, in translation, also attests to this:

"There is a ransom (redemption) request of 3.5 BTC (approximately 157,000 EURO). The attackers' message does not specify a group name that claims this attack, but only an e-mail address. Both the Directorate and the other authorities with responsibilities in the field of cyber security involved in the analysis of this incident RECOMMEND NOT contacting the attackers and NOT paying the required ransom!"

Investigation of the incident uncovered the use of a ransomware application known as Backmydata, which specifically targeted the HIPOCRATE platform. Backmydata is said to be a variant associated with the Phobos ransomware family, and it is responsible for encrypting the data of the various hospitals impacted in Romania.

Affected Hospitals and Facilities:

DNSC Romania further informed the public that four more hospitals have been added to the list of compromised healthcare facilities. These hospitals are:

  • Institute of Phonoaudiology and Functional Surgery ENT „Prof. Dr. D. Hociota”, Bucharest.
  • Pneumoftiziology Sanatorium Brad, Hunedoara.
  • Roșiorii de Vede Pneumoftiziology Hospital.
  • Santa Clinic Mitreni Medical Center.

Further information from DNSC Romania identified 79 healthcare systems and 21 health clinics in total as impacted in the cyber incident. Most of the healthcare systems on the list of affected servers have backups of their data, saved recently (1-3 days before the incident), and one clinic's data was reported to have been backed up 12 days before the incident.

Image source: DNSC Romania

DNSC Romania said:

"This could make it easier to restore services and data."

Mitigative steps put in place:

DNSC Romania listed a few safety measures as mitigation steps applicable both to organizations that have been compromised and to those that have not yet been. These steps include:

  • Identify affected systems and isolate them from the rest of the network immediately.
  • Keep any ransom messages and all communication between the threat actors and the organization, as these serve as evidence for further analysis and investigation by DNSC Romania.
  • If a system has been compromised, do not reset or shut it down; leaving it running preserves evidence in volatile memory (RAM) that is useful for further investigation.
  • Retrieve and retain all relevant logs and information from the compromised systems and equipment, in addition to those of the organization's firewall and network infrastructure.
  • Examine system logs to identify the entry point and the cyber kill chain by which the IT infrastructure was compromised.
  • Alert all employees. Notify customers and business partners likely to be affected, in proportion to the level of impact.
  • Restore all systems likely to be affected from the systems' backup data, using the appropriate restoration point.
  • Keep systems clean, and once restoration is complete, verify that the data is free of infection, up to date, and properly secured against future attacks.
  • Keep all systems, applications, and operating systems up to date, with all known vulnerabilities patched.
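Two of the steps above, isolating affected systems and restoring from backup, are easier to carry out with a little tooling. The script below is an added example written for this article; it is not code from DNSC Romania, Fixitgearware, or any of the affected hospitals. The hostnames, timestamps, file paths and the one-line-per-event log format are all constructed here. The first function scans file-event logs for hosts where many files were renamed in a short window, which is the usual footprint of a ransomware encryptor and identifies the systems to isolate first; the second takes each system's last-backup time and orders restores by how many days of data they would lose, flagging stale backups such as the 12-day-old one mentioned above.

```python
"""Incident-triage helpers for two of the DNSC steps (added example only).

Not code from DNSC, Fixitgearware, or any affected hospital. Hostnames,
timestamps, paths and the log format are constructed for this example.

  1. detect_encryption_bursts(): flag hosts where many files were renamed
     within a short window, the usual footprint of a ransomware encryptor.
  2. rank_backups_for_restore(): order systems for restoration by how much
     data each restore would lose, marking backups older than a threshold.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <host> <event> <path>".
SAMPLE_EVENTS = """\
2024-02-12T01:02:10 srv-hipocrate-01 RENAME /data/db/patients.mdb
2024-02-12T01:02:11 srv-hipocrate-01 RENAME /data/db/visits.mdb
2024-02-12T01:02:11 srv-hipocrate-01 RENAME /data/db/labs.mdb
2024-02-12T01:02:12 srv-hipocrate-01 RENAME /data/docs/report1.pdf
2024-02-12T01:02:13 srv-hipocrate-01 RENAME /data/docs/report2.pdf
2024-02-12T01:02:14 srv-hipocrate-01 RENAME /data/docs/report3.pdf
2024-02-12T01:02:15 srv-hipocrate-01 WRITE /data/docs/readme.txt
2024-02-12T01:05:00 ws-reception-07 RENAME /home/user/draft.docx
2024-02-12T01:30:00 ws-reception-07 RENAME /home/user/final.docx
2024-02-12T01:10:00 srv-files-02 WRITE /shares/backup.log
"""

# Constructed last-backup time per system (ISO timestamps).
SAMPLE_BACKUPS = {
    "srv-hipocrate-01": "2024-02-11T22:00:00",
    "srv-files-02": "2024-02-09T22:00:00",
    "srv-lab-03": "2024-01-30T22:00:00",
}
# Constructed time at which the encryption burst began.
INCIDENT_TIME = datetime.fromisoformat("2024-02-12T01:02:00")


def parse_events(text):
    """Parse log lines into (timestamp, host, event, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), host, event, path))
    return events


def detect_encryption_bursts(text, window_s=60, threshold=5):
    """Return {host: peak_renames} for hosts with at least `threshold`
    RENAME events inside some sliding window of `window_s` seconds."""
    per_host = defaultdict(list)
    for ts, host, event, _path in parse_events(text):
        if event == "RENAME":
            per_host[host].append(ts)
    window = timedelta(seconds=window_s)
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        left, peak = 0, 0
        for right, t in enumerate(times):
            # Advance the left edge until every event in [left, right] fits the window.
            while t - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


def rank_backups_for_restore(backups, incident_time=INCIDENT_TIME, stale_days=7):
    """Return [(host, days_of_data_lost, is_stale)] sorted by least loss first."""
    rows = []
    for host, last_backup in backups.items():
        lost = incident_time - datetime.fromisoformat(last_backup)
        days = lost.total_seconds() / 86400
        rows.append((host, round(days, 1), days > stale_days))
    rows.sort(key=lambda row: row[1])
    return rows


if __name__ == "__main__":
    for host, peak in detect_encryption_bursts(SAMPLE_EVENTS).items():
        print(f"ISOLATE {host}: {peak} renames within 60s")
    for host, days, stale in rank_backups_for_restore(SAMPLE_BACKUPS):
        print(f"{host}: restore loses {days} days{' (STALE)' if stale else ''}")
```

On the constructed sample, only srv-hipocrate-01 crosses the burst threshold (six renames in a few seconds), while the two spread-out renames on the reception workstation do not, and the restore order places the three-hour-old backup first and marks the twelve-day-old one as stale. The window size and thresholds are tuning knobs; in a real hospital environment they should be set against a baseline of normal file activity so that nightly batch jobs are not flagged.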

In a later update on further discoveries and security measures, the translated DNSC Romania web article stated:

"We will return with details as we obtain more information about the affected entities. We recommend that hospital IT teams not be contacted so that they can focus on restoring IT and data services! This is the priority at the moment."

The ransomware threat is undoubtedly here to stay, as these threat actors have considerable skills and tooling at their disposal. Fixitgearware therefore advises security personnel and organizations' staff alike to be very cautious and to ensure that their systems and hardware are updated regularly, as soon as patches are released.

In addition, defense in depth, with strong and efficient anti-malware and antivirus tools, should be deployed on every component housing data and sensitive information. This protects what would otherwise be an Achilles' heel. Remember to always stay safe and be vigilant 🛡️!

Put your comments below in the comment section on your thoughts about this.