A ransomware attack targeted Witting Clinical Hospital in Bucharest. Hackers took control of the healthcare provider’s servers, encrypted the data, and demanded a ransom in Bitcoin in exchange for a decryption tool.
SRI (Romanian Intelligence Service) announced that the attack is similar to the ones in 2019 targeting other hospitals in Romania.
Consequences of the Ransomware Attack
Following the attack, the hospital was forced to operate offline for 35 hours, and doctors had to fill in patients’ records on paper.
However, with the help of the national cybersecurity center and SRI experts, the data was recovered entirely, without the ransom being paid to the cyberpirates.
The purpose of the ransomware attack appears to be stealing the networks and treatment schedules. After obtaining such information, hackers then sell it online. Patients’ records are also at stake, exposed to extortionists.
“There are no lost files, including the last file we had, and it’s alright. Files were written manually, but there weren’t many of them. We’re talking one day. Discharges, hospitalizations were done manuall. We let health insurance know that we couldn’t validate them electronically”.Cristian Banu, Witting Hospital Manager
SRI representatives stated that they had investigated the ransomware attack in collaboration with CERT-RO (Romanian National Cyber Security and Incident Response Team) and Clinical Hospital No.1 CF Wittig.
“After encrypting the data, attackers demanded a ransom payment to decrypt it, a payment that the affected institution never made. However, the hospital’s current operations were not disrupted, the use of offline registers having ensured continuity.”SRI
The latest ransomware attack is similar to the one that hit four other hospitals in Romania in the summer of 2019.
According to SRI, the ransomware used was PHOBOS, and the attackers exploited the fact that the hospital’s IT infrastructures were not protected by an antivirus software solution.
PHOBOS ransomware is of medium complexity, using Remote Desktop Protocol connections to spread and infect networks.
Phobos was first observed on October 21st, 2017. At the end of 2018, it began to spread actively again.
Over the course of December 2018 and February 2019, hackers released numerous new variants, which use different emails, including:
2019 came with even more news about Phobos virus because the ransomware started exploiting weak security to attack users all over the world. It also targets businesses and large companies since these attacks ensure bigger profit from a single victim.
Recommendations Against Ransomware Attacks
Since the beginning of the COVID-19 pandemic in 2020, CERT-RO and cybersecurity experts from the Cyber Volunteers 19 – Romania group have carried out joint warning and cybersecurity awareness campaigns dedicated to healthcare providers in the country. The main purpose of this initiative is to prevent, identify and properly address potential IT vulnerabilities of medical units before it is too late.
The recommendations provided in this approach to support the medical environment are sometimes applied quickly and appropriately. But in other cases, for various reasons, the necessary security measures are not applied in time.
In order to prevent ransomware attacks, the experts of ATTACK Simulator, CERT-RO and CYBERINT recommend the immediate implementation of security policies and measures such as:
- Using an updated antivirus solution;
- Disable RDP service on all stations and servers in the network;
- Update operating systems and all applications used;
- Frequent change of passwords of all users, respecting the recommendations of complexity;
- Periodic verification of all registered users, to identify new users, added illegally;
- Backing up critical data on offline data carriers;
- Keep encrypted data in the event that a decryption application may appear in the online environment;
- Continuous cybersecurity training of employees;
- Ensure your employees are aware of the dangerous implications cyberattacks can have;
- Special training for managers on how to quickly and efficiently respond to these types of cyberattacks.
As online dangers never stop evolving, and chances are they could target your company next, why postpone training and educating your employees on cybersecurity?