Major ransomware attack knocks Romanian hospitals offline
A large-scale cyberattack targeted hospitals across Romania, crippling their health care management systems and forcing them to resort to pen and paper for record-keeping, with the attackers demanding $175,000 worth of Bitcoin as ransom
In a distressing turn of events, Romania has been grappling with a significant cybersecurity breach that has severely impacted its health care infrastructure. In recent days, hospitals throughout the country fell victim to a large-scale ransomware attack that paralyzed their health care management systems.
The onslaught targeted the widely used Hipocrate Information System (HIS), affecting more than 25 hospitals nationwide, according to reports from SecurityWeek.
The cybercriminals behind the attack deployed the Backmydata malware, a variant of the Phobos ransomware family, encrypting data across the compromised facilities and taking their health care management systems offline.
The Romanian National Cyber Security Directorate (DNSC) revealed that the attack began on Feb. 10, when data at a children's hospital was encrypted, and spread to additional medical facilities on Feb. 11-12.
LOSS OF DATA
The ramifications of the attack were profound: roughly 100 hospitals, both those whose data was encrypted and those cut off from the HIS system as a consequence, resorted to manual record-keeping with pen and paper in the absence of functioning digital systems.
Furthermore, the DNSC confirmed that the internet connections of 74 health care facilities linked to the HIS system were severed, and investigations are ongoing to determine whether, and how far, each of those institutions was affected.
While most affected hospitals have recent backups from which their systems can be restored, one facility faces a dire situation: its most recent backup is 12 days old, so nearly two weeks of records exist in no backup at all and would have to be reconstructed from other sources.
The cybercriminals demanded a ransom of 3.5 Bitcoins (approximately $175,000), but authorities cautioned against contacting the attackers or making any payment.
In response to the crisis, the DNSC has issued directives to all affected hospitals, urging them to isolate compromised systems from the network, preserve ransom notes and system logs, investigate those logs to identify the attackers' entry point, keep affected systems running (isolated, but not wiped, rebuilt or powered off) so that evidence can still be retrieved from them, and inform all relevant stakeholders promptly.
A cancer treatment institution disclosed that all of its servers were shut down and its internet connection severed on Monday to prevent data leakage.
The modus operandi of the Backmydata ransomware, like that of other Phobos variants, is to establish persistence on infected systems, disable or bypass host firewalls, delete Volume Shadow Copies so that local restore points cannot be used for recovery, encrypt files, and potentially exfiltrate data to the attackers' infrastructure.
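The DNSC directive to investigate logs for the entry point and the recovery-tampering behaviour described above both come down to the same triage step: scanning process-creation logs for the commands that kill local recovery before encryption starts. The script below is an added example written for this article; it is not code from the original page, from DNSC or from the malware authors. It assumes process-creation events (Sysmon Event ID 1 or Security Event 4688, for instance) have been exported as one line per event in the form "timestamp host user command", and the command-line patterns it matches are the shadow-copy, backup-catalog, boot-recovery and firewall commands publicly documented for the Phobos family in general, not indicators from the Romanian incident. The hostnames, users, times and log lines in SAMPLE_LOG are constructed.

```python
"""Triage Windows process-creation logs for Phobos/Backmydata-style recovery tampering.

Added example: not code from the article, from DNSC or from the malware authors.
Assumed input format: "<ISO-8601 UTC timestamp> <host> <user> <command line>".
Patterns are generic Phobos-family techniques from public advisories; the
sample log is constructed for illustration.
"""
import re
from collections import defaultdict

# One regex group per technique; all are matched case-insensitively.
TTP_PATTERNS = {
    "shadow_copy_deletion": [
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b",
        r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
    ],
    "backup_catalog_deletion": [
        r"\bwbadmin(\.exe)?\s+delete\s+catalog\b",
    ],
    "boot_recovery_tampering": [
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b",
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b",
    ],
    "firewall_disabled": [
        r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b",
        r"\bnetsh(\.exe)?\s+firewall\s+set\s+opmode\s+(mode=)?disable\b",
    ],
}
COMPILED = {name: [re.compile(p, re.I) for p in pats] for name, pats in TTP_PATTERNS.items()}

# Constructed sample export (hostnames, users and times are made up).
SAMPLE_LOG = """\
2024-02-10T01:12:03Z HIS-APP01 DOMAIN\\svc_backup C:\\Windows\\System32\\wbengine.exe
2024-02-10T02:41:15Z HIS-APP01 DOMAIN\\admin02 cmd.exe /c vssadmin delete shadows /all /quiet
2024-02-10T02:41:16Z HIS-APP01 DOMAIN\\admin02 wmic shadowcopy delete
2024-02-10T02:41:18Z HIS-APP01 DOMAIN\\admin02 bcdedit /set {default} bootstatuspolicy ignoreallfailures
2024-02-10T02:41:19Z HIS-APP01 DOMAIN\\admin02 bcdedit /set {default} recoveryenabled no
2024-02-10T02:41:21Z HIS-APP01 DOMAIN\\admin02 netsh advfirewall set currentprofile state off
2024-02-10T09:00:00Z HIS-DB02 DOMAIN\\dba01 vssadmin list shadows
2024-02-11T23:05:40Z HIS-DB02 DOMAIN\\admin02 vssadmin delete shadows /all /quiet
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")


def parse_line(line):
    """Split one exported event into its fields; return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(cmd):
    """Return the technique name a command line matches, or None if it is benign."""
    for name, regexes in COMPILED.items():
        if any(r.search(cmd) for r in regexes):
            return name
    return None


def verdict(ttps):
    """Shadow-copy deletion plus any other tampering is the ransomware staging signature;
    a lone vssadmin/wmic call may be a legitimate admin and needs operator confirmation."""
    if "shadow_copy_deletion" in ttps and len(ttps) >= 2:
        return "likely_ransomware_staging"
    return "suspicious_confirm_with_operator" if ttps else "clean"


def triage(lines):
    """Group matched events per host with the first suspicious timestamp and a verdict."""
    hosts = defaultdict(lambda: {"ttps": set(), "first_event": None, "events": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ttp = classify(ev["cmd"])
        if ttp is None:
            continue
        rec = hosts[ev["host"]]
        rec["ttps"].add(ttp)
        rec["events"].append((ev["ts"], ev["user"], ttp, ev["cmd"]))
        # ISO-8601 UTC timestamps sort correctly as plain strings.
        if rec["first_event"] is None or ev["ts"] < rec["first_event"]:
            rec["first_event"] = ev["ts"]
    return {
        host: {"ttps": sorted(rec["ttps"]), "first_event": rec["first_event"],
               "events": rec["events"], "verdict": verdict(rec["ttps"])}
        for host, rec in hosts.items()
    }


def earliest_host(findings):
    """The host with the earliest tampering is the first candidate when hunting for the entry point."""
    return min(findings, key=lambda h: findings[h]["first_event"]) if findings else None


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for host in sorted(result, key=lambda h: result[h]["first_event"]):
        rec = result[host]
        print(f"{host}: {rec['verdict']} first={rec['first_event']} ttps={rec['ttps']}")
    print("start the entry-point investigation at:", earliest_host(result))
```

Two caveats a responder should keep in mind when running something like this over real exports. First, a single shadow-copy deletion is not proof of compromise; backup agents and administrators delete shadow copies legitimately, which is why the script only raises its verdict to "likely ransomware staging" when the deletion is accompanied by boot-recovery or firewall tampering on the same host. Second, the earliest tampering host is only where to start looking: the actual entry point is usually an earlier, quieter event (a remote logon, a dropped tool) on that host, which is exactly why the DNSC asks hospitals to preserve logs rather than rebuild.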
Per the ransom notes left behind, the cybercriminals claim to have stolen sensitive data, which they threaten to sell if the ransom is not paid, and they provide an email address for victims to contact them.