
Ransomware Attack Disrupts Over 100 Romanian Hospitals, Including Cancer and Pediatric Centers

A massive ransomware attack has disrupted operations in multiple Romanian hospitals after encrypting databases and files. It targeted the Hipocrate Information System (HIS), an integrated healthcare management system sold by Romanian Soft Company (RSC).

A significant portion of the Romanian healthcare system, including pediatric and oncology centers, was impacted, forcing staff to resort to manual systems to admit patients and record treatments.

Backmydata ransomware attack impacted over 100 Romanian hospitals

Initially detected at Pitesti Pediatric Hospital on February 10, the ransomware attack impacted over 100 hospitals in Romania: 26 had their systems encrypted, and another 79 took their systems offline as a precaution to contain the infection. For scale, an analysis of the Romanian healthcare system estimated that the country has about 543 hospitals nationwide.

“During the night of 11-12 February 2024, a massive ransomware cyber-attack targeted the production servers running the HIS information system,” said the Romanian Ministry of Health. “As a result of the attack, the system is down, files and databases are encrypted.”

RSC notified DNSC before notifying the impacted hospitals, in order to comply with a reporting rule that requires vendors of digital products to report cyber incidents that could affect the availability of essential services.

Meanwhile, regulatory and security authorities are investigating the ransomware attack to determine its nature and scope. They advised impacted Romanian hospitals to take additional measures to limit the impact of the cyber incident.

“The incident is under investigation by IT specialists, including cybersecurity experts from the National Cyber Security Directorate (DNSC), and the possibilities for recovery are being assessed. Exceptional precautionary measures have also been activated for the other hospitals not affected by the attack,” said DNSC.

On February 13, DNSC disclosed that no evidence suggests the ransomware attack involved data exfiltration.

The Romanian national cyber security agency also advised the victims against paying the ransom. It recommended restoring the impacted systems from backups only after a complete cleanup of the affected hosts, and updating applications and operating systems before bringing them back online.

Most of the impacted hospitals have recent backups, taken no more than three days before the attack; one hospital's most recent backup was 12 days old. DNSC warned that paying the ransom does not guarantee data recovery and encourages cybercriminals to launch further attacks.

“This ransomware attack highlights the extreme vulnerability of healthcare organizations using interconnected systems to manage data,” said Nick Tausek, Lead Security Automation Architect at Swimlane. “Hospitals can’t afford downtime and are therefore viewed as more likely to pay ransomware demands, making them an appealing target for ransomware groups.”

Backmydata ransomware was involved

The threat actor used Backmydata, a variant of the Phobos ransomware family, to encrypt the hospitals' systems. The ransom note demanded 3.5 BTC (roughly $170,000) in exchange for the decryption key and a promise not to sell or leak confidential information.

Like other Phobos variants, Backmydata typically gains initial access through exposed Remote Desktop Protocol (RDP) services, most often by guessing weak credentials rather than exploiting a software flaw. Once it has a foothold, it establishes persistence, disables the host firewall, exfiltrates data, and encrypts files. It also deletes backups it can reach, so that victims cannot restore their systems without paying the ransom.
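Because the initial-access pattern described above (many failed RDP logons from one source, then a success) is visible in ordinary Windows Security logs, it can be detected before encryption starts. The script below is an added example, not code from the article, DNSC or any vendor. It assumes a simplified one-line-per-event export of Windows Security events (`timestamp EventID LogonType SourceIP TargetUser`; 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive/RDP, type 3 = network, which is what NLA pre-authentication attempts produce), a constructed sample log, and threshold/window values chosen for illustration.

```python
"""Flag RDP password guessing followed by a successful logon.

Added example (not part of the original article or of any DNSC material).
Log format is a constructed simplification of Windows Security events:
    <ISO timestamp> <EventID> <LogonType> <SourceIP> <TargetUser>
Event ID 4625 = failed logon, 4624 = successful logon.
Logon type 10 = RemoteInteractive (RDP); type 3 = network (NLA pre-auth).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real hospital telemetry. 203.0.113.7 guesses
# several accounts and then logs in as his_admin; 198.51.100.20 is a
# legitimate user who mistyped a password once.
SAMPLE_LOG = """\
2024-02-11T23:40:01 4625 3 203.0.113.7 administrator
2024-02-11T23:40:02 4625 3 203.0.113.7 admin
2024-02-11T23:40:04 4625 3 203.0.113.7 backup
2024-02-11T23:40:05 4625 3 203.0.113.7 his_admin
2024-02-11T23:40:07 4625 3 203.0.113.7 his_admin
2024-02-11T23:40:09 4625 3 203.0.113.7 his_admin
2024-02-11T23:41:30 4624 10 203.0.113.7 his_admin
2024-02-11T23:42:00 4625 10 198.51.100.20 nurse01
2024-02-11T23:42:15 4624 10 198.51.100.20 nurse01
"""

FAIL_THRESHOLD = 5             # assumption: tune to your environment
WINDOW = timedelta(minutes=10)  # assumption: look-back window for failures
RDP_LOGON_TYPES = (3, 10)


def parse(log_text):
    """Parse the simplified log into (timestamp, event_id, logon_type, ip, user)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, ip, user = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), ip, user))
    return sorted(events)  # chronological order, so the look-back is correct


def detect_rdp_bruteforce(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one finding per successful logon that was preceded by at least
    `threshold` failed logons from the same source IP within `window`."""
    failures = defaultdict(list)  # source ip -> timestamps of failed logons
    findings = []
    for ts, eid, ltype, ip, user in parse(log_text):
        if ltype not in RDP_LOGON_TYPES:
            continue
        if eid == 4625:
            failures[ip].append(ts)
        elif eid == 4624:
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= threshold:
                findings.append({
                    "source_ip": ip,
                    "user": user,              # account the attacker got into
                    "failed_attempts": len(recent),
                    "success_at": ts.isoformat(),
                })
    return findings


def noisy_sources(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Source IPs with at least `threshold` failed logons inside any sliding
    `window`, whether or not a logon eventually succeeded. Useful for blocking
    guessing attempts that have not yet paid off."""
    fails = defaultdict(list)
    for ts, eid, ltype, ip, _ in parse(log_text):
        if eid == 4625 and ltype in RDP_LOGON_TYPES:
            fails[ip].append(ts)
    noisy = set()
    for ip, times in fails.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                noisy.add(ip)
                break
    return sorted(noisy)


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(SAMPLE_LOG):
        print("likely compromised account:", f)
    print("sources to block:", noisy_sources(SAMPLE_LOG))
```

Both functions only need the event ID, logon type, source address and account name, so the same logic applies to a SIEM query over real 4624/4625 events. The threshold and window are deliberately conservative; a single failure followed by a success (the `nurse01` lines) is not flagged.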

Authorities and security experts have not attributed the ransomware attack on Romanian hospitals to any specific ransomware group.

While the 8Base ransomware group is known to have deployed Backmydata in earlier attacks, it has not claimed responsibility for the attack on Romanian hospitals.

The initial attack vector used in this incident has not yet been determined. DNSC has, however, released Backmydata indicators of compromise (IoCs) and advised hospitals to scan their infrastructure with its YARA scanning script.

“Shifting from a reactive to a proactive approach is key,” said Andrew Costis, Chapter Lead of the Adversary Research Team at AttackIQ. “By simulating real-world attacks using the common tactics, techniques, and procedures (TTPs) used by ransomware groups, organizations can continuously test their security defenses against these evolving threats to uncover any weak spots.”

The ransomware attack is the third incident involving Phobos-family malware to hit Romanian healthcare, after similar attacks in 2019 and 2021. It is also one of the largest recorded anywhere involving Backmydata ransomware.

“A bad time for the Healthcare sector, indeed,” said Darren Williams, CEO and Founder of Blackfog. “Following recent reports that the data of 33m people was stolen in France as a result of the Viamedis phishing attack, Romania is the latest victim of cybercriminals targeting the sector to access valuable data for monetary gain.”