Skip links

Romanian hospital ransomware crisis attributed to third-party breach

The Romanian national cybersecurity agency (DNSC) has pinned the outbreak of ransomware cases across the country’s hospitals to an incident at a service provider.

It said an unnamed service provider reported an issue prior to the flood of hospitals alerting the agency to the attacks.

The service provider operates the Hipocrate Information System (HIS) – a multipurpose healthcare management platform used by hospitals across the country. All hospitals caught up in the ransomware scourge are thought to have been breached via the HIS.

Per legal reporting obligations in Romania, service providers must inform the DNSC and national CSIRT of incidents that significantly impact the continuity of essential services.

“We are exactly in the scenario of the Backmydata/Phobos ransomware incident that affected dozens of hospitals in Romania,” the DNSC said today.

The scale of the ransomware emergency in Romania is bordering on the unbelievable as now more than 100 hospitals have been either disconnected from the internet or had their files encrypted.

The DNSC confirmed today that an additional hospital had its data encrypted, taking the total to 26. 

A further 79 healthcare units were preemptively disconnected from the internet on Monday hours after the first attacks were reported. They remain under investigation to see if any of them were also a target of the attack.

To put it into perspective, the number of affected healthcare centers has now surpassed the number of NHS trusts that were disrupted to some degree by 2017’s WannaCry attack.

The bulk of the attacks started in the late evening of February 11 and carried over into the early hours of the following day, the country’s Ministry of Health said. However, the first was detected at the Pitesti Pediatric Hospital on February 10.

One software company that is believed to be involved with running the app did not respond to our contact attempts. Its website also doesn’t appear to be functioning properly, displaying elements in a haphazard, non-stylized way.

The vast majority of the affected Romanian hospitals have recent backups available, the DNSC said, which is expected to enable relatively straightforward service restorations. One unnamed hospital, however, last backed up its data 12 days prior to the attack and could potentially face a more complex recovery.

Hospitals that use the Hipocrate platform have been issued with the following recommendations:

  • Identify affected systems and isolate them from the network and wider internet

  • Retain all materials received from the attackers, including the ransom note and any other communications. These will be used during investigations presumably after hospitals are restored to working order

  • Avoid shutting down any stems, since key evidence may be removed from RAM

  • Retain all logs for investigators’ use

  • Check those logs to see which systems may have been compromised

  • Immediately inform all staff, patients, and business partners of the situation

  • Attempt systems restoration from backups after a full cleanup has been carried out

  • Ensure all software is upgraded to the latest available versions

One oddity with the story is that the ransomware group is not known. Details left behind in the ransom note did not point to a specific group, which is unusual in modern attacks, and demanded 3.5 Bitcoin (around $180,000) as a ransom payment – a relatively low sum by current standards.

“The attackers’ message does not specify a group name claiming this attack, only an email address,” the DNSC confirmed on Tuesday. “Both the Directorate and other cybersecurity authorities involved in the analysis of this incident recommend that the attackers are not contacted and the requested ransom is not paid!”

The ransomware used was said to be called Backmydata, a variant of the Phobos ransomware family that’s been around for years under various guises and interactions.

Most recently a slightly modified version of Phobos was deployed by the 8Base ransomware group, although it should be said that 8Base has not claimed nor been attributed to the attacks in Romania. ®