Ransomware hits Romanian hospitals, disrupts operations

The Romanian national cybersecurity and incident response team cautioned that no money should be paid to the ransomware hackers.
By Leontina Postelnicu
01:25 PM

At least four hospitals in Romania were hit by ransomware last week in attacks the Romanian Intelligence Service said it suspected were launched by Chinese hackers.

The agency, known as SRI, told Healthcare IT News that a team from the National Cyberint Centre – SRI's cyberintelligence centre – was asked to go to Victor Babeș, an infectious and tropical disease hospital in Bucharest, the capital, to "pick up hard disks and evaluate the attacks" on 20 June.

Details are unclear, but three other facilities are also said to have been affected: a hospital in Huși, Vaslui county, in eastern Romania, one in Dorohoi, Botoșani county, also in the eastern part of the country, and one in Câmpeni, Alba county, in Transylvania.

In a statement from last week, the SRI said:

"Preliminary analysis indicates that installing any antivirus recognised in the industry is enough to stop the infection. Most likely, the infection is based on social engineering (tricking the user) and not the exploitation of a vulnerability (weakness) of the system. The ransomware is not of high complexity, it can be detected by any classic antivirus product."

A spokesperson told Healthcare IT News on 27 June that they were unable to reveal additional information due to an ongoing investigation.

WHAT HAPPENED
"The National Cyberint Centre suspect that the attackers are of Chinese origin," the SRI said on 21 June. "The hours when the Chinese hackers were active and the clues left in the messages asking for ransom were taken into consideration. We cannot offer more details at this time."

Experts believe the ransomware spread through emails with infected attachments disguised as invoices and plane tickets, Cătălin Aramă, director general of CERT-RO, the Romanian national cybersecurity and incident response team, told broadcaster Digi24.

A further investigation carried out by specialists from CERT-RO, Cyberint and Bitdefender indicated that the hospitals were attacked with Maoloa and Phobos malware, according to information released by CERT-RO.

"Maoloa is part of a relatively new malware family in the informatics threats landscape," it explained. "Appearing in February 2019, Maoloa is inspired by a family of ransomware called GlobeImposter, with which it shares a lot of common characteristics.

"Maoloa spreads through emails with infected attachments, as well as through hackers that access unprotected Remote Desktop Protocol instances. Once the system is infected, Maoloa encrypts files created with the Office suite, OpenOffice, PDF documents, text files, databases and multimedia files."

About Phobos, it said: "The Phobos ransomware is one of many variants of the prolific Crysys family. Phobos mainly spreads through manual infections that hackers initiate after breaching the organisation through exposed instances of Remote Desktop Protocol.

"After documents are encrypted, the victim is asked to send a message to an anonymous email address to establish the price for decryption, price that varies according to the profile of the company and the estimated turnover."

WHY IT MATTERS
Health minister Sorina Pintea told journalists that a criminal complaint would be filed with the Romanian Directorate for Investigating Organised Crime and Terrorism.

Pintea said the attacks had disrupted operations, slowing down admissions and discharges, and that similar attacks had targeted hospitals in Romania in the past. The minister said €10,000 was paid to recover data after a cyberattack at the Sighetu Marmaţiei municipal hospital in Maramureș in 2017.

However, Dunca Daniel-Radu, now manager of this facility, told Romanian broadcaster b1 that the hospital did not pay any ransom. He added that it was unclear whether the security firm helping them recover after the incident paid the sum mentioned by Pintea.

THE LARGER TREND
In the wake of the cyberattacks, CERT-RO emphasised that organisations should not cave into the demands of the ransomware hackers.

This week, the BBC reported that aluminium company Norsk Hydro refused to pay the ransom requested by cybercriminals after taking 22,000 computers offline, and have already spent £45m to restore operations.

CERT-RO and the Ministry of Health did not respond to a request for comment in time for publication.