
The National Cyber Security Agency was notified on Wednesday that the server running the Hippocrates app for the Smeeni Chronic Disease Hospital was encrypted with the same variant of the ransomware. DNSC says the infection occurred around the same time (12/02/2024) that similar servers at other hospitals were affected, but the power outage at that hospital prevented this incident from being detected and reported.
Ransomware is malicious software (malware) that blocks access to files or even the entire infected computer system until a “reward” (ransom) is paid.
- “By chance, the hospital had a power outage, which prevented it from detecting that the server was affected. In this case, steps are being taken to fix the problem and restore the data from the backup,” DNSC said on Wednesday.
The Directorate points out that, according to Law 362/2018, operators of essential services are required to immediately notify DNSC, as the national CSIRT, of incidents that have a significant impact on the continuity of essential services.
Immediate notification of the deterioration of essential services is also carried out in the situation where the breach is related to incidents affecting a digital service provider on which the provision of essential services depends.
- “We are following the exact scenario of the Backmydata/Phobos ransomware incident that affected dozens of hospitals in Romania. The service provider managing the HIPOCRATE program notified DNSC after becoming aware of the incident prior to any official notification from the hospitals,” DNSC said.
The agency also developed a patch for the impact of the Backmydata/Phobos ransomware cyber incident
“On February 13, the Sante Călărași clinic was mistakenly included in the list of organizations affected by a ransomware attack. This information has been updated in previous messages from the Office. In this case, the victim is actually the Santa Clinic Mitreni (Călăraşi). We apologize for this inaccuracy,” DNSC said.
A day ago, a security incident was confirmed at 4 more hospitals:
- Institute of speech therapy and ENT-functional surgery “Prof. Dr. D. Hociotă”, Bucharest
- Pneumophthisia sanatorium of Breda, Hunedoara
- Rosiori de Vede pneumophysiological hospital
- Santa Clinic Mitreni Medical Center
The attackers demanded a ransom of 157,000 euros
DNSC announced a day ago that there is also a ransom demand of 3.5 BTC (about €157,000).
The attackers’ message did not specify the name of the group responsible for this attack, but only an email address. Both DNSC and other cyber security agencies involved in the investigation of this incident advise NOT to contact the attackers and NOT to pay the requested ransom.
Hospitals using the Hippocrates platform, whether affected or not, received a series of recommendations from the DNSC as recently as Monday 12 February on how to properly address the situation:
- Identification of affected systems and their immediate isolation from the rest of the network, as well as from the Internet
- Keeping a copy of the ransom note and any other messages from the attackers. This information is useful for authorities or for further analysis of the attack
- Do not turn off damaged equipment. Shutting down will delete evidence stored in volatile memory (RAM)
- Collect and store all necessary log information from damaged equipment, as well as from network equipment and firewalls
- Examine system logs to determine the mechanism by which the IT infrastructure was compromised
- Notify all employees immediately and notify affected customers and business partners of the incident and its scope
- Restore affected systems from data backups after a complete system cleanup. It is absolutely necessary to ensure that backups are complete, up-to-date and secure from attacks
- Ensure that all programs, applications and operating systems are updated to the latest versions and that all known vulnerabilities are patched
21 hospitals were affected by Monday’s cyber attack. Pitesti Pediatric Hospital has been affected since Saturday, February 10, 2024. The other hospitals have been affected since February 11-12, 2024:
- Buzeu District Emergency Hospital
- Slobozhansk District Emergency Hospital
- “St. Apostol Andrey” Konstanz District Emergency Hospital.
- Pitesti District Emergency Hospital
- “Dr. Alexander Hafenk” Military Emergency Hospital, Konstanz
- Institute of Cardiovascular Diseases of Timisoara
- District emergency hospital “Dr. Kostyantyn Oprysh” Baia-Mare
- Sighetu Marmaciei City Hospital
- Tirgovishte District Emergency Hospital
- Coltea Clinical Hospital
- Mezhidi city hospital
- Fundeni Clinical Institute
- Oncology Institute “Prof. Dr. Al. Trestioreanu” Bucharest (IOB)
- Regional Institute of Oncology Iasi (IRO Iasi)
- Azuga Orthopedics and Traumatology Hospital
- Băicoi City Hospital
- Emergency Clinical Hospital for Plastic Surgery, Repair and Burns Bucharest
- St. Luke’s Hospital for Chronic Diseases
- MV Clinical Hospital No. 2 Bucharest
- MALP SRL Moinești Medical Center
According to the DNSC, the other 79 units of the health care system have been disconnected from the Internet and are being investigated further to determine whether (or not) they were the target of the attack.
Most of the affected hospitals have backup copies of data from the affected servers. The data was saved relatively recently (1-2-3 days ago), except for one hospital, whose data was saved 12 days ago. This can make it easier to restore services and data.
DIICOT conducts an investigation in rem
DIICOT announces that it is investigating illegal access to the system, disruption of IT systems and illegal operations with IT programs or devices in the case of a cyber attack that affected the operations of several hospitals in Bucharest and in the country on Monday. The investigation was launched after the notification of two commercial companies that provide services for the maintenance of the integrated IT system of public hospitals.
- “On 12.02.2024, two commercial companies that provide services for the maintenance of the integrated IT system of public hospitals in Romania informed the Office for the Investigation of Organized Crime and Terrorism that on February 11 and 12, 2024, unidentified persons attacked the integrated computer system and hardware infrastructure with the help of a ransomware-type virus, which led to the blocking of this system and communications of any kind, as well as limiting access to computer databases,” DIICOT said, according to News.ro.
In the established procedure, criminal proceedings are conducted based on the fact of committing crimes of illegal access to the system, disruption of computer systems and illegal operations with computer programs or devices.
Source: Hot News

Lori Barajas is an accomplished journalist, known for her insightful and thought-provoking writing on economy. She currently works as a writer at 247 news reel. With a passion for understanding the economy, Lori’s writing delves deep into the financial issues that matter most, providing readers with a unique perspective on current events.