The National Cyber ​​Security Agency (DNSC) on Wednesday revealed the identity of the company targeted by hackers, which sells the Hippocrates (aka HIS) IT system supplied to 26 hospitals.

“On the night of February 11-12, 2024, a ransomware-type cyber attack occurred on the Romanian software company (RSC) www.rsc.ro, which develops, administers and sells the Hipocrate IT system (also known as HIS). According to DNSC data, the attack disrupted the activities of 26 hospitals in Romania that use the Hippocrates IT system,” the statement on the institution’s website reads.

The malware used in the attack is the Backmydata ransomware, DNSC said, which is part of the Phobos malware family, known for spreading via Remote Desktop Protocol (RDP) connections.

Backmydata is designed to encrypt the target’s files using a sophisticated algorithm. Encrypted files are renamed with the extension .backmydata. After encryption, the malware sends two ransom notes (info.hta and info.txt) that detail how to contact the attackers and provide details to pay the ransom.

DNSC recommends that no one pay ransom to attackers!

• On the same topic: Another hospital that suffered from a cyberattack: the server of the hospital for chronic diseases in Smena was encrypted. Why did it only come out after 2 days

The attackers demanded a ransom of 157,000 euros

DNSC announced a day ago that there is also a ransom (ransom) demand of 3.5 BTC (about 157,000 EUR).

The attackers’ message did not specify the name of the group responsible for this attack, but only an email address. Both DNSC and other cyber security agencies involved in the investigation of this incident advise NOT to contact the attackers and NOT pay the requested ransom.

Hospitals using the Hippocrates platform, whether affected or not, received a series of recommendations from the DNSC as recently as Monday 12 February on how to properly address the situation:

• Identify affected systems and immediately isolate them from the rest of the network and the Internet

• Keeping a copy of the ransom note and any other messages from the attackers. This information is useful for authorities or for further analysis of the attack

• Do not turn off damaged equipment. Shutting down will delete evidence stored in non-volatile memory (RAM)

• Collect and store all necessary log information from damaged equipment, as well as from network equipment, firewall

• Examine system logs to determine the mechanism by which the IT infrastructure was compromised

• Notify all employees immediately and notify affected customers and business partners of the incident and its scope

• Restore affected systems from data backups after a complete system cleanup. It is absolutely necessary to ensure that backups are complete, up-to-date and secure from attacks

• Ensure that all programs, applications and operating systems are updated to the latest versions and that all known vulnerabilities are patched

21 hospitals were affected by Monday’s cyber attack. Pitesti Pediatric Hospital is affected starting Saturday, February 10, 2024. Other hospitals are affected starting February 11-12, 2024:

• Buzeu District Emergency Hospital

• Slobozhansk District Emergency Hospital

• “St. Apostol Andrey” Konstanz District Emergency Hospital.

• Pitesti District Emergency Hospital

• “Dr. Alexander Hafenk” Military Emergency Hospital, Konstanz

• Institute of Cardiovascular Diseases of Timisoara

• District emergency hospital “Dr. Kostyantyn Oprysh” Baia-Mare

• Sighetu Marmaciei City Hospital

• Tirgovishte District Emergency Hospital

• Coltea Clinical Hospital

• Mezhidi city hospital

• Fundeni Clinical Institute

• Oncology Institute “Prof. Dr. Al. Trestioreanu” Bucharest (IOB)

• Regional Institute of Oncology Iasi (IRO Iasi)

• Azuga Orthopedics and Traumatology Hospital

• Băicoi City Hospital

• Emergency Clinical Hospital for Plastic Surgery, Repair and Burns Bucharest

• St. Luke’s Hospital for Chronic Diseases

• MV Clinical Hospital No. 2 Bucharest

• MALP SRL Moinești Medical Center

According to the DNSC, the other 79 units of the health care system have been disconnected from the Internet and are being investigated further to determine whether (or not) they were the target of the attack.

Most of the affected hospitals have backup copies of data from the affected servers, the data was saved relatively recently (1-2-3 days ago), except for one, whose data was saved 12 days ago. This can make it easier to restore services and data.

DIICOT conducts research in rem

DIICOT announces that it is investigating illegal access to the system, malfunctioning of computer systems and illegal operations with programs or computer devices in the case of a cyber attack that affected the activities of several hospitals in Bucharest and in the country. on Monday. The investigation was launched after the notification of two commercial companies that provide services for the maintenance of the integrated IT system of public hospitals.

• “On 12.02.2024, two commercial companies that provide services for the maintenance of the integrated IT system of public hospitals in Romania informed the Office for the Investigation of Organized Crime and Terrorism that on February 11 and 12, 2024, “unidentified persons attacked the integrated computer system and hardware infrastructure with the help of a ransomware-type virus, which led to the blocking of this system and communications of any kind, as well as limiting access to computer databases,” DIICOT reported, according to News.ro. .

In the established procedure, criminal proceedings are conducted based on the fact of committing crimes of illegal access to the system, disruption of computer systems and illegal operations with computer programs or devices.

Photo source: 8vfand,Dreamstime.com