Romanian hospitals have been on heightened alert since late last week, when the authorities told doctors and hospital administrators to be vigilant after a wave of cyber attacks against several medical centres.
Romania’s Ministry of Health says hackers targeted nine hospitals in Bucharest and other towns in recent weeks. “Some hospitals have had problems with admissions and with access to their databases,” the ministry’s spokesperson, Oana Grigore, said.
“They are criminal attacks,” Ovidiu Marincea, from the Romanian Intelligence Service, SRI, told BIRN. “They were conducted by hackers to gain money.”
“After encrypting the institutions’ data, they demand a ransom, which can be paid in money into an account or in cryptocurrency or any other way,” Marincea explained. “If those who are targeted pay up, the hackers tell them their data will be decrypted.”
The SRI, whose investigation into the attacks is still underway, believes the criminals behind the attacks are from China. Marincea previously told local media that “the times in which the hackers were active” and the traces they left in their messages to their victims pointed to that scenario.
One of the targeted hospitals is the Dimitrie Castroian Municipal Hospital of Husi, in northeastern Romania. Its manager, Lucia Rotaru, told the media last week that the centre had lost part of its data.
“On April 21, the server was attacked and encrypted. The data was lost. We haven’t fully solved [the problem] yet,” he said. The attack took the hospital by surprise, Rotaru added, saying the hospital could not repel it despite having “a security system in place”.
The Romanian National Computer Security Incident Response Team, CERT-RO, the SRI and a private cybersecurity company, Bitdefender, have issued advice to hospitals to help them deal with further attacks.
“Don’t open files received via email unless you know the sender,” the advice reads. It warns against “irresistible promotions” in emails and recommends having all files backed up offline and an antivirus program installed. The Ministry of Health has sent the advice to all medical units in the country.
With more than 500 million users worldwide, Romanian anti-virus developer Bitdefender is one of the sector’s leaders. It collaborates with the Romanian authorities and with Interpol in preventing and investigating malware attacks.
Security agencies and private cyber companies warned earlier of the country’s vulnerability on the internet. In April, the National Cyberint Center, which is part of the SRI, warned of possible cyberattacks on the IT systems of public institutions during the EU and presidential elections this year.
Bitdefender said that Romania could be the most vulnerable country in the world to a new type of cyber attack, called Scranos, which steals all of the victims’ passwords and banking info and compromises their activity on social media.
The international cybersecurity company Kaspersky said the attacks on hospitals in Romania form part of an alarming global trend. There have been similar cases in the US and Germany.
Attacks on medical and other institutions are often launched through “phishing” messages or messages containing infected attachments.
“They pretend to come from a legitimate source and encourage the victim to open a link or attachment,” Bitdefender’s senior e-threat analyst, Liviu Arsene, told BIRN.
The content of the messages is tailored specifically to entice the victim, he explained, and takes into consideration the industry the person works in and even their department within the institution.
If sent to a human resources worker, for example, the email might come as a job application, and the ransomware be disguised as the candidate’s CV, Arsene noted.
The virus can also be installed on the computer after the hackers take control of it remotely. In both cases, the procedure is the same. “The victim sees a message on the screen with all the instructions he needs: how much the ransom is and how much it will grow by if he doesn’t pay within 24 or 72 hours, where he should buy the cryptocurrency from…” the same expert said.
Sometimes, he continued, those affected are instructed to start negotiations with the hacker at an email address. “The data doesn’t leave the computer. It remains on it, only you can’t access it,” Arsene said, explaining how ransomware works.
When the ransomware used has worm-like behaviour, it doesn’t infect only one computer but the whole system. “It can paralyze an entire hospital,” warns Arsene, who names patient data and the information needed to keep medical equipment working as some of the material that is vulnerable.
“The hacker’s goal is to create panic so they can convince the victim to pay,” the Bitdefender analyst said.
In line with the Romanian authorities, Bitdefender discourages targeted victims from paying ransoms to hackers. But the institutions targeted do not always listen to them. Desperate to have their systems back on track fast, some decide to pay up, as one Bucharest hospital did two years ago. “They paid the equivalent of 10,000 euros in Bitcoin,” Arsene recalled.
“If they pay a ransom, the victims have no guarantee that the perpetrators will honour their promise and give them back access to their data,” a CERT-RO statement on the latest wave of attacks read.
“They could be targeted again by the same group, as they already have a history of being a good payer,” the same text warned. Ransom payers thereby risk funding “the development of increasingly sophisticated cybernetic threats”, it concluded.
Bitdefender experts and Romanian authorities have revealed that the Maoloa ransomware has been used in some of the attacks against hospitals.
“Maoloa is a relatively new malware family,” a CERT-RO statement reads. This kind of ransomware appeared in February this year and has many traits in common with the GlobeImposter type of ransomware, the official communication goes on. It is installed on computers through malicious attachments sent via email or by hackers who gain access to unprotected systems.
The other ransomware used to encrypt data on Romanian medical centres’ computers is Phobos, “one of the many varieties of the prolific [ransomware] family Crysis.” Phobos makes it onto the targeted computers after cyber criminals have broken in via Remote Desktop Protocol.