Is Russia-Linked Phobos Ransomware Group Responsible for Romanian Healthcare Disruption?

On the 12^th of February, the Romanian Digital National Security Center (DNSC) announced that an unidentified threat actor launched a massive ransomware attack against Romanian e-health solutions provider RSC, temporarily disrupting server connection to the Hipocrate (HIS) infrastructure. The attacker demanded a 3.5 BTC ransom.

Following the official investigation, we aim to prove that the attack on the facilities was deliberate, razor-focused on the hospitals with the highest digitalization level.

Facts and takeaways

Incident timeline

On the 12^th of February 2024, DNSC announced a massive ransomware attack that disrupted the activity of 100 Romanian medical facilities.

Per DNSC’s press announcement, 21 hospitals experienced total data encryption and denial of service.

The institutions reverted to pen-and-paper as the system was offline. Multiple endpoints belonging to the medical facilities in question reported seeded ransom notes with instructions about data recovery.

The ransom was set at 3.5 BTC (i.e., approximately $180.000).

Additional information regarding payment methods – outside of the currency specific in the note – has not been public.

Also, the Romanian authorities have yet to announce the type of data that was stolen.

However, RSC’s official user manual for the Hipocrate (HIS) can shed some light on this affair.

According to the documentation, the platform can be used to create, shape, and manipulate the following data types.

• General patient data.
• Pharmacy and Rp.
• Patient admittance.
• EMS data.
• Lab and blood work.
• Reporting and statistics.
• Health Insurance data.
• Finance & accounting.
• DRG (i.e., Diagnostic-related Group) data.

Total or even partial compromise of the databases mentioned above could give hackers access to financial information or intelligence that can be used to stage other evil actions.

Since BackMyData/Phobos operates under the RaaS (Ransomware-as-Service) mantle, the threat actors would have supplied several payment handles (probably Monero), a small ‘decryptable’ data sample to back up their claims, and a deadline.

Regarding the motivation behind the attack, Ryan Montgomery, ethical hacker and the co-founder of Pentester.com commented that:

The primary motivation is indeed financial. Hospitals represent lucrative targets because they often pay ransoms quickly to restore critical services.

But it’s not just about money. Cybercriminals are aware that hospitals, with their focus on patient care / safety, may have underinvested in cybersecurity, making them easier targets.

However, the sensitivity of patient data adds pressure to pay ransoms to prevent data breaches. It’s a combination of financial gain and the vulnerability of healthcare institutions.

The incident is currently under investigation.

When new information comes to light, we will update this article.

However, DNSC confirmed that although medical data was encrypted during the attack, the attackers didn’t manage to exfiltrate it to a malicious C2.

On the 16^th of February, DNSC published the following update.

The DNSC team published the updated list of IOCs, validated on 15.02.2024.

We highlight once more that it is vital to use the IOCs for scanning the IT&C infrastructure by all health entities, whether or not they have been affected by the Backmydata ransomware attack.

Source

Analysis

DNSC’s National CSIRT compartment confirmed that the medical institutions have been compromised by the Phobos ransomware strain.

Although Phobos is generally associated with Russia-backed black-hat hackers, the Romanian authorities have yet to confirm or deny this theory.

Still, considering that Phobos is a subscription-based service, we can assume that the attackers might very well be soldiers of fortune rather than a coordinated Russian cyber-attack.

The official position is that the attackers have successfully infiltrated and compromised the medical facilities by ‘wiretapping’ the Remote Desktop Protocol (RDP) sessions established between e-health solutions vendor RSC and the managed, victim-side servers.

This could be achieved via an RDP session hijacking. However, an attack technique involving vendor compromise may lead to the same results with less effort.

RDP-type aggressions are common in the Romanian threatscape.

Back in 2020, DNSC raised awareness over RDP and brute-force attacks, urging companies to take steps to prevent network compromise and subsequent forms of cyber-aggressions.

Attacks focused on RDP are not something new under the sun. Ryan Montgomery said that:

Despite official discouragements from some ransomware groups, hospitals remain high value targets. This trend is likely to continue through 2024 and beyond.

The patterns I’ve observed include exploiting vulnerabilities in outdated systems, phishing attacks targeting healthcare staff, and, as in this case, attacks via Remote Desktop Protocol (RDP).

Cybercriminals are opportunistic and evolve their methods based on what’s effective and will make them the most money.

Following the initial breach of RSC, the threat actors most likely to lure users into interacting with malicious content.

Here are a couple of phishing examples for reference.

Here are a couple of spearphishing examples for reference.

The list of affected medical units provided by DNSC reveals that the attack was not random.

Intel suggests that the attack was aimed to target and disrupt hospitals with the best industry classification.

For instance, the bulk of the attack was directed at the hospitals belonging to classification groups I and II.

Read more about classification

• Category II hospitals

• Category I hospitals

Upon securing access to the victim-side Hipocrate servers, the threat actors executed the following services, DLLs, and executables.

• AntiRecuvaDB.exe
• kprocesshacker.sys
• dControl.exe
• DotNetTools.dll
• ExtendedNotifications.dll
• ExtendedServices.dll
• ExtendedTools.dll
• HardwareDevices.dll
• hydra.exe
• NetworkTools.dll
• OnlineChecks.dll
• peview.exe
• ProcessHacker.exe
• pw-inspector.exe
• SbieSupport.dll
• ToolStatus.dll
• Updater.dll
• UserNotes.dll
• WindowExplorer.dll
• BulletsPassView64.exe
• BulletsPassView.exe
• ChromePass.exe
• Dialupass.exe
• iepv.exe
• mailpv.exe
• mimidrv_32.sys
• mimidrv.sys
• mimik_32.exe
• mimik.exe
• mimilib_32.dll
• mimilib.dll
• mimilove_32.exe
• mspass.exe
• netpass64.exe
• netpass.exe
• NetRouteView.exe
• OperaPassView.exe
• pars.vbs
• PasswordFox64.exe
• PasswordFox.exe
• pspv.exe
• PstPassword.exe
• rdpv.exe
• RouterPassView.exe
• SniffPass64.exe
• SniffPass.exe
• VNCPassView.exe
• WebBrowserPassView.exe
• WirelessKeyView64.exe
• WirelessKeyView.exe.

Following the file encryption phase, the attackers dropped the ransom note.

As in the case of most ransomware attacks, the threat actors omitted from encryption the files, executables, and dependencies that the victim must use in order to pay the ransom.

Mitigating Phobos Ransomware

You can mitigate Phobos Ransomware by following DNSC’s recommendations.

1. Download and save locally the “YARA-ScanDNSC-v101.zip” archive from the link above
2. Extract the archive in the desired folder
3. Run the “scanare-drive-C-backmydata.bat” script with administrator rights to start the scan (NOTE: Right-click on the script and select “Run as administrator”)
4. Optionally, if it is necessary and applicable, also run the script “scanare-drive-D-backmydata.bat“
5. Check the generated messages in the terminal and the .txtfile in the “Logs” directory
6. In case of malware files detected, please send the .txtfile to DNSC at alerts@dnsc.ro.

Source: DNSC

In addition, DNSC recommended that all institutions ascribe to these cybersecurity rules.

• Increased vigilance, which is the main asset available to an ordinary user at any time. Attention should be paid to verifying incoming emails, especially those containing suspicious attachments or links.
• Scan with a security solution installed on your device, or one available for free online, for suspicious links or attachments in your mailbox. Don’t forget to apply the updates to these security solutions on time
• Suspicious emails should be reported to the IT department for isolation and investigation. Periodically check the rules of your email account, which can be set for automatic forwarding of all messages, which could lead to a data leak if there is an infection.
• Emergency update of operating systems, antivirus software, web browsers, email customers and Office programs.
• Access to the network should be continuously monitored by those responsible in IT departments, thus it can be determined in a timely manner whether an infection with a malicious program has occurred.
• Create system restoration points and back-up files. It is recommended to periodically create such restoration points and back-up for important files using a portable or cloud storage medium. Thus, it is possible to return to an uninfected state of the system or quickly recover files in case of a successful infection or malfunction of the system.
• Regular training sessions with staff. They are necessary for both awareness/prevention and to know what to do in cases where cybersecurity incidents happen so that they are managed effectively.

Source: DNSC

Preventing Phobos Ransomware

You prevent Phobos Ransomware by…

Embracing Zero-Trust

Adopting a Zero-Trust model can severely decrease the incidence of unauthorized access, thus actively preventing breaches and ransomware attacks. Other benefits to adopting zero-trust include:

• Preventing Data Breaches: Zero-trust minimizes the risk of internal and external data breaches by verifying every user and device before granting access.
• Enhanced Security Posture: Implements stringent security measures, ensuring that only authenticated and authorized entities have access to critical resources.
• Adapting to Modern Threats: Keeps pace with evolving cyber threats by assuming no entity within or outside the network is trustworthy.
• Compliance and Regulation: Helps organizations comply with strict data protection regulations by enforcing rigorous access controls.
• Reduced Attack Surface: Limits potential points of compromise by granting minimal access necessary for specific tasks, reducing the overall attack surface.
• Flexibility and Scalability: Adapts to the changing needs of businesses, facilitating secure remote work and cloud integration.
• Building a Culture of Security: Encourages a company-wide security mindset, making cybersecurity a shared responsibility.

Use strong passwords.

Passwords serve as an initial barrier against cyberattacks. It’s vital that businesses enforce password policies to mandate robust passwords, that are tough to breach.

Cybercriminals can easily exploit weak passwords, employing automated tools to forcefully gain access to systems and networks.

A robust password typically includes a combination of upper- and lower-case letters, digits, and special characters.

Also…

To combat these threats, there needs to be a stronger collaboration between cybersecurity professionals and the healthcare sector.

This includes regular cybersecurity training for healthcare staff, implementing solid cybersecurity protocols, and investing in advanced security infrastructure that will notify immediately of employee data leaks & sensitive information.

Additionally, healthcare institutions should engage in regular penetration testing and vulnerability assessments, possibly collaborating with organizations that offer pen-testing services.

Rapid information sharing between healthcare institutions and cybersecurity experts is also crucial in responding to and mitigating the impact of these attacks.

Ryan Montgomery, Ethical Hacker and the Co-Founder of PenTester.com

Lessons learned and next steps

In a recent development within Romania’s healthcare sector, which is rapidly embracing digitalization, an unexpected cybersecurity incident has occurred.

The situation remains a puzzle as no group has yet claimed responsibility for the attack.

The method of the breach was sophisticated, involving the BackMyData ransomware, part of the Phobos family, with the suspected entry point being the RSC infrastructure’s website.

This incident stresses the need for better cybersecurity collaboration, regular training, rigorous protocols, and stronger cybersecurity measures in the healthcare sector to prevent future attacks.

If you liked this piece, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.

Newsletter

If you liked this post, you will enjoy our newsletter.

Get cybersecurity updates you'll actually want to read directly in your inbox.

I agree to have the submitted data processed by Heimdal Security according to the Privacy Policy

Vladimir Unterfingher

Senior PR & Communications Officer

Experienced blogger with a strong focus on technology, currently advancing towards a career in IT Security Analysis. I possess a keen interest in exploring and understanding the intricacies of malware, Advanced Persistent Threats (APTs), and various cybersecurity challenges. My dedication to continuous learning fuels my passion for delving into the complexities of the cyber world.