Heimdal Security Blog

Is Russia-Linked Phobos Ransomware Group Responsible for Romanian Healthcare Disruption?

  • Vladimir Unterfingher

    • On the 12th of February, the Romanian Digital National Security Center (DNSC) announced that an unidentified threat actor launched a massive ransomware attack against Romanian e-health solutions provider RSC, temporarily disrupting server connection to the Hipocrate (HIS) infrastructure. The attacker demanded a 3.5 BTC ransom.

    Following the official investigation, we aim to prove that the attack on the facilities was deliberate, razor-focused on the hospitals with the highest digitalization level.

    Facts and takeaways

    Incident timeline

    On the 12th of February 2024, DNSC announced a massive ransomware attack that disrupted the activity of 100 Romanian medical facilities.

    Per DNSC’s press announcement, 21 hospitals experienced total data encryption and denial of service.

    The institutions reverted to pen-and-paper as the system was offline. Multiple endpoints belonging to the medical facilities in question reported seeded ransom notes with instructions about data recovery.

    The ransom was set at 3.5 BTC (i.e., approximately $180.000).

    Additional information regarding payment methods – outside of the currency specific in the note – has not been public.

    Also, the Romanian authorities have yet to announce the type of data that was stolen.

    However, RSC’s official user manual for the Hipocrate (HIS) can shed some light on this affair.

    According to the documentation, the platform can be used to create, shape, and manipulate the following data types.

    Total or even partial compromise of the databases mentioned above could give hackers access to financial information or intelligence that can be used to stage other evil actions.

    Since BackMyData/Phobos operates under the RaaS (Ransomware-as-Service) mantle, the threat actors would have supplied several payment handles (probably Monero), a small ‘decryptable’ data sample to back up their claims, and a deadline.

    Regarding the motivation behind the attack, Ryan Montgomery, ethical hacker and the co-founder of Pentester.com commented that:

    The primary motivation is indeed financial. Hospitals represent lucrative targets because they often pay ransoms quickly to restore critical services.

    But it’s not just about money. Cybercriminals are aware that hospitals, with their focus on patient care / safety, may have underinvested in cybersecurity, making them easier targets.

    However, the sensitivity of patient data adds pressure to pay ransoms to prevent data breaches. It’s a combination of financial gain and the vulnerability of healthcare institutions.

    The incident is currently under investigation.

    When new information comes to light, we will update this article.

    However, DNSC confirmed that although medical data was encrypted during the attack, the attackers didn’t manage to exfiltrate it to a malicious C2.

    On the 16th of February, DNSC published the following update.

    The DNSC team published the updated list of IOCs, validated on 15.02.2024.

    We highlight once more that it is vital to use the IOCs for scanning the IT&C infrastructure by all health entities, whether or not they have been affected by the Backmydata ransomware attack.

    Source

    Analysis

    DNSC’s National CSIRT compartment confirmed that the medical institutions have been compromised by the Phobos ransomware strain.

    Although Phobos is generally associated with Russia-backed black-hat hackers, the Romanian authorities have yet to confirm or deny this theory.

    Still, considering that Phobos is a subscription-based service, we can assume that the attackers might very well be soldiers of fortune rather than a coordinated Russian cyber-attack.

    The official position is that the attackers have successfully infiltrated and compromised the medical facilities by ‘wiretapping’ the Remote Desktop Protocol (RDP) sessions established between e-health solutions vendor RSC and the managed, victim-side servers.

    This could be achieved via an RDP session hijacking. However, an attack technique involving vendor compromise may lead to the same results with less effort.

    RDP-type aggressions are common in the Romanian threatscape.

    Back in 2020, DNSC raised awareness over RDP and brute-force attacks, urging companies to take steps to prevent network compromise and subsequent forms of cyber-aggressions.

    Attacks focused on RDP are not something new under the sun. Ryan Montgomery said that:

    Despite official discouragements from some ransomware groups, hospitals remain high value targets. This trend is likely to continue through 2024 and beyond.

    The patterns I’ve observed include exploiting vulnerabilities in outdated systems, phishing attacks targeting healthcare staff, and, as in this case, attacks via Remote Desktop Protocol (RDP).

    Cybercriminals are opportunistic and evolve their methods based on what’s effective and will make them the most money.

    Following the initial breach of RSC, the threat actors most likely to lure users into interacting with malicious content.

    Phishing?
    Phishing is a malicious technique based on deception, used to steal sensitive information (credit card data, usernames, and passwords, etc.) from users. The attackers pretend to be a trustworthy entity (usually by copying the look and feel of a big brand) to trick the victims into revealing their confidential data.

    Here are a couple of phishing examples for reference.

    What is Spearphishing?
    Spear phishing can be defined as an email spoofing attack that targets very specific and often key staff members. In 2016, Seagate had a major data breach three years ago after an HR officer sent out copies of employees’ 2015 W-2 tax forms, as requested via email by CEO Stephen Luczo.

    Here are a couple of spearphishing examples for reference.

    The list of affected medical units provided by DNSC reveals that the attack was not random.

    Intel suggests that the attack was aimed to target and disrupt hospitals with the best industry classification.

    For instance, the bulk of the attack was directed at the hospitals belonging to classification groups I and II.

    Read more about classification

    High-competence facilities equipped to serve county and neighboring regions, offering advanced medical services with sophisticated equipment and skilled staffing.

    Top-tier medical facilities serving regional populations with the highest level of equipment and staff, capable of providing highly complex medical services..

    Upon securing access to the victim-side Hipocrate servers, the threat actors executed the following services, DLLs, and executables.

    • AntiRecuvaDB.exe
    • kprocesshacker.sys
    • dControl.exe
    • DotNetTools.dll
    • ExtendedNotifications.dll
    • ExtendedServices.dll
    • ExtendedTools.dll
    • HardwareDevices.dll
    • hydra.exe
    • NetworkTools.dll
    • OnlineChecks.dll
    • peview.exe
    • ProcessHacker.exe
    • pw-inspector.exe
    • SbieSupport.dll
    • ToolStatus.dll
    • Updater.dll
    • UserNotes.dll
    • WindowExplorer.dll
    • BulletsPassView64.exe
    • BulletsPassView.exe
    • ChromePass.exe
    • Dialupass.exe
    • iepv.exe
    • mailpv.exe
    • mimidrv_32.sys
    • mimidrv.sys
    • mimik_32.exe
    • mimik.exe
    • mimilib_32.dll
    • mimilib.dll
    • mimilove_32.exe
    • mspass.exe
    • netpass64.exe
    • netpass.exe
    • NetRouteView.exe
    • OperaPassView.exe
    • pars.vbs
    • PasswordFox64.exe
    • PasswordFox.exe
    • pspv.exe
    • PstPassword.exe
    • rdpv.exe
    • RouterPassView.exe
    • SniffPass64.exe
    • SniffPass.exe
    • VNCPassView.exe
    • WebBrowserPassView.exe
    • WirelessKeyView64.exe
    • WirelessKeyView.exe.

    Following the file encryption phase, the attackers dropped the ransom note.

    As in the case of most ransomware attacks, the threat actors omitted from encryption the files, executables, and dependencies that the victim must use in order to pay the ransom.

    Mitigating Phobos Ransomware

    You can mitigate Phobos Ransomware by following DNSC’s recommendations.

    1. Download and save locally the YARA-ScanDNSC-v101.zip” archive from the link above
    2. Extract the archive in the desired folder
    3. Run the “scanare-drive-C-backmydata.bat” script with administrator rights to start the scan (NOTE: Right-click on the script and select “Run as administrator”)
    4. Optionally, if it is necessary and applicable, also run the script “scanare-drive-D-backmydata.bat
    5. Check the generated messages in the terminal and the .txtfile in the “Logs” directory
    6. In case of malware files detected, please send the .txtfile to DNSC at alerts@dnsc.ro.

    Source: DNSC

    In addition, DNSC recommended that all institutions ascribe to these cybersecurity rules.

    Source: DNSC

    Preventing Phobos Ransomware

    You prevent Phobos Ransomware by…

    Embracing Zero-Trust

    Adopting a Zero-Trust model can severely decrease the incidence of unauthorized access, thus actively preventing breaches and ransomware attacks. Other benefits to adopting zero-trust include:

    Use strong passwords.

    Passwords serve as an initial barrier against cyberattacks. It’s vital that businesses enforce password policies to mandate robust passwords, that are tough to breach.

    Cybercriminals can easily exploit weak passwords, employing automated tools to forcefully gain access to systems and networks.

    A robust password typically includes a combination of upper- and lower-case letters, digits, and special characters.

    Also…

    To combat these threats, there needs to be a stronger collaboration between cybersecurity professionals and the healthcare sector.

    This includes regular cybersecurity training for healthcare staff, implementing solid cybersecurity protocols, and investing in advanced security infrastructure that will notify immediately of employee data leaks & sensitive information.

    Additionally, healthcare institutions should engage in regular penetration testing and vulnerability assessments, possibly collaborating with organizations that offer pen-testing services.

    Rapid information sharing between healthcare institutions and cybersecurity experts is also crucial in responding to and mitigating the impact of these attacks.

    Ryan Montgomery, Ethical Hacker and the Co-Founder of PenTester.com

    Lessons learned and next steps

    In a recent development within Romania’s healthcare sector, which is rapidly embracing digitalization, an unexpected cybersecurity incident has occurred.

    The situation remains a puzzle as no group has yet claimed responsibility for the attack.

    The method of the breach was sophisticated, involving the BackMyData ransomware, part of the Phobos family, with the suspected entry point being the RSC infrastructure’s website.

    This incident stresses the need for better cybersecurity collaboration, regular training, rigorous protocols, and stronger cybersecurity measures in the healthcare sector to prevent future attacks.

    If you liked this piece, follow us on LinkedInTwitterFacebook, and YouTube for more cybersecurity news and topics.

    Related Articles: