
Roundup: Royal alert, RansomHouse strike and DoppelPaymer property confiscated



The US Federal Bureau of Investigation and European partners have shared warnings and coordinated statements in ransomware investigations involving at least one patient death. Meanwhile, hospitals in Barcelona prepare for the impact of a new cyber attack.

Royal Ransomware Actively Targets US Hospitals and Health Systems

The FBI and the Cybersecurity and Infrastructure Security Agency released a joint cybersecurity advisory on March 2 on known Royal ransomware intrusions and tactics identified as recently as January 2023.

According to John Riggi, national adviser on cybersecurity and risk for the American Hospital Association, this ransomware gang is actively targeting US hospitals and health systems.

He said on LinkedIn on Friday night that the alert's IOCs are actionable and should be loaded into cyber defenses as soon as possible.

According to the joint CSA, Royal ransomware relies on phishing, remote desktop protocol compromise, exploitation of public-facing applications, and the use of stolen virtual private network credentials purchased from third-party brokers.

The FBI and CISA say they believe Royal’s custom file encryption program has evolved from previous iterations that used Zeon as a loader.

Once inside, the attackers disable anti-virus software and exfiltrate large amounts of data before deploying the ransomware and encrypting systems.

Since approximately September 2022, cybercriminals have compromised US and international organizations with a Royal ransomware variant, the agencies said.

Royal actors have targeted many critical infrastructure sectors, including healthcare, media and others. Ransom demands range from $1 million to $11 million, to be paid in Bitcoin.

The Royal actors did not include a ransom amount and payment instructions in their initial note, the agencies said they had observed.

“Instead, the note, which appears after encryption, asks the victim to interact directly with the threat agent via the .onion URL (accessible through the Tor browser).”

RansomHouse redirects patient care in Barcelona

RansomHouse shut down computers at Clinic de Barcelona’s labs, emergency rooms and pharmacies at three main centers and some outside clinics on Sunday, according to the Associated Press.

The attack, which officials say was launched from outside Spain, caused the diversion of emergencies, 150 non-emergency operations and about 3,000 scheduled appointments.

Health care system officials said they do not know when systems will be back up; the outage includes loss of access to patient records and communication systems.

RansomHouse emerged with threat actors publishing evidence of stolen files and leaking the data of organizations that refused to pay the ransom, Bleeping Computer reported in May.

“The new operation claims not to use any ransomware and instead focuses on compromising the network through alleged vulnerabilities to steal the target’s data,” according to the report.

The cybercriminals have blamed victims for inadequate cyber security and for the small bug bounty rewards offered for vulnerability disclosure.

Sergi Marcén, telecommunications secretary for the regional government of Catalonia, told the AP that the hackers had not made any ransom demands this morning, but that if they did, no ransom would be paid.

Europol, FBI and others investigating DoppelPaymer suspects

Europol announced that on February 28, the German Regional Police and the National Police of Ukraine, with support from Europol as well as the FBI and the Dutch Police, raided the home of a German citizen suspected of playing a key role in the DoppelPaymer ransomware group's large-scale cyberattacks and interrogated a Ukrainian citizen who is also a suspect.

Investigators are currently analyzing equipment seized from three locations, two in Ukraine.

According to the announcement, the ransomware gang relied on a double extortion scheme using a leak website that it launched in 2020, and German authorities are aware of 37 victims.

Europol said: “One of the most serious attacks has occurred against the University Hospital in Düsseldorf.”

In the United States, victims paid at least 40 million euros between May 2019 and March 2021, Europol said, and DoppelPaymer is suspected of carrying out a major attack on the University Hospital Düsseldorf.

In 2020, the encryption of the hospital's servers required patients to be transferred to other facilities, resulting in the death of a woman who became critically ill before receiving treatment.

The AHA advocates prioritizing ransomware attacks against hospitals as life-threatening crimes and calls on the federal government to use its capabilities to crack down on ransomware organizations anywhere.

“We will continue to work to prevent these attacks and provide assistance to the victims who have been targeted,” US Attorney General Merrick Garland said in January when the FBI announced it had disrupted the Hive ransomware group, an action that saved hospitals from attacks.

“And together with our international partners, we will continue to disrupt the criminal networks that launch these attacks,” he pledged.

Andrea Fox is the senior editor of Healthcare IT News.

Healthcare IT News is a publication of HIMSS Media.
