A number of questions arise in connection with the cyber-attack on the hospital in Benešov. The attack significantly curtailed the operation of the medical facility and caused damage that was ultimately estimated at almost 80 million Czech crowns.
First of all, how did it actually happen?
The exact method of the virus infection and its propagation in the hospital’s IT infrastructure is still being investigated by security experts, but the general “modus operandi” of the virus is already known, so it is possible to describe how such an attack actually takes place.
Several previous incidents also show that the attack by the RYUK virus itself is preceded by an attack on the computer network by specialized malware, which can be compared to a specialized three-member gang and which usually enters the organization via e-mail.
- The planned attack begins with a massive spam campaign through which the hacker tries to persuade the e-mail recipient to open an attached infected document. The attachment usually looks like an invoice, a court enforcement order, payment details for a shipment or, as recent experience suggests, even important information about COVID-19.
- If an unsuspecting user opens the attachment, an inconspicuous “macro” in the document activates the first attacker: it downloads the EMOTET malware, which quietly begins to map the system environment and the running processes in order to call the second attacker and “load” another malware called TRICKBOT. TRICKBOT spreads over the insecure network infrastructure of the infected organization and actively collects user data, login details and passwords in order to obtain authorization, especially for the system’s remote access services.
- Once it has compromised privileged login details (admin, sysop), TRICKBOT opens a back door into the infected system, through which the third attacker is finally downloaded to the infrastructure – this time the RYUK virus itself. RYUK is designed to target important data and servers so that the attacking hacker can extort the highest possible ransom. RYUK itself is a high-risk type of ransomware that infiltrates the system and encrypts stored data, rendering it unusable. However, unlike most other viruses of a similar type, it does not rename the infected files but only adds the *.RYK extension to the encrypted files. It also creates a text file (“RyukReadMe.txt”) and places a copy in each existing folder. This text file usually contains a message informing the victims that their data has been encrypted and urging them to pay a ransom for restoring the files or for providing a decryption key.
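As an added example (not code from the article, from the hospital or from any of the investigating bodies), the following read-only Python scan turns the two file-system indicators named above, the appended .RYK suffix and the RyukReadMe.txt note dropped in each folder, into a triage report over an offline-mounted disk. Because it only lists and never opens files for writing, it respects the later advice to keep the encrypted data intact for analysis. The sample tree it builds is constructed for the demonstration and is not data from the incident, and case-insensitive matching is an assumption of this example rather than something the article states.

```python
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Indicators taken from the article: encrypted files keep their name and only gain
# a .RYK suffix, and a ransom note named RyukReadMe.txt is dropped in each folder.
# Lower-case comparison is an assumption of this example.
ENCRYPTED_SUFFIX = ".ryk"
RANSOM_NOTE = "ryukreadme.txt"


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)  # paths relative to the scan root
    ransom_notes: list = field(default_factory=list)     # paths relative to the scan root
    affected_dirs: set = field(default_factory=set)      # folders holding either indicator

    @property
    def is_hit(self) -> bool:
        return bool(self.encrypted_files or self.ransom_notes)


def original_name(filename: str) -> str:
    """Recover the pre-encryption name: the article states only the suffix is appended."""
    if filename.lower().endswith(ENCRYPTED_SUFFIX):
        return filename[: -len(ENCRYPTED_SUFFIX)]
    return filename


def scan_tree(root: str) -> ScanResult:
    """Read-only walk over a (preferably offline-mounted) file system.

    Nothing is opened for writing or deleted, so the encrypted data stays
    available for later analysis and possible decryption.
    """
    root_path = Path(root)
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root_path):
        rel_dir = Path(dirpath).relative_to(root_path).as_posix()
        for name in filenames:
            rel_file = Path(rel_dir, name).as_posix()
            lowered = name.lower()
            if lowered == RANSOM_NOTE:
                result.ransom_notes.append(rel_file)
                result.affected_dirs.add(rel_dir)
            elif lowered.endswith(ENCRYPTED_SUFFIX):
                result.encrypted_files.append(rel_file)
                result.affected_dirs.add(rel_dir)
    result.encrypted_files.sort()
    result.ransom_notes.sort()
    return result


def build_sample_tree(root: str) -> None:
    """Constructed sample data (not from a real incident): two hit folders, one clean."""
    layout = {
        "radiology/study001.dcm.RYK": b"<ciphertext placeholder>",
        "radiology/study002.dcm.RYK": b"<ciphertext placeholder>",
        "radiology/RyukReadMe.txt": b"<ransom note placeholder>",
        "finance/invoices.xlsx.RYK": b"<ciphertext placeholder>",
        "finance/RyukReadMe.txt": b"<ransom note placeholder>",
        "clean/readme.md": b"untouched file",
    }
    for rel, data in layout.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo() -> ScanResult:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    report = demo()
    print(f"affected folders: {sorted(report.affected_dirs)}")
    print(f"encrypted files: {len(report.encrypted_files)}, ransom notes: {len(report.ransom_notes)}")
    for f in report.encrypted_files:
        print(f"  {f} -> original name {original_name(Path(f).name)}")
```

On a real case the scan root would be the mount point of a disk image or a read-only mounted volume, and the affected-folder list is what an incident team feeds into the recovery plan: it tells them which agendas were hit and which data must come back from backups.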
The information systems of the hospital in Benešov were attacked with a version of the RYUK computer virus. It is known in the cyber/IT community as so-called “targeted ransomware” and is optimized to attack large companies and infect many computers simultaneously. See the “VIRUS RYUK” table for details.
How did the hospital react?
In the Hospital of Rudolf and Stefanie Benešov the whole incident was recorded on 11 December 2019 in the early morning hours. At approximately 03:10, an IT operator noticed a non-standard update of one of the hospital’s systems. The IT department performed an initial on-site analysis, and the first symptoms pointed to a cryptovirus attack.
At 04:00 the network elements were physically disconnected and the whole server infrastructure was shut down (preserved). A second, much more detailed analysis of the problem then took place with the assistance of the competent entities: the supplier of the anti-virus system, the National Cyber and Information Security Agency, aka NUKIB, and the Czech Police. At the same time, all users and affected patients were informed.
Without ICT support, the hospital’s operation technically went back 30 years to the times of the “paper hospital”, and pencil and paper became the basic tools. Fortunately, it was possible to redistribute the medical burden (urgent care) among other medical facilities in the Central Bohemian Region.
Over the next few days, a so-called DR plan (Disaster Recovery Plan) for the gradual recovery of the computer infrastructure was created. First the servers and end stations were reinstalled, then the backed-up data were restored into an isolated IT environment, and after several intermediate steps the recovery of the key agendas needed for the hospital’s operation began: the clinical systems, PACS (imaging), the economic and personnel subsystem and the pharmacy system.
As a result, it was necessary to optimize the network infrastructure within 7 days, to implement a new server environment and to reinstall about 400 of the 600 workstations on the hospital’s premises. However, the complete recovery of the hospital’s operation to its state before the attack took almost 3 weeks, and the total damage reached several tens of millions of Czech crowns.
How to defend the system?
In case of an attack
- If a ransomware infection is detected, immediately disconnect the computer from all networks. The system must be completely reinstalled and the passwords of all users changed.
- Immediately report the incident to your IT department and to the DPO, i.e. the Data Protection Officer (if you have one), and convene the hospital’s Emergency Committee. Also contact the relevant state authorities dealing with cyber and information security and, if necessary, the Police.
- It is advisable to keep the encrypted data for later analysis and possible decryption.
- Restore backed-up data (if available) only to a “sterile” infrastructure, even if this requires a complete reinstallation of the system or of individual workstations!
- Avoid paying the ransom. Firstly, there is no guarantee that you will receive the decryption key after payment, and at the same time, by paying you may be funding criminal structures, so-called eCrime.
- Publish information and train staff on the key topics of cyber and information security, in particular the dangers of phishing, fraudulent e-mails and potentially dangerous e-mail attachments.
- Use robust antivirus software to protect your devices from ransomware. Do not turn off the so-called heuristic functions in the AV settings, as these are to some extent able to catch new, previously unknown types of ransomware.
- Keep your software up to date. Install new updates for your OS and applications as soon as the manufacturer releases them.
- Back up! Always keep a separate backup of the system and of your application data! You can combine automatic backup to a cloud with backup to a physical medium (external hard disk, flash drive or backup server).
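Several of the defence steps above come back to the macro-carrying attachment that opens the whole chain. As an added example, not from the article, the hospital or any vendor, the following Python screening check for a mail gateway classifies attachments by whether they can carry a macro at all: macro-enabled OOXML extensions, any OOXML zip container that holds a vbaProject.bin part (the part in which Office stores a VBA project, regardless of what the file is named), and legacy binary Office formats, recognizable by their OLE compound-file header, which can embed VBA without revealing it in the name. The sample attachments are constructed here and named after the lures the article lists; the block/quarantine/allow actions are placeholder policy decisions for the demonstration.

```python
import io
import zipfile
from dataclasses import dataclass

# Extensions that are macro-enabled by definition (OOXML "m" variants) and legacy
# binary formats that may embed VBA without any hint in the extension.
MACRO_ENABLED_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
LEGACY_OLE_EXT = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML documents are zip containers


@dataclass
class Verdict:
    filename: str
    action: str   # placeholder policy: "block", "quarantine" or "allow"
    reason: str


def _extension(filename: str) -> str:
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot != -1 else ""


def _ooxml_has_vba(data: bytes) -> bool:
    """An OOXML file with a VBA project carries a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def screen_attachment(filename: str, data: bytes) -> Verdict:
    """Decide on content, not only on the name the sender chose."""
    ext = _extension(filename)
    if ext in MACRO_ENABLED_EXT:
        return Verdict(filename, "block", "macro-enabled Office extension")
    if data.startswith(ZIP_MAGIC) and _ooxml_has_vba(data):
        # Catches a .docx/.xlsx (or a renamed file) that still carries a VBA project.
        return Verdict(filename, "block", "OOXML container contains vbaProject.bin")
    if ext in LEGACY_OLE_EXT or data.startswith(OLE_MAGIC):
        # Legacy binary formats can hold VBA; the gateway cannot tell cheaply,
        # so hand them to AV/sandbox inspection instead of delivering directly.
        return Verdict(filename, "quarantine", "legacy binary Office format, inspect for VBA")
    return Verdict(filename, "allow", "no macro indicator")


def _make_ooxml(parts: list) -> bytes:
    """Constructed minimal OOXML-like zip for the demo (not a real Office document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for part in parts:
            zf.writestr(part, b"")
    return buf.getvalue()


def demo() -> dict:
    """Constructed attachments, named after the lures mentioned in the article."""
    samples = {
        "invoice_1234.docm": _make_ooxml(["word/document.xml", "word/vbaProject.bin"]),
        "court_enforcement.docx": _make_ooxml(["word/document.xml", "word/vbaProject.bin"]),
        "shipment_details.docx": _make_ooxml(["word/document.xml"]),
        "covid19_info.doc": OLE_MAGIC + b"\x00" * 64,
        "lab_results.pdf": b"%PDF-1.4 placeholder",
    }
    return {name: screen_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for verdict in demo().values():
        print(f"{verdict.filename:26} {verdict.action:10} {verdict.reason}")
```

The second rule is the one worth noting: a file renamed to .docx still contains its vbaProject.bin part, so the check looks inside the container rather than trusting the extension. An organization that legitimately exchanges macro documents would route the "block" cases to quarantine and review instead.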
Ransomware is a specific type of malware that prevents users/owners from accessing their data until the victim pays a ransom, usually in the form of a cryptocurrency payment. This virus was named after a fictional cartoon character from the Death Note series – RYUK.
Analysis of the code shows that it was most likely derived from another virus named HERMES and that it has been used since August 2018 by the eCrime group called WIZARD SPIDER to attack pre-selected entities in order to obtain a ransom.
In this context it is important to realize that RYUK uses the very strong encryption algorithms RSA-4096 and AES-256, so data recovery without the specific key is practically impossible and the victim is usually forced to pay a ransom in exchange for the release of the data.
Unfortunately, there are currently no tools that can “break” the RSA/AES encryption and recover the affected data “for free”. The alternative is to restore the data from backups or to pay the ransom.
European Ageing Network, Czech Republic