Hospitals offline across Romania following ransomware attack on IT platform
Four more Romanian hospitals were confirmed on Tuesday to have been affected by a ransomware attack against an IT platform, bringing the total to 25 facilities whose data has been encrypted. Another 75 hospitals in the country using the platform have been disconnected from the internet as investigators determine if they too are impacted.
According to the Romanian National Cyber Security Directorate, the unidentified hackers behind the attack are demanding 3.5 bitcoin, or about $170,000, to decrypt the data.
“Both the Directorate and other cybersecurity authorities involved in the analysis of this incident RECOMMEND that the attackers are NOT contacted and the requested ransom is not paid!” the agency wrote in a translated announcement.
Over the weekend, Hipocrate Information System (HIS) experienced “a massive ransomware cyber attack… on the production servers on which the HIS IT system runs,” the Romanian Ministry of Health said. “As a result of the attack, the system is down, files and databases are encrypted.”
On February 10, a pediatric hospital was confirmed to have been affected. Two dozen other hospitals impacted by the attack were announced over the course of the next three days.
“Most of the affected hospitals have backups of data from the affected servers, with data saved relatively recently (1-2-3 days ago) except for one, whose data was saved 12 days ago,” the cyber agency said. “This could allow for easier restoration of services and data.”
According to Romanian authorities, the attackers used a ransomware variant within the Phobos family called Backmydata. Phobos is a ransomware-as-a-service strain that targets poorly configured Remote Desktop Protocol (RDP) services, typically gaining access to login credentials through phishing campaigns or brute-force attacks.
Cyberattacks on the health sector have wreaked havoc for years, with a continuous drumbeat of reported incidents in 2023.
Just before Christmas, a hospital outside Kansas City, Missouri, was forced to transfer patients to other facilities. In December, patients at a Seattle cancer center were extorted during a ransomware attack. Also around the holidays, a healthcare provider in Australia announced that it had suffered a data breach.
James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.