Cyber Security News

Hospitals and Pipelines Hit in Two Different Ransomware Attacks

In a dual blow to critical infrastructure, a ransomware attack this week has paralyzed healthcare facilities in Romania, and details have emerged of how the defenses of a major energy supplier in Ontario, Canada were breached in November 2023.

Romanian Healthcare Ransomware Attack

Over 100 facilities have been forced offline following a ransomware attack targeting Romania’s healthcare infrastructure, with at least 25 hospitals falling victim. The assault, employing a ransomware variant believed to originate from Russian-speaking hackers, has left a significant portion of the nation’s healthcare system incapacitated, according to the Romanian National Cyber Security Directorate. The attack commenced at Pitesti Pediatric Hospital before proliferating to other medical facilities. In response, an additional 79 healthcare establishments have opted to disconnect from the internet in a bid to thwart further infiltration by the hackers. 

While the perpetrators have not been identified, investigations reveal the use of a ransomware strain dubbed Phobos, attributed to Russian-speaking hackers. Notably, this incident marks one of the most extensive deployments of Phobos to date, underscoring its pervasive threat. The hackers have demanded a ransom of 3.5 bitcoin, equivalent to nearly $170,000. The Romanian cybersecurity agency has nonetheless advised against complying with the demand.

Studies have consistently demonstrated the dire consequences of hospital downtime caused by ransomware attacks, with elevated mortality rates being a common outcome. Despite global efforts to counter such threats, ransomware attacks are proliferating, with victims shelling out a staggering $1 billion to their assailants last year alone.

ALPHV attacks Trans-Northern Pipelines

Across the globe in Ontario, Canada, Trans-Northern Pipelines Inc. (TNPI) confirmed a cyber breach in November 2023, leading to an ongoing investigation into data theft claims by the ALPHV/BlackCat ransomware group. Lisa Dornan, TNPI Communications Team Lead, told news website BleepingComputer that the cybersecurity incident impacted a limited number of internal computer systems. TNPI swiftly engaged third-party cybersecurity experts to contain the incident, emphasizing the continued safe operation of their pipeline systems. TNPI delivers refined petroleum products to major cities and airports in southern Ontario and western Quebec.

ALPHV, a ransomware group tracing back to November 2021, allegedly extracted 183GB of documents from TNPI's network. The stolen files have been made public on ALPHV's data leak site, accompanied by contact information for TNPI employees.

Between November 2021 and March 2022, ALPHV was responsible for over 60 breaches worldwide, accumulating ransom payments exceeding $300M from over 1,000 victims. Previously operating as DarkSide and BlackMatter, ALPHV has faced significant law enforcement scrutiny, including over its involvement in the Colonial Pipeline attack, which led to its temporary shutdown in December 2023. Despite FBI interventions disrupting their operations, ALPHV resurfaced and continues its malicious activities.

TNPI's breach underscores the evolving tactics of ransomware groups like ALPHV, emphasizing the importance of robust cybersecurity measures and proactive threat mitigation strategies. Vigilance against ransomware threats remains key in safeguarding critical infrastructure and sensitive data. To help improve your resilience to ransomware, the UK's National Cyber Security Centre (NCSC) publishes guidance you can review online; below is a summary of that advice:

Improve Your Resilience to Ransomware With 4 Key Actions: 

Action 1: Ensure Robust Backup Protocols 
Maintaining up-to-date backups is paramount for mitigating the impact of ransomware attacks.  

  • Regularly back up essential files, tailoring the frequency and scope to your organization's operational needs.
  • Store backups offline and in separate, secure locations to thwart ransomware targeting. 
  • Diversify backup solutions and storage locations to minimize vulnerabilities. 
  • Disconnect backup devices from the network to prevent infiltration by attackers. 
  • Employ cloud services that safeguard previous backup versions and facilitate seamless restoration.
  • Prioritize scanning backups for malware and promptly patch backup products to prevent exploitation.  

Action 2: Implement Proactive Malware Prevention Measures 
Preventing malware delivery and propagation demands a multifaceted approach: 

  • Employ network services for filtering, blocking malicious content, and inspecting data. 
  • Harden remote access points by disabling services like Remote Desktop Protocol (RDP), enforcing multi-factor authentication (MFA), and applying IP allowlisting.
  • Adhere to recommended VPN configurations and employ Single Sign-On (SSO) for internet-exposed services. 
  • Adopt the principle of least privilege and promptly patch known vulnerabilities in remote access devices. 

Action 3: Safeguard Devices from Malware Execution
Adopt a defense-in-depth strategy to prevent malware execution on devices:

  • Centrally manage devices to allow only trusted applications and enforce stringent security policies. 
  • Deploy enterprise antivirus solutions, maintain updated definitions, and provide comprehensive security training to employees. 
  • Restrict scripting environments, disable autorun for removable media, and stay vigilant against vulnerabilities by promptly applying security updates. 

Action 4: Prepare for Incident Response 
In the event of a malware infection, swift and decisive action is crucial: 

  • Disconnect infected devices from all network connections and consider isolating core network components.
  • Reset compromised credentials, wipe infected devices, and reinstall operating systems.
  • Verify the cleanliness of backups before restoration.
  • Monitor network traffic and conduct antivirus scans post-recovery.
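As an added illustration of the backup guidance in Action 1 and the "verify backups before restoration" step in Action 4, here is a Python script written for this summary (it is not NCSC tooling or code from any of the organizations mentioned above). It records a SHA-256 manifest of a backup set at backup time, then verifies the set against that manifest and against a maximum-age policy before a restore is attempted. The directory layout, file names and the tampering scenario are constructed for the demonstration; the manifest itself should be kept on a second, offline medium so that whoever can rewrite the backup cannot also rewrite the record of what it should contain.

```python
"""Backup integrity manifest: build at backup time, verify before restore."""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path
from typing import Optional

MANIFEST_NAME = "MANIFEST.json"  # assumed name; stored beside the backup and offline


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path, created: Optional[float] = None) -> dict:
    """Record the hash and size of every file under backup_dir plus a creation time."""
    files = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(backup_dir).as_posix()
            files[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return {"created": time.time() if created is None else created, "files": files}


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup on disk with the manifest.

    Reports modified (hash mismatch), missing (in manifest, not on disk) and
    unexpected (on disk, not in manifest) paths. A ransomware pass over a
    network-attached backup typically shows up as missing originals plus
    unexpected files carrying a new extension.
    """
    expected = manifest["files"]
    on_disk = {
        p.relative_to(backup_dir).as_posix(): p
        for p in backup_dir.rglob("*")
        if p.is_file() and p.name != MANIFEST_NAME
    }
    modified = sorted(rel for rel, p in on_disk.items()
                      if rel in expected and sha256_file(p) != expected[rel]["sha256"])
    missing = sorted(set(expected) - set(on_disk))
    unexpected = sorted(set(on_disk) - set(expected))
    return {"ok": not (modified or missing or unexpected),
            "modified": modified, "missing": missing, "unexpected": unexpected}


def backup_age_ok(manifest: dict, max_age_seconds: float, now: Optional[float] = None) -> bool:
    """True when the backup is no older than policy allows (e.g. 24h for daily backups)."""
    now = time.time() if now is None else now
    return (now - manifest["created"]) <= max_age_seconds


def run_demo() -> dict:
    """Constructed scenario: a clean backup, then a simulated encryption of one file."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "records").mkdir(parents=True)
        (backup / "records" / "patients.db").write_bytes(b"constructed sample data\n" * 100)
        (backup / "config.ini").write_text("[app]\nmode=prod\n")

        manifest = build_manifest(backup, created=1_700_000_000.0)
        (backup / MANIFEST_NAME).write_text(json.dumps(manifest))
        results["clean"] = verify_backup(backup, manifest)

        # What a ransomware run leaves behind: the original is gone and an opaque
        # file with a new extension sits in its place; the other file is untouched.
        (backup / "records" / "patients.db").unlink()
        (backup / "records" / "patients.db.locked").write_bytes(os.urandom(2400))
        results["tampered"] = verify_backup(backup, manifest)

        # 24-hour age policy evaluated 2 hours and 30 hours after the backup.
        results["fresh"] = backup_age_ok(manifest, 86_400, now=1_700_000_000.0 + 7_200)
        results["stale"] = backup_age_ok(manifest, 86_400, now=1_700_000_000.0 + 108_000)
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In practice `build_manifest` runs as the last step of the backup job and `verify_backup` plus `backup_age_ok` run as a gate before any restore; a non-empty `missing` or `unexpected` list is the signal to fall back to an older, offline copy rather than restore from a set that was reachable by the attacker.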