Russian crypto-ransomware virus behind attack on Benešov hospital
Almost every fifth Czech company faced a cyberattack last year, a rise of 20 percent year on year, according to data released by the Czech Statistics Office. The most common form of cyberattack was the so-called “distributed denial-of-service”, which causes normal traffic to collapse by overwhelming the server. However, hackers also often deployed extortion programs known as “ransomware”, which make data or even an entire system inaccessible until the attacker is paid off.
Hospital hit by Russian Ryuk virus
According to the police, the system was attacked by the Ryuk virus created by Russian hackers, which is also reported to have been behind the attack on the Czech coal mining company OKD, as well as being responsible for past attacks on public institutions in the US and Spain.
According to Ondřej Šafář from the antivirus company Eset, Ryuk is a specific virus aimed at a carefully selected target.
“Cybercriminals behind Ryuk do not focus on households or small companies. They select potentially interesting targets, big organizations, where in the event of a successful attack, there is a good chance of getting a high ransom for restoring the stolen data. From previous cases we know the ransom money they have been paid out has reached millions of dollars.”
The Ryuk virus does not attack immediately. When it enters the computer, it first thoroughly examines all data and documents without the user's knowledge, and is even capable of shutting down antivirus programs. Once everything has been thoroughly analysed, it encrypts the computer.
This cipher is basically unbreakable by available technologies, and the key to it is in the hands of the Russian criminal group that created it. According to Ondřej Šafář, the group eventually starts to negotiate the ransom price with the institution targeted.
“The only information you get from the Ryuk operators is that the computer network was attacked by Ryuk and there is a contact address. Usually this is in an e-mail sent via ProtonMail, a service that provides end-to-end encrypted e-mails. This is to make the identification of the attackers as hard as possible. And it is up to you to get in touch and start bidding in order to ascertain at what price and under what conditions they would be willing to decrypt your data.”
Protection of personal data
“I have no information about anyone having asked for money; that is not something we have had to deal with. We didn't lose a lot of data. We are in communication with the Office for Personal Data Protection and also with the National Office for Cyber and Information Security and are proceeding according to their directions.”
The governor refused to disclose any details regarding what kind of data had been lost, but she ruled out a possible leak of people’s health records.
The National Office for Cyber and Information Security has confirmed that it is dealing with the case but did not disclose any further details. The office never discloses specific details of attacks on the institutions hit, leaving it to them to decide how much information they want to disclose and when.
However, at the end of December, the National Office for Cyber and Information Security issued a warning against ransomware attacks, which can be preceded by a series of viruses that can modify, copy, or steal data.
“The hospital is now providing the full range of services to patients but it will take another five or six months for it to deal with the consequences. The damage done was estimated at 38 million crowns; re-installing the software cost another two million. There is also loss of revenue for care over those three weeks in which many departments were closed. We are still negotiating this matter with insurance companies.”
The hospital should have an accurate estimate of the losses sustained in the course of several months. Meanwhile, the Central Bohemian Region is giving it a 30 million crown subsidy to help tide it over the worst. And experts at the hospital are beefing up security.
The hospital’s director Roman Mrva explains that in the case of institutions such as hospitals this is not always easy to do.
“Our hospital will have very good security, I would say above-standard security. It is not that we were not adequately protected in the past, but this attack was very sophisticated. Our specialists are working according to recommendations from the National Office for Cyber and Information Security. We have new firewall systems and are reviewing the rules governing communication with outside networks. That is the problem with hospitals – you need communication channels with so many outside networks, other hospitals, insurance companies, social services and so on. Also, the firms that service the network need to have access to the system from outside. All this is changing quite radically in order to ensure greater safety.”
The cabinet is currently debating a tougher cyber security bill and the prime minister has said the issue is one of the government’s top priorities.