Russian crypto-ransomware virus behind attack on Benešov hospital

Benešov hospital, photo: Google Maps

Almost every fifth Czech company faced a cyberattack last year, a rise of 20 percent year on year, according to data released by the Czech Statistics Office. The most common form of cyberattack was the so-called “distributed denial-of-service”, which collapses normal traffic by overwhelming the server. However, hackers also often deployed extortion programs known as “ransomware”, which make data or even an entire system inaccessible until the attacker is paid off.

Hospital hit by Russian Ryuk virus

Ondřej Šafář, photo: archive of Eset
Hackers primarily target medium and large companies and institutions. One of the most publicized attacks in this country was the attack on the Rudolf and Stephanie hospital in Benešov, which paralyzed the institution for weeks: staff were unable to use X-rays, ultrasound or laboratory instruments and could not exchange information with other hospitals. Although the hospital is now fully operational, it is still recovering from the incident, and the cost of renewing the hospital’s operational system has so far been estimated at 40 billion crowns.

According to the police, the system was attacked by the Ryuk virus created by Russian hackers, which is also reported to have been behind the attack on the Czech coal mining company OKD, as well as being responsible for past attacks on public institutions in the US and Spain.

According to Ondřej Šafář from the antivirus company Eset, Ryuk is a specific virus aimed at a carefully selected target.

“Cybercriminals behind Ryuk do not focus on households or small companies. They select potentially interesting targets, big organizations, where in the event of a successful attack, there is a good chance of getting a high ransom for restoring the stolen data. From previous cases we know the ransom money they have been paid out has reached millions of dollars.”

The Ryuk virus does not attack immediately. When it enters a computer, it first thoroughly examines all data and documents without the user's knowledge, and it is even capable of shutting down antivirus programs. Only when everything has been thoroughly analysed does it encrypt the computer's data.
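The sequence described above (antivirus shut down first, bulk encryption afterwards) is something a defender can look for in endpoint telemetry. The following detector is an added example, not code from the article or from Eset; the log format, field names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One event per line: timestamp, host, event type, then key=value attributes.
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?: (?P<rest>.*))?$")

# Constructed sample telemetry (assumed format, not from the article): ws-12 has its
# antivirus service stopped and then a burst of file writes; ws-07 is normal activity.
SAMPLE_LOG = r"""
2019-12-11T02:01:10 host=ws-12 event=service_stop name=antivirus
2019-12-11T02:01:30 host=ws-12 event=file_write path=C:\share\report.docx.locked
2019-12-11T02:01:31 host=ws-12 event=file_write path=C:\share\scan01.dcm.locked
2019-12-11T02:01:31 host=ws-12 event=file_write path=C:\share\scan02.dcm.locked
2019-12-11T02:01:32 host=ws-12 event=file_write path=C:\share\labs.xlsx.locked
2019-12-11T02:01:33 host=ws-12 event=file_write path=C:\share\README_TO_RESTORE.txt
2019-12-11T02:05:00 host=ws-07 event=file_write path=C:\users\nurse\notes.txt
2019-12-11T02:06:00 host=ws-07 event=service_stop name=printspooler
2019-12-11T02:06:10 host=ws-07 event=file_write path=C:\users\nurse\notes.txt
"""


def parse(log):
    """Turn log text into (timestamp, host, event, attrs) tuples; skips malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        attrs = dict(kv.split("=", 1) for kv in (m["rest"] or "").split())
        events.append((datetime.fromisoformat(m["ts"]), m["host"], m["event"], attrs))
    return events


def detect(log, window=timedelta(minutes=5), threshold=3):
    """Return {host: file_write_count} for hosts where an antivirus service stop
    is followed within `window` by at least `threshold` file writes."""
    events = sorted(parse(log), key=lambda e: e[0])
    av_stop = {}                 # host -> time its antivirus service stopped
    counts = defaultdict(int)    # host -> file writes seen inside the window
    for ts, host, event, attrs in events:
        if event == "service_stop" and "antivirus" in attrs.get("name", "").lower():
            av_stop[host] = ts
        elif event == "file_write" and host in av_stop and ts - av_stop[host] <= window:
            counts[host] += 1
    return {h: n for h, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))  # flags ws-12 only
```

The window and threshold are deliberately parameters: on a real fleet they are tuned against the normal rate of service restarts and file activity, and the ransom-note write is just one more file event in the burst rather than a separate signature.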

This cipher is basically unbreakable by available technologies, and the key to it is in the hands of the Russian criminal group that created it. According to Ondřej Šafář, the group eventually starts to negotiate the ransom price with the institution targeted.

“The only information you get from the Ryuk operators is that the computer network was attacked by Ryuk and there is a contact address. Usually this is in an e-mail sent via ProtonMail, a service that provides end-to-end encrypted e-mails. This is to make the identification of the attackers as hard as possible. And it is up to you to get in touch and start bidding in order to ascertain at what price and under what conditions they would be willing to decrypt your data.”

Protection of personal data

Jaroslava Pokorná Jermanová, photo: Michaela Danelová / Czech Radio
The Central Bohemian Region, which owns the Rudolf and Stephanie hospital in Benešov, does not want to publish details of the attack. However the region’s governor Jaroslava Pokorná Jermanová told journalists that the hospital did not pay anyone any ransom money.

“I have no information about anyone having asked for money; that is not something we have had to deal with. We didn't lose a lot of data. We are in communication with the Office for Personal Data Protection and also with the National Office for Cyber and Information Security and are proceeding according to their directions.”

The governor refused to disclose any details regarding what kind of data had been lost, but she ruled out a possible leak of people’s health records.

The National Office for Cyber and Information Security has confirmed that it is dealing with the case but did not disclose any further details. The office never discloses specific details of attacks on the institutions hit, leaving it to them to decide how much information they want to disclose and when.

However at the end of December, the National Office for Cyber and Information Security issued a warning against ransomware attacks, which can be preceded by a series of viruses which can modify, copy, or steal data.

Beefing-up security

Over the past few weeks the hospital’s IT specialists have been working around the clock to reinstall software on over 600 computers in the hospital’s various departments and gradually retrieve the encrypted data. Governor Jermanová told Czech Radio that patients’ data had been backed up and that the hospital could not be faulted for neglecting any security requirements. She said that while the hospital was back in operation, it would take some time for it to fully recover from the attack.

“The hospital is now providing the full range of services to patients but it will take another five or six months for it to deal with the consequences. The damage done was estimated at 38 million crowns, re-installing the software cost another two million. There is also loss of revenue for care over those three weeks in which many departments were closed. We are still negotiating this matter with insurance companies.”

The hospital should have an accurate estimate of the losses sustained in the course of several months. Meanwhile, the Central Bohemian Region is giving it a 30 million crown subsidy to help tide it over the worst. And experts at the hospital are beefing up security.

The hospital’s director Roman Mrva explains that in the case of institutions such as hospitals this is not always easy to do.

“Our hospital will have very good security, I would say above-standard security. It is not that we were not adequately protected in the past, but this attack was very sophisticated. Our specialists are working according to recommendations from the National Office for Cyber and Information Security. We have new firewall systems and are reviewing the rules governing communication with outside networks. That is the problem with hospitals – you need communication channels with so many outside networks, other hospitals, insurance companies, social services and so on. Also, the firms that service the network need to have access to the system from outside. All this is changing quite radically in order to ensure greater safety.”

The cabinet is currently debating a tougher cyber security bill and the prime minister has said the issue is one of the government’s top priorities.