Cybercriminals who attacked Hospital Clínic sell stolen data

Cybercriminals who attacked Hospital Clínic sell stolen data

Sometimes, preventing threats and having a plan in place in time against possible cybersecurity attacks that may occur in an organisation, whether public or private, can be a “lifeline” against the numerous and undesired consequences that cybercriminals demand in order not to reveal the information stolen as a result of an attack that affects the security of key IT systems.

What happened in the attack on Hospital Clínic and what data was stolen?

On 5 March, the Hospital Clínic in Barcelona suffered a ransomware attack at the hands of the Ramsom House group. The Hospital Clínic’s IT and cybersecurity services quickly alerted the Catalan Cybersecurity Agency to try to find out the amount and types of data that had been stolen and provide a rapid solution to the serious problem of suffering a cyber attack.

The ramsomware was introduced by exploiting a security breach in the hospital’s computer systems, some of them using outdated software that can be attacked using public vulnerabilities (called Common Vulnerabilities and Exposures). This vulnerability resulted in an unauthorised intrusion that led to the spread of the malicious software responsible for stealing and encrypting the information, which can be accessed by cybercriminals.) Following the attack, the Ramsom House group demanded the payment of $4.5 million (approximately 4.25 million euros) in order not to make public the data they had stolen and encrypted. 

As a result of the attack, the hospital suffered the theft and encryption of more than 4.5 terabytes of personal data of patients and employees. In addition, the personal data stolen by the Ramsom House group is particularly sensitive. Health-related data such as admission records, medical records, medical orders, operating theatre reports, as well as data concerning race, sexual orientation or religious beliefs, are considered sensitive personal data under the GDPR and the LOPDGDD. Since the publication of the RGPD, this information is considered a special category of data, so the theft and encryption of this data by Ramsom House poses a serious risk to those affected.

How cyber attacks are carried out and how to prevent them

A cyber attack, or cyber attack, is a series of actions aimed at destroying or compromising an organisation’s computer systems. It can also be aimed at illegal access or massive theft of personal data, in which case it is called cyber-surveillance. Moreover, attacks can be carried out by different actors, who have completely different motivations:

• Individuals – so-called hackers – who act independently, usually motivated by financial gain.
• Organised groups, with different purposes, both criminal (terrorists) and ideological (activists).
• Governments, in attacks that are part of a cyber-warfare strategy, targeting either other governments’ computer systems or important public or private assets.
• Private companies, in cyber espionage actions.

The cyberattack suffered at Hospital Clínic de Barcelona was a ramsomware-type cyberattack. Ramsomware is a type of malware that is typically spread through phishing emails and advertisements with infected links or fake websites with embedded malware. Phishing emails usually appear to be sent by a legitimate organisation or by someone known to the victim (in targeted attacks), tricking the user into clicking on a malicious link or opening a harmful attachment. Once the files are locked, the ransomware displays a notification on the user’s screen, informing them that their files have been hijacked and demanding that they pay a ransom in a specific cryptocurrency to obtain the decryption key.

The main objective of cybercriminals is to make financial profit, as in the case of the Clinic, through the payment of ransom.

Any organisation is exposed to a cyber-attack, as it is impossible to be totally protected, but it can take some measures to prevent information theft. These measures could be: having complex and different passwords between different platforms and applications.

In addition, another measure that any company should take into account is to activate double verification processes in as many accounts as possible. These processes consist of having to enter two keys to enter an account, the password and, for example, an SMS that is sent immediately.

Also, to avoid falling victim to ransomware, it is important to avoid downloading files from unknown sources, keep your anti-virus software up-to-date and make regular backups of important data in a safe place out of the reach of cybercriminals.

How can information stolen in a cyber-attack be recovered?

After a cyber-attack, there are a number of ways to mitigate the effects. These actions will fit depending on your business situation. 

• Secure your network. These attacks usually involve some form of attacker access to the network, so it is recommended that you check all entry points to the network to look for and identify vulnerabilities.
• Restore files from backup. If your prevention system included a backup of your files, you can reinstall the affected devices. You should be sure not to restore from a disk on the same network as some malware can identify and infect your backup files.
• Attempt to recover files using decryption systems.

Moreover, cybersecurity technologies such as EDR (Endpoint Detection and Response), XDR (evolution of EDR with enhanced functions) or other SIEM (Security Information and Event Management) tools make it possible to detect this type of attack, collect them and issue alarms that enable real-time management of the cyber-attack, thus minimising its impact.

In conclusion, unfortunately, the Hospital Clinic de Barcelona suffered a complex attack, as it requires highly specialised technical knowledge to gain access to the information systems of a critical infrastructure, although the software used could have been detected if the optimal security measures had been in place. Unfortunately, the consequences of the cyber-attack are very negative as the likelihood of the stolen information being publicly exposed is very high.