Israel’s Health Ministry and the National Cyber System on Sunday morning issued a joint statement about an increase in cyber attacks against several hospitals and medical organizations over the weekend. According to the announcement, timely preparation and quick response on the part of the Health Ministry’s cyber center and staff on the ground in every medical facility halted the attempted attacks and no damage was done.
The Health Ministry noted that “together with the National Cyber System, we are carrying out many activities with entities in the health sector to further strengthen the level of protection while identifying new vulnerabilities that may invite attacks, and calling on threatened organizations to block them.”
The ransomware cyberattack on the Hillel Yaffe Medical Center in Hadera last Wednesday marked a new trend that could prove extremely dangerous for the State of Israel if the system is not mended (Hillel Yaffe Hackers Demanded $10 Million; Much of the Data Gone). The hospital was quick to issue a statement about the incident, but according to a Ynet report on Sunday (Hillel Yaffe Still Operating Partially; Attempted Cyber Attacks on 9 More Hospitals), it appears that what is really happening at the Hadera facility is being kept in strict secrecy. In fact, at this point, even the hospital management is not in the know, because once the initial attack had been exposed, the Prime Minister’s Office took over the handling of the case. So far, the true extent of the damage inside Hillel Yaffe can only be estimated based on what kind of information has not been revealed.
The attack was apparently a complete takeover of all the hospital systems by the cybercriminals. No system can be run at this point, no file can be accessed. The hospital had backup systems that should have allowed it to return to normal activity in a matter of hours, but in Hillel Yaffe, the backup systems have also been hijacked, and they are not accessible either. The attackers very likely extracted all the patient data and treatments, including the backups, before blocking the systems. There are also persistent rumors that the attack has spilled over to other medical institutions, perhaps to non-medical organizations as well.
The attackers are a cybercrime group known as DeepBlueMagic, which has only come to global attention in recent months. The cyber-attack tool it uses works particularly viciously and manages to surprise the most powerful cyber defense systems. In the case of Hillel Yaffe, the criminals probably didn’t even have to make much of an effort.
Heimdal Security on August 11 reported an incident that turned out to be a new ransomware strain along with a ransomware note, signed by DeepBlueMagic (DeepBlueMagic Ransomware Strain Discovered by Heimdal™ – New Ransomware, New Method). According to Heimdal, “This new ransomware strain is a complex one, displaying a certain amount of innovation from the standard file-encryption approach of most others.”
“By cleverly making use of a legitimate third-party disk encryption tool, the DeepBlueMagic ransomware started the encryption process not of files on the target’s endpoint, as ransomware usually does, but of the different disk drives on the server, except the system drive (the “C:\” partition),” Heimdal explained, adding: “The machine was found with the “C:\” drive intact, not encrypted in any way, and with ransom information text files on the desktop.”
The malicious software stopped every third-party Windows service found on the computer, in order to disable any security software. DeepBlueMagic then deleted the Windows Volume Shadow Copies, so that the encrypted volumes could not be restored from local snapshots, according to Heimdal.
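The two behaviours Heimdal describes above, mass stopping of services followed by shadow-copy deletion, are what a defender would look for in Windows event logs. The following is an added detection example written for this article; it is not code from the article, from Heimdal or from the malware, and the log format, host names and service names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample events, loosely modelled on the Windows System log
# (event 7036 = service state change) and Security log (4688 = process creation).
# Hosts, timestamps and service names are invented for this example.
SAMPLE_EVENTS = """\
10:01:02 7036 SRV01 The Windows Update service entered the stopped state.
10:01:03 7036 SRV01 The AcmeAV Real-Time Protection service entered the stopped state.
10:01:03 7036 SRV01 The Backup Agent service entered the stopped state.
10:01:04 7036 SRV01 The Print Spooler service entered the stopped state.
10:01:09 4688 SRV01 New Process: vssadmin.exe  Command Line: vssadmin delete shadows /all /quiet
10:02:30 4688 SRV02 New Process: notepad.exe  Command Line: notepad.exe
"""

SERVICE_STOP_RE = re.compile(r"^(\S+) 7036 (\S+) The (.+?) service entered the stopped state\.$")
PROC_RE = re.compile(r"^(\S+) 4688 (\S+) New Process: (\S+)\s+Command Line: (.*)$")
# Command lines that remove Volume Shadow Copies (the restore points the text mentions).
SHADOW_DELETE_RE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)


def analyse(events: str, stop_threshold: int = 3) -> dict:
    """Per-host findings: how many services stopped, whether shadow copies were
    deleted, and a severity that is 'high' only when both are observed together."""
    stops = Counter()        # host -> number of service-stop events
    shadow_hosts = set()     # hosts where a shadow-copy deletion was seen
    for line in events.splitlines():
        m = SERVICE_STOP_RE.match(line)
        if m:
            stops[m.group(2)] += 1
            continue
        m = PROC_RE.match(line)
        if m and SHADOW_DELETE_RE.search(m.group(4)):
            shadow_hosts.add(m.group(2))

    findings = {}
    for host in set(stops) | shadow_hosts:
        mass_stop = stops[host] >= stop_threshold
        deleted = host in shadow_hosts
        severity = "high" if (mass_stop and deleted) else "medium" if (mass_stop or deleted) else "low"
        findings[host] = {"service_stops": stops[host], "shadow_deletion": deleted, "severity": severity}
    return findings


if __name__ == "__main__":
    for host, f in analyse(SAMPLE_EVENTS).items():
        print(host, f)
```

A host that merely stops a few services, or one where only a shadow-copy deletion is seen, is reported at medium severity; the combination Heimdal describes is what raises the alert to high.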
The ransomware note was left in a text file named ‘Hello world’ on the desktop:
Hello. Your company’s server hard drive was encrypted by us.
We use the most complex encryption algorithm (AES256). Only we can decrypt.
Please contact us: [email address 1]
(Please check spam, Avoid missing mail)
Identification code: ******** (Please tell us the identification code)
Please contact us and we will tell you the amount of ransom and how to pay.
(If the contact is fast, we will give you a discount.)
After the payment is successful, we will tell the decrypt password.
In order for you to believe in us, we have prepared the test server. Please contact us and we will tell the test server and decrypt the password.
Please do not scan encrypted hard drives or attempt to recover data. Prevent data corruption.
If we don’t respond. Please contact an alternate mailbox: [email address 2]
We will enable the alternate mailbox only if the first mailbox is not working properly.