The 'hackers' demand 4.5 million dollars from the Clínic in exchange for not leaking patient data

Oliver Thansan
10 March 2023 Friday 14:02

The perpetrators of last Sunday's cyberattack on the Clínic hospital, the cybercriminal group RansomHouse, have demanded a ransom of 4.5 million dollars (4.25 million euros) from the Generalitat to release the stolen data and not publish it. Government officials have firmly reiterated this Friday that they do not intend to agree to the hackers' demands, so, according to the Mossos d'Esquadra, there is a "high probability" that patient data will be published.

The figure was confirmed at a joint press conference by the medical director of the Hospital Clínic, Antoni Castells; the director of the Cybersecurity Agency of Catalonia, Tomàs Roy; the head of criminal investigation of the Mossos, Ramón Chacón; and the Secretary of Telecommunications and Digital Transformation of the Generalitat, Sergi Marcén.

The cybercriminals contacted the Generalitat through messages, but the Secretary of Telecommunications has stated that no negotiation has taken place. Marcén has estimated that RansomHouse managed to steal four terabytes of data (one trillion bytes), although it is still unknown exactly what information it contains.

There is no doubt that the data was taken. As proof, the attackers have sent an image of the main directory tree of the hospital's system, in which all the server folders appear. According to Chacón, there is a "very high risk" that the data will be published. The Mossos, who are patrolling the deep web and the dark web, will try to prevent it.

"We know their modus operandi and where it is likely that they can publish it. It is about blocking the servers or the web, or asking Instagram to delete the information if that is the case," Chacón explained.

So far, all of the cybercriminals' steps have followed the usual pattern of a double extortion cyberattack. First, malicious code is introduced into the system and its use is blocked. Immediately afterwards (four days later in this case), money is demanded in exchange for decryption. If the extortion is unsuccessful, the data is stolen and its publication or sale is threatened.

"The objective is profit, we rule out other criminal types," Chacón stated. In Catalonia, 600 ransomware attacks took place last year (most of them small cyber-scams), which represent only 1% of cybercrime. According to the police expert, investigating this type of act is complicated by the fact that it is carried out from abroad.

The chances of catching the criminals are slim, but the Mossos have put all their efforts into it. "If we have to go to the other side of the world to look for these gentlemen, we will do it," says Chacón. "The complicated thing," he admits, "is that they jump from country to country when they are located."

Even if the hackers manage to slip away, they will do so empty-handed. From the outset, the Generalitat has maintained that it will not pay a ransom. "Never, never, never have to pay," reiterates Chacón. "If we pay, the economic capacity that we are giving these groups is very high. With 4.5 million they could carry out many more and more sophisticated attacks. It would be an unstoppable snowball. The only way to stop it is for no one to pay. If they know they never get paid, they won't."

Meanwhile, five days later, the hospital is withstanding the attack better than expected, the medical director, Antoni Castells, has stated, although all the work continues to be done manually. The center hopes to recover the passwords of all professionals today, and to recover universal access to SAP (the management software) on Monday or Tuesday to start working normally.

More than 200 contingency computers have been set up that have allowed access to the patients' clinical records. 15% of digital systems have been restored. According to Sergi Marcén, the structural database of the Health Department, which contains the shared clinical history, has not been compromised.

The improvement in the Clínic's activity is substantial. "In four days we have recovered 90% of the complex surgical activity, 40% of the less complex, 70% of the activity of external consultations. We have also recovered the emergencies due to the stroke code and the heart attack code," Castells reported. During the crisis, emergencies and hospitalization have been maintained at the three Clínic locations: Villarroel, Plató and Maternitat.

The cyberattack has caused the cancellation of more than 4,000 tests on outpatients (tests were carried out on hospitalized patients), more than 300 surgeries, and more than 11,000 outpatient visits. The Sant Pau hospital has taken over the radiotherapy treatment of 25 grade 1 cancer patients (who cannot interrupt therapy). Between them, this center and the Vall d'Hebron have taken on starting radiotherapy treatment for another ten cancer patients. Depending on progress over the weekend, the Clínic will decide whether it is in a position to restore this service on Monday.

Also on Monday, Tuesday at the latest, activity is expected to resume in the three outpatient clinics co-managed by the Clínic: Borrell, Casanova and Les Corts.

In the opinion of Tomàs Roy, general director of the Cybersecurity Agency of Catalonia, now it is a question of preventing new incidents from occurring. Despite the fact that the criminals have found a vulnerability, the Clínic has "good equipment and effective protection measures", he has stated. "Some of these measures are what allow us to recover at this speed. The Clínic is also a pointer and a benchmark in technology, and with a very high protection capacity."