Ransom House: who are they, how do they operate and what are the objectives of the Clínic hospital hackers?

The Hospital Clínic de Barcelona is still far from recovering normality.

Oliver Thansan
10 March 2023, Friday, 16:50

The Hospital Clínic de Barcelona is still far from recovering normality. 150 non-urgent surgeries and between two thousand and three thousand outpatient appointments have been cancelled for this Monday because of the cyberattack suffered on Sunday, and there is no forecast of when the systems will be restored. For now some emergencies are being attended to on site, while other cases are being referred to the Primary Care Emergency Centres (CUAP) and other nearby hospitals.

The Catalan authorities have identified those responsible for the cyberattack as Ransom House, a criminal group that operates from outside Spain and has claimed similar attacks in recent months.

"This group is specialized in data exfiltration. The interesting thing is that it is not a group dedicated exclusively to ransomware attacks; it also offers a collaborative platform for other allied groups to carry out combined attacks. In this sense, it has been observed that Ransom House has used various ransomware groups in its operations to encrypt the victims' data," Marc Rivero, cybersecurity expert at Kaspersky, explains to La Vanguardia.

It is very difficult to know who is behind these anonymous groups, which take advantage of the lack of cyber defence tools and expose the vulnerability of many institutions. "Its members operate from different countries," explained forensic computing specialist Bruno Pérez Juncà on RAC1's El Món programme.

Ransomware attacks such as the one suffered by the Hospital Clínic consist of rendering a computer system unusable, typically by encrypting its data, and then demanding a payment to restore access to the information. The Generalitat's Secretary of Telecommunications and Digital Transformation, Sergi Marcén, explained at a press conference that the attackers have so far not contacted the administration. In any case, the Government spokesperson has stated that "not a single penny will be paid."

At 11:17 a.m. on Sunday the Clínic notified the Catalan Cybersecurity Agency that it had suffered a cyberattack. Since then the agency's teams have been working to restore the systems as soon as possible, but on Monday the effects are still significant and could last for days. The attack is blocking communication between hospital departments and access to patient records and other data, although this information "is not affected," said the Clínic's medical director, Antoni Castells.

Some cybercriminals make it a rule not to attack hospitals, but this is not the case with Ransom House. "In the case of a group that makes its profits by extorting its victims and selling confidential information, it is to be assumed that a health institution's medical data are very attractive to trade with in the event that the victim does not pay," points out Josep Albors, Director of Research and Awareness at ESET Spain.

It is not yet known how the attackers got in. "These types of groups are very good at what is called offensive security. Ransom House has highly specialized personnel who can discover vulnerabilities in the software or in the providers that supply services to the Hospital Clínic. And it may be that one of these was the entry point for the attack the institution has suffered," Rivero continues.

However, the authorities stress that this is a "complex attack, which does not follow the classic modus operandi and includes new techniques," which is why they are still assessing the extent of the damage in collaboration with the Mossos d'Esquadra and Interpol. The foreseeable next step is a ransom demand in exchange for restoring the systems or the information.

Cyberattacks are becoming more frequent. In Catalonia around 1.7 billion attack attempts are recorded each year; 98% of them are blocked, and around two thousand turn into actual security incidents.

Many of them are preventable, according to Albors: "In the absence of further details, the reality is that most of these attacks succeed because the victims do not have an adequate security policy. Attackers exploit vulnerabilities that have not been patched for months or even years, use previously stolen credentials in campaigns targeting employees to gain access to the internal network, and move within that network, taking advantage of little or no network segmentation, to steal and encrypt data without major problems."
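The chain Albors describes (a logon with stolen credentials, lateral movement across an unsegmented network, then bulk data theft) is also what a defender can look for in authentication and flow logs. The script below is an added example written for this page; it is not code from the article, from the Hospital Clínic or from any vendor quoted here. The log format, the IP addresses, the account names and the thresholds are all constructed for illustration, and a real deployment would read events from a SIEM rather than from an inline string.

```python
"""Toy detector for the three stages Albors describes above: a logon with
stolen credentials, lateral movement across an unsegmented network, and
bulk exfiltration.  Log format, addresses and thresholds are constructed
for this example and are not taken from the Clínic incident."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log: "<timestamp> <event type> key=value ...".
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in
# for Internet addresses; 10.20.0.0/16 stands in for the hospital LAN.
SAMPLE_LOG = """\
2023-03-05T09:58:01 auth user=jsmith src=203.0.113.7 result=fail
2023-03-05T09:58:04 auth user=mgarcia src=203.0.113.7 result=fail
2023-03-05T09:58:09 auth user=aroca src=203.0.113.7 result=fail
2023-03-05T09:58:15 auth user=aroca src=203.0.113.7 result=ok
2023-03-05T10:02:00 flow src=10.20.5.14 dst=10.20.6.2 dport=445 bytes=51200
2023-03-05T10:02:03 flow src=10.20.5.14 dst=10.20.6.3 dport=445 bytes=4096
2023-03-05T10:02:05 flow src=10.20.5.14 dst=10.20.6.4 dport=3389 bytes=8192
2023-03-05T10:02:07 flow src=10.20.5.14 dst=10.20.6.5 dport=445 bytes=4096
2023-03-05T10:02:10 flow src=10.20.5.14 dst=10.20.6.6 dport=445 bytes=4096
2023-03-05T10:40:00 flow src=10.20.5.14 dst=198.51.100.9 dport=443 bytes=7516192768
2023-03-05T10:41:00 flow src=10.20.7.30 dst=10.20.6.2 dport=445 bytes=2048
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<type>\w+) (?P<kv>.*)$")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LATERAL_PORTS = {"445", "3389"}  # SMB and RDP, the usual lateral-movement channels


def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = {"ts": m["ts"], "type": m["type"]}
        event.update(kv.split("=", 1) for kv in m["kv"].split())
        yield event


def is_internal(ip):
    """RFC 1918 check; anything else (including the TEST-NET ranges) counts as Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(events, spray_users=3, fanout_hosts=4, exfil_bytes=1 << 30):
    """Return (kind, host, detail) findings in the order they are triggered."""
    findings = []
    failed_users = defaultdict(set)   # external src -> accounts it failed against
    fanout = defaultdict(set)         # internal src -> internal hosts hit on SMB/RDP
    outbound = defaultdict(int)       # internal src -> bytes sent to the Internet
    alerted = set()                   # (kind, host) pairs already reported
    for ev in events:
        if ev["type"] == "auth":
            src = ev["src"]
            if ev["result"] != "ok":
                failed_users[src].add(ev["user"])
            # A success from outside after failures on several accounts looks
            # like a stolen-credential list being tried against staff logons.
            elif not is_internal(src) and len(failed_users[src]) >= spray_users:
                findings.append(("stolen_credential_logon", src, ev["user"]))
        elif ev["type"] == "flow":
            src, dst, size = ev["src"], ev["dst"], int(ev["bytes"])
            if not is_internal(src):
                continue
            if not is_internal(dst):
                outbound[src] += size
                if outbound[src] >= exfil_bytes and ("exfiltration", src) not in alerted:
                    alerted.add(("exfiltration", src))
                    findings.append(("exfiltration", src, outbound[src]))
            elif ev["dport"] in LATERAL_PORTS:
                fanout[src].add(dst)
                if len(fanout[src]) >= fanout_hosts and ("lateral_movement", src) not in alerted:
                    alerted.add(("lateral_movement", src))
                    findings.append(("lateral_movement", src, len(fanout[src])))
    return findings


def hosts_with_full_chain(findings):
    """Internal hosts that both fanned out over the LAN and then pushed data outside."""
    by_host = defaultdict(set)
    for kind, host, _ in findings:
        by_host[host].add(kind)
    return sorted(h for h, kinds in by_host.items()
                  if {"lateral_movement", "exfiltration"} <= kinds)


if __name__ == "__main__":
    results = detect(parse(SAMPLE_LOG))
    for finding in results:
        print(*finding)
    print("full chain on:", hosts_with_full_chain(results))
```

On the constructed log this reports the external address that succeeded after failing against three staff accounts, the workstation that touched four different hosts over SMB/RDP within seconds, and the same workstation later sending several gigabytes to an Internet address; the host that shows both the fan-out and the outbound transfer is the one to isolate first. The thresholds are placeholders: in a segmented network the fan-out rule would instead key on connections that cross a zone boundary that policy says should never be crossed, which is exactly the control Albors says is usually missing.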