Ransomware disrupts Barcelona hospital.

A ransomware attack against the Hospital Clinic de Barcelona Sunday has severely disrupted the clinic’s computer operations, as well as forcing “the cancellation of 150 non-urgent operations, and up to 3,000 patient check ups,” the AP reported yesterday. The attack has been attributed to actors outside of Spain.

Barcelona hospital forced to shut down computer systems.

The Sunday attack on the center crippled computer systems at the “facilities, laboratories, emergency room, and pharmacy at three main centers, and several external clinics,” Security Week wrote Monday. The attack left approximately 150 elective surgeries, 500 extractions, and around 300 consultations unscheduled, writes EuroWeekly News. Urgent cases are said to be redirected to other locations. “We can’t make any prediction as to when the system will be back up to normal,” said hospital director Antoni Castells in a Monday news conference.

Ransom House threat actors behind the attack.

Sergi Marcen, the Secretary for Telecommunications and Digital Transformation at the hospital, has said the attack was perpetrated by threat actors outside of Spain, EuroWeekly News reported. Director Castells and general director of the Catalan Cybersecurity Agency, Tomas Roy, corroborated this claim, crediting the cyberattack to a gang known as Ransom House. Marcen said that RansomHouse normally “carries out these types of attacks in exchange for money, but so far they have not been in contact.” The secretary also said that in the event of the attackers making a ransom demand, it would not be paid.

Expert assessment of the Hospital Clinic de Barcelona ransomware incident.

Avishai Avivi, CISO of SafeBreach, has drawn some conclusions about the attack, describing how the threat actors moved and what went wrong:

“Very little technical information is available on the cyberattack on Hospital Clinic de Barcelona. With that, reading into what was already provided, we can deduce the following conclusions:

“This was a remote access attack – The spokesperson for the hospital defined that the attack originated outside of Spain. This means that the malicious actors could breach the hospital network remotely.

“The malicious actors were able to spread laterally – Considering that multiple locations were shut down (Laboratories, emergency rooms, pharmacies, and several external clinics). This suggests that the hospital’s networks were not properly segmented and segregated from each other.

"According to the press release, the threat actor is “RansomHouse.” This operator typically doesn’t encrypt the data, but rather, focuses on data exfiltration. This indicates that shutting down the computers was done to prevent further data exfiltration. This also suggests that Hospital Clinic de Barcelona does not have good egress security controls to prevent data leakage. This conjecture is further supported by the fact that the hospital seems to indicate that it will not pay the ransom, leading me to believe that it still has access to all its data.

"Since RansomHouse typically uses vulnerabilities to gain access, then to spread laterally, this suggests that the hospital did not fully patch its systems.

"Sadly, we see this quite often. Ransomware detection and prevention technology is still in its early days. Basic cyber hygiene would have helped Hospital Clinic de Barcelona contain and potentially avoid this breach altogether. Better security at the perimeter would prevent the adversary from getting an initial foothold. Better network segmentation and segregation and a comprehensive patching policy would have prevented the malicious actors from being able to spread laterally.

"Next, good egress controls like data leakage prevention (DLP) technology would have prevented the data exfiltration. RansomHouse does not usually encrypt the data. That said, having a good backup strategy can ensure the organization doesn’t lose access to its data. Finally, once all of the security controls above are in place, the organization must validate that they are operating as designed and as expected. They need to do this by performing adversary simulations.”

(Added, 2:00 PM ET, March 7th, 2023. Stephan Chenette, Co-Founder and CTO of AttackIQ also commented on the special attraction the healthcare sector holds for cybercriminals, and offers some advice on protecting hospitals from ransomware:

“The healthcare industry is one of the largest targets for cyber-criminals due to protected health information (PHI) being extremely profitable on dark web marketplaces because it usually contains fixed information, such as dates of birth and Social Security Numbers, which hackers can use to commit identity theft for years to come. Additionally, The Hospital Clinic de Barcelona is now forced to operate with reduced IT operations, causing the hospital to cancel thousands of patient appointments and forcing medical professionals to use pen and paper to communicate sensitive medical information. 

"This cyberattack serves as the latest reminder that organizations simply don't exercise their defenses enough, and healthcare organizations in particular should be evaluating their existing security controls to uncover gaps before an attacker finds them. We continue to see basic security protection failures resulting in data loss for companies both large and small. In February alone, Florida and Maryland hospitals suffered cyber attacks that limited IT operations. This trend is disturbing as the cost of recovering from a breach is far more expensive than conducting proactive testing to validate that the security products and services you have already purchased and implemented are working correctly. 

"To best defend against ransomware attacks, it’s essential to understand the common tactics, techniques, and procedures the adversary uses. In doing so, organizations can build more resilient security detection, prevention and response programs mapped specifically to those known behaviors. Organizations that manage sensitive health information must adopt a threat-informed cyber-defense strategy tailored to focus on the adversaries most likely to impact their operations to maximize their ability to protect sensitive information. This should include mapping their security controls to specific attack scenarios, aligned to the MITRE ATT&CK® framework, to measure an organization's cybersecurity readiness for the attacks that are sure to come. Additionally, companies should use automated solutions that safely validate their defensive controls against ransomware campaigns and their techniques to avoid falling victim.”)

(Added, 9:30 PM ET, March 8th, 2023. Jon Miller, CEO & Co-founder of Halcyon, wrote to comment on, among other things, the depraved indifference of the ransomware gangs. "Ransomware operators continue to demonstrate zero concerns about the collateral damage caused by their attacks," he said. "In a case like this, where the delivery of medical care gets disrupted, they're quite literally putting people's lives at risk. It's hard to fathom why we would continue to see ransomware attacks as purely an IT security issue."

The gangs often work towards two related, but distinct, objectives. "Often, these criminal groups operate as proxies whose attacks serve two purposes. The first is financial gain and the second is to instill fear and create uncertainty. Clearly, current strategies are insufficient to defend against this threat. If we want to break this near-constant ransomware attack cycle, we must take a different approach. Healthcare organizations continue to be a top target for ransomware attacks, not just because the nature of their operations increases the likelihood of a quick payout, but also because attacks like this terrify the public."

The Barcelona attack should serve, Miller thinks, as a warning not just to healthcare, but to all critical infrastructure sectors. "Everything the staff and patients at the Hospital Clinic de Barcelona are currently experiencing highlights the dire need for healthcare and other critical infrastructure organizations to do everything they can to ensure daily operations continue regardless of ruthless attacks like this. Robust detection and prevention capabilities are necessary, but we know attacks can get through those defenses. Resilience from the endpoint to across the entirety of an organization's operations has never been more paramount than it is today in the face of this ransomware scourge." Disruption and suffering aren't, from the criminal's point-of-view, bugs. They're features.)