100 Romanian hospitals shut down due to ransomware attack.

Authorities in Romania have reported that the Hipocrate platform has been disabled in at least 100 hospitals following a cyberattack using ransomware. Authorities confirmed that the attack affecting the Hipocrate Information System (HIS) disrupted at least 100 hospitals.

Hipocrate Information System (HIS) is a software package designed to manage the medical and administrative activities of hospitals and other healthcare facilities. The attack occurred on February 11 and caused data encryption on production servers.

"On the night of February 11-12, 2024, the production servers running HIS information technology were hit by a large-scale cyberattack by ransomware. As a result of the attack, the system was shut down and files and databases were encrypted," the Romanian Ministry of Health said.

Initially, the number of affected hospitals was 21, but authorities later confirmed that the number had risen to 25. Another 79 hospitals have shut down their systems as a precautionary measure. Romania's Health Ministry added that cybersecurity specialists, including cybersecurity experts from the National Directorate for Cybersecurity, are monitoring the situation.

The Romanian government also announced emergency precautionary measures to prevent other hospitals from being hit until that case. DNSC reported that the ransomware attackers used a variant of the Phobos ransomware family known as Backmydata ransomware. The threat actors are demanding a payment of 3.5 BTC (about 157,000 EURO).

"Hospitals utilizing the HIPOCRATE platform, whether they have been affected or not, are being advised by DNSC as of yesterday of a series of recommendations to properly manage the situation," according to DNSC.

Identify affected systems and immediately isolate them from the rest of the network and the Internet.

Do not turn off the affected equipment. Stopping it will delete evidence stored in volatile memory (RAM). Collect and retain all relevant information from system logs not only from the affected equipment, but also from network equipment and firewalls. Examine the system logs to identify the mechanism by which the IT infrastructure was compromised.

Alert all employees immediately and notify affected customers and business partners of the incident and its scope. Restore affected systems based on backed up data after a complete system cleanup. Absolutely ensure that backups are intact, up-to-date and protected from attack. Ensure that all programs, applications and operating systems are updated to the latest versions and that all known vulnerabilities are patched.

It is currently unclear whether the hackers stole sensitive data from the affected organizations.