Cybercriminals, it is widely observed, have a fondness for weekends. This is not by chance—at weekends organizations are short-staffed, making this the best time to launch a cyberattack.
It’s a pattern that played out in a ransomware attack on the Romanian health system on Sunday, Feb. 11, that sent some of the country’s most important hospitals back to the world of pen and paper.
First reports put the number of hospitals affected at 18, which soon climbed to 21, then 25, and then 30. It quickly became apparent that this was only for starters.
The attack targeted the Hipocrate Information System (HIS), a service provider platform used by hospitals to store and manage patient data, which was encrypted. Because the platform is widely used across healthcare in Romania, around 75 other hospitals decided to unplug themselves from it as a precaution.
Given that no hospital IT team was sleeping easily at this news, it’s not an exaggeration to describe this incident as a Denial of Service attack on the entire Romanian health system.
The attack serves as a reminder of how exposed health systems remain to ransomware despite years of similar incidents.
The early warning was WannaCry in 2017, which, among its many commercial victims, crippled dozens of National Health Service (NHS) Trusts in the United Kingdom. Not everyone believes the event was a simple ransomware attack, but the potential for major disruption was palpable.
What happened to the Irish Health Service Executive (HSE) in 2021 was a much clearer case study. A download to a single workstation set off a Conti ransomware attack which, in 2023, the Irish government reckoned had cost an estimated €144 million ($150 million) in response, recovery and upgrade costs. The eventual cost of the latter could take the bill to approaching €700 million.
According to security vendor Sophos, the frequency of ransomware attacks on healthcare doubled between 2021 and 2023. As with the latest attack on Romanian hospitals, encryption is still the main tactic against a sector that quickly struggles without data access for any period of time.
The most frustrating aspect of the attack is how basic it seems to have been. Full details of the incident have not been released, but press reports suggest that the ransom demanded was 3.5 bitcoins, equivalent to around €160,000 in mid-February.
By ransomware standards, this is peanuts. That could be because the attack was really a nation-state attack in disguise (with ransomware it’s sometimes hard to tell) or because a small-time ransomware affiliate hit the big time and unexpectedly took down a healthcare system.
Either way, this incident looks like more bad news. If this was a commercial attack gone haywire, that suggests that even small and less sophisticated ransomware groups can now cause mayhem. Alternatively, nation states are stepping up their attacks against critical infrastructure. Neither is a good omen. We must hope that the healthcare systems of other countries have been better secured.