Earlier this week, on the night of February 11th - 12th 2024, a ransomware attack targeting Romania’s healthcare sector forced 100 hospitals offline. The attack mainly targeted the production servers running the Hipocrate Information System (HIS). Threat actors then deployed the BackMyData ransomware, which encrypted confidential hospital data across 26 hospitals nationwide, and demanded a 3.5 Bitcoin ransom (approximately USD $175,000).
In a proactive response to the crisis, the Romania’s National Cyber Security Directorate (DNSC) disconnected 74 other healthcare organizations and hospitals linked to the HIS system from the internet and issued comprehensive directives to all hospitals. These include isolating impacted systems, preserving ransom notes and system logs, conducting thorough investigations to identify entry points, and ensuring system restoration through backups. DNSC has advised against any negotiation or payment to the perpetrators.
While these measures are intended to prevent further data breaches, taking servers offline and severing internet connectivity meant that some hospitals had to revert to pen and paper for patient administration and patient care.
What is BackMyData Ransomware?
BackMyData, identified as a ransomware variant affiliated with the Phobos family, encrypts and renames files and then presents victims with ransom notes. According to analysis by IBM X-Force, Phobos ransomware strains attempt to disable the firewall, delete shadow copies, prevent the system from booting into recovery mode and eliminate potential restore points, all of which hampers data recovery efforts.
Analyzing BackMyData Ransomware
IBM Security QRadar EDR autonomously reconstructs the ransomware infection via the Behavioral Tree, a graphical storyboard that highlights the key information in the attack. This greatly enhances analysts’ ability to contextualize the attack and gain a rapid, thorough understanding of the facts presented, reducing overall Mean-Time-To-Resolve (MTTR).
As seen in the behavioral tree, analysts can start from the trigger point (blue circle), and continue the investigation in a sequential order. While an attack might contain thousands of events, QRadar EDR artificial intelligence (AI) engines present only key processes and behaviors involved in the infection, color-enriched to indicate the different levels of severity. In the initial phase, the highlighted key events include the Malicious.exe, Ransomware Behavior, Dropped and Duplicated Executables. Having a clear picture of the attack reduces any doubts that an analyst may have during the investigation, or incessant toggling between different user interfaces or tabs to derive an investigative outcome.
Subsequently in the attack, the following commands can be seen executed to ensure further success in the compromise:
Destra: Preventing Shadow Copy Deletion
Destra is an extended Lua engine that allows customization of detection and response scripts, executed directly on the endpoint. Destra resides on the endpoint and monitors the device to detect and act upon anomalies and threats. A key benefit of Destra scripts is that they keep working even when the endpoint is offline or in an air-gapped environment.
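To make the idea behind a detection script such as the one above concrete, the following is an added example written for this page in Python (not Destra/Lua, and not IBM's or the product's own code). It evaluates process-creation events against rules for the recovery-inhibiting behaviours the post attributes to Phobos strains (firewall disablement, shadow copy deletion, disabling recovery boot, removing restore points) and then ranks parent processes that chain several of them. The events, field names and command lines are constructed sample data modelled on those behaviours; they are not command lines recovered from the incident described above.

```python
"""
Added example: rule-based detection of recovery-inhibition behaviour in
Windows process-creation events. Not Destra code; field names (Image,
CommandLine, ParentImage) and all sample events are constructed here.
"""
import re
from typing import Dict, List, NamedTuple, Set


class Rule(NamedTuple):
    name: str       # behaviour the rule detects
    severity: str   # mirrors the severity colouring an analyst would see
    image: str      # regex matched against the lower-cased executable base name
    command: str    # regex matched against the normalised command line


# Behaviours called out in the post: shadow copy deletion, restore point /
# backup catalog removal, recovery boot disabled, firewall disabled.
RULES = [
    Rule("shadow_copy_deletion", "high", r"^vssadmin\.exe$", r"\bdelete\s+shadows\b"),
    Rule("shadow_copy_deletion", "high", r"^wmic\.exe$", r"\bshadowcopy\b.*\bdelete\b"),
    Rule("backup_catalog_deletion", "high", r"^wbadmin\.exe$", r"\bdelete\s+catalog\b"),
    Rule("recovery_boot_disabled", "medium", r"^bcdedit\.exe$",
         r"\brecoveryenabled\s+no\b|\bbootstatuspolicy\s+ignoreallfailures\b"),
    Rule("firewall_disabled", "medium", r"^netsh\.exe$", r"\badvfirewall\b.*\bstate\s+off\b"),
]


class Finding(NamedTuple):
    rule: str
    severity: str
    parent: str     # base name of the parent process that spawned the command
    command: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _normalise(cmd: str) -> str:
    """Drop quotes, collapse whitespace and case-fold so trivial
    variations in how a command is written do not evade the regexes."""
    return re.sub(r"\s+", " ", cmd.replace('"', "")).strip().lower()


def evaluate(event: Dict[str, str]) -> List[Finding]:
    """Return every rule that a single process-creation event satisfies."""
    image = _basename(event.get("Image", ""))
    cmd = _normalise(event.get("CommandLine", ""))
    parent = _basename(event.get("ParentImage", ""))
    return [Finding(r.name, r.severity, parent, cmd)
            for r in RULES
            if re.search(r.image, image) and re.search(r.command, cmd)]


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    """Evaluate a batch of events and flatten the findings."""
    findings: List[Finding] = []
    for event in events:
        findings.extend(evaluate(event))
    return findings


def parents_chaining_recovery_inhibition(findings: List[Finding], minimum: int = 2) -> List[str]:
    """Parents that triggered at least `minimum` distinct rules. A single
    administrative command can be legitimate; one process chaining several
    recovery-inhibiting actions is the pattern worth blocking or alerting on."""
    by_parent: Dict[str, Set[str]] = {}
    for f in findings:
        by_parent.setdefault(f.parent, set()).add(f.rule)
    return sorted(p for p, rules in by_parent.items() if len(rules) >= minimum)


# Constructed sample events (Sysmon Event ID 1 style fields, made up for this example).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Users\Public\Malicious.exe"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": "wmic.exe  shadowcopy delete",
     "ParentImage": r"C:\Users\Public\Malicious.exe"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": '"C:\\Windows\\System32\\bcdedit.exe" /set {default} recoveryenabled No',
     "ParentImage": r"C:\Users\Public\Malicious.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh.exe advfirewall set currentprofile state off",
     "ParentImage": r"C:\Users\Public\Malicious.exe"},
    # Benign administration: listing shadow copies and showing firewall state.
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh.exe advfirewall show allprofiles",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.severity}] {f.rule} <- {f.parent}: {f.command}")
    print("chained recovery inhibition from:",
          parents_chaining_recovery_inhibition(results))
```

Run stand-alone, the script reports four findings, all spawned by the constructed `malicious.exe`, and flags that one parent as chaining three distinct recovery-inhibiting behaviours, while the two benign administrative commands produce nothing. A response script built on the same logic would act (kill the parent, isolate the host) at the point where the chain is recognised, rather than on any single command.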
To stay protected against new, evolving ransomware strains and the next generation of cyber-attacks, organizations need a flexible, behavior-based endpoint strategy. Accurate, near-real-time response can mean the difference between a compromised infrastructure and an unsuccessful breach.
IBM Security QRadar EDR is part of the IBM Security QRadar Suite, a modernized threat detection and response solution designed to unify the security analyst experience and accelerate their speed across the full incident lifecycle.
For more information on EDR, please visit our website.
Research Contributors: