IBM Security QRadar

 View Only

IBM Security QRadar EDR vs BackMyData Ransomware: Ransomware forces 100 Romanian Hospitals to go Offline

By Albert Puah posted Fri February 16, 2024 05:00 AM

IBM Security QRadar EDR vs BackMyData Ransomware

Earlier this week, on the night of February 11th - 12th 2024, a ransomware attack targeting Romania’s healthcare sector resulted in 100 hospitals being forced offline. The attack was mainly focusing on production servers where the Hipocrate Information System (HIS) IT system runs. Threat actors then deployed the BackMyData ransomware which encrypted confidential hospital data across 26 hospitals nationwide, and demanded a 3.5 Bitcoin ransom (approximately USD $175,000).

In a proactive response to the crisis, the Romania’s National Cyber Security Directorate (DNSC) disconnected 74 other healthcare organizations and hospitals linked to the HIS system from the internet and issued comprehensive directives to all hospitals. These include isolating impacted systems, preserving ransom notes and system logs, conducting thorough investigations to identify entry points, and ensuring system restoration through backups. DNSC has advised against any negotiation or payment to the perpetrators. 

While these measures are intended to reduce prevent further data breaches, the consequences of having servers offline and severed internet connectivity meant that some hospitals had to revert back to pen and paper for patient administration and patient care.   

What is BackMyData Ransomware? 

BackMyData, identified as a ransomware variant affiliated with the Phobos family, operates by encrypting and renaming files, followed by presenting victims with ransom notes. Through analysis done by IBM X-Force, Phobos ransomware strains attempt to disable the firewall, delete shadow copies, prevent booting the system from recovery mode, eliminating potential restore points and exacerbating data recovery efforts. 

Analyzing BackMyData Ransomware 

Through the lens of IBM Security, IBM Security QRadar EDR autonomously reconstructs the ransomware infection via the Behavioral Tree, providing a user-friendly graphical visualization storyboard that shines a spotlight on key pertinent information in the attack. This greatly enhances analysts’ ability to contextualize the attack, and gain a rapid and thorough comprehension surrounding the facts presented, reducing overall Mean-Time-To-Resolve (MTTR).  

BackMyData Ransomware - Execution PhaseBehavioral Tree analysis on BackMyData Ransomware

As seen in the behavioral tree, analysts can start from the trigger point (blue circle), and continue the investigation in a sequential order.
While an attack might contain thousands of events, QRadar EDR artificial intelligence (AI) engines present only key processes and behaviors involved in the infection, color-enriched to indicate the different levels of severity. In the initial phase, the highlighted key events include the Malicious.exe, Ransomware Behavior, Dropped and Duplicated Executables. Having a clear picture of the attack reduces any doubts that an analyst may have during the investigation, or incessant toggling between different user interfaces or tabs to derive an investigative outcome.

BackMyData Ransomware - IBM Continued Phase Investigation
 Behavioral Tree analysis on BackMyData Ransomware Cont.

Subsequently in the attack, the following commands can be seen executed to ensure further success in the compromise:

Purpose CmdLine
 Deleting Backup Catalog    "wbadmin delete catalog -quiet"
 Disabling the Automatic Startup Repair    "bcdedit /set {default} recoveryenabled no"
 Preventing system to boot in Safe Mode    "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
 Shadow Copy deletion    "wmic shadowcopy delete"
   "vssadmin delete shadows /all /quiet"
 Disabling Endpoint Firewall    "netsh firewall set opmode mode=disable"
   "netsh advfirewall set currentprofile state off"


BackMyData Ransomware - QRadar EDR Events
Security Events Log

Within seconds of the infection, the AI engines autonomously stopped the BackMyData ransomware threat, mitigating any harm caused by file deletion or encryption. The alert is then automatically closed, reducing any extra actions needed by the security team. This end-to-end detection to containment is attained with default protection policies at out-of-box configurations, w
ithout the need to create any additional detection content or configuration changes. Organizations can further enhance their security posture by adding more security detection layers via Detection Strategy (Destras), providing early-stage warning signals on activities that behave outside the norm which extends to on-premise and air-gapped deployments.

QRadar EDR Destra - Ransomware Terminate Parent

Destra: Preventing Shadow Copy Deletion


Destra is a Lua (extended) engine that allows customization of detection and response scripts, executed directly on the endpoint. Destra resides on the endpoint and monitor devices to detect and act upon anomalies and threats. A key benefit of Destra is that they work even when the endpoint is offline or in an airgapped environment.

To stay protected against new, evolving ransomware strains and the next generation of cyber-attacks, organizations need to opt for a flexible behavioral-based endpoint strategy. Also, having near real-time accurate response can mean the difference between a compromised infrastructure and an unsuccessful breach. 

IBM Security QRadar EDR is part of the IBM Security QRadar Suite, a modernized threat detection and response solution designed to unify the security analyst experience and accelerate their speed across the full incident lifecycle.

For more information on EDR, please visit our website

Research Contributors: