On 5 September, a hacker used ransomware to attack Saraburi Hospital, the largest hospital in Saraburi Province.
One doctor wrote a Facebook post describing a scene of chaos as medical staff lost access to systems and data. They resorted to asking patients for their past prescriptions and delivering printed lab results by hand.
What is ransomware
Ransomware is malicious software that encrypts files and systems with a key that only the perpetrator possesses. The malware then leaves a “ransom note” on the infected computers. The note usually demands payment in Bitcoin, a cryptocurrency whose wallet addresses are not tied to a real-world identity, which makes the recipient hard to trace.
In return, the hacker “promises” to provide the decryption key, which would “help” their victim regain access to the encrypted files.
What happened in Saraburi
At Saraburi Hospital, the ransomware likely infected one of the computers, then spread to the central server and encrypted the files there. This effectively prevented doctors and medical personnel from accessing most patient records, lab results, and prescriptions.
The malware may have arrived as a spam email attachment that someone opened on a computer connected to the hospital’s network. Or the hacker may have broken in through the hospital’s remote desktop protocol (RDP) service, a tool IT departments typically use to fix computer problems remotely, and a frequent entry point when it is reachable from the internet and protected only by a weak or reused password.
Either way, the malware spread across the hospital’s network, affecting not just one computer but the entire hospital.
Why a hospital
Hospitals are prime targets for cybercriminals, because they hold life-and-death information about patients and cannot operate for long without it, which raises the pressure to pay.
In 2017, the United Kingdom and much of the rest of the world were hit by a ransomware worm called WannaCry, widely attributed to North Korea.
Many of the UK’s National Health Service trusts were affected, forcing appointments to be rescheduled and ambulances to be diverted to unaffected hospitals.
Never pay the ransom
Most cybersecurity experts recommend that victims never pay the ransom.
Firstly, paying the ransom funds the attackers and encourages more cybercrime.
Secondly, you’ll be marked as easy prey. There’s a theory that the ransomware industry shares so-called “sucker lists,” consisting of victims who gave in and paid up.
Lastly, the hackers’ “promise” of a decryption key is not to be trusted. It is not unusual for the attacker to demand more after the victim has paid.
How to recover
The ransomware that attacked Saraburi Hospital, VoidCrypt, is relatively new and uses RSA-2048, a standard public-key algorithm with no known practical attack. Without the private key, which only the attacker holds, it is effectively impossible to decrypt the affected files.
There’s not much hope of the hospital getting the latest records back by other means. It will have to rely on its backups.
Hospitals are at risk because staff routinely open unfamiliar emails from suppliers and pharmaceutical sales reps. Antivirus software often misses new ransomware variants, because attackers pack and obfuscate the malware so that signature-based scans do not recognise it.
How to prevent
Hence, the most effective way to limit the damage of an attack is to back up the data, frequently and securely. Hospitals should invest in automated backup systems that copy critical data hourly, or at least daily, so that when worst comes to worst only a minimal amount of data is lost.
They should also keep redundant backups, with at least one offline copy, so that ransomware which reaches the network cannot encrypt or delete the online backups as well, and they should test restoring from those backups regularly.
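As an added illustration of the backup advice above (this is example code written for this page, not software used by the hospital or described in the article), the following Python script takes versioned snapshots of a directory, keeps a SHA-256 manifest for each, and flags a snapshot in which an unusually large share of files changed at once, which is what a ransomware run looks like to a backup job. The sample patient records, the snapshot labels and the 50% alert threshold are all constructed for the demonstration.

```python
"""Versioned backups with a change-rate check (added example, not from the article)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed sample "patient records" for the demonstration; not real data.
SAMPLE_FILES = {
    "records/patient_001.txt": "HN 0001 - metformin 500mg bid\n",
    "records/patient_002.txt": "HN 0002 - amlodipine 5mg od\n",
    "labs/cbc_2020-09-04.csv": "hn,hb,wbc\n0001,13.2,6.1\n",
}
# Assumed threshold: flag a snapshot if more than half of the files changed since the last one.
ALERT_THRESHOLD = 0.5


def file_digests(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def take_snapshot(source: Path, backup_root: Path, label: str) -> dict:
    """Copy source into a new directory named by label. Earlier snapshots are never
    overwritten, so one bad run cannot destroy a good copy. Writes a manifest beside it."""
    dest = backup_root / label
    shutil.copytree(source, dest)
    manifest = file_digests(dest)
    (backup_root / f"{label}.sha256").write_text(
        "".join(f"{digest}  {rel}\n" for rel, digest in manifest.items()))
    return manifest


def change_ratio(previous: dict, current: dict) -> float:
    """Fraction of previously backed-up files whose content changed or disappeared.
    Normal work changes a few files; ransomware rewrites nearly all of them at once."""
    if not previous:
        return 0.0
    changed = sum(1 for rel, digest in previous.items() if current.get(rel) != digest)
    return changed / len(previous)


def restore(backup_root: Path, label: str, target: Path) -> bool:
    """Restore a snapshot into target and verify every file against its stored manifest."""
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(backup_root / label, target)
    expected = {}
    for line in (backup_root / f"{label}.sha256").read_text().splitlines():
        digest, rel = line.split("  ", 1)
        expected[rel] = digest
    return file_digests(target) == expected


def simulate_ransomware(root: Path) -> None:
    """Stand-in for the attack: overwrite every file with random bytes, rename it and
    drop a ransom note. No real cipher is involved; only the effect on backups matters."""
    for path in list(root.rglob("*")):
        if path.is_file():
            path.write_bytes(os.urandom(len(path.read_bytes()) + 16))
            path.rename(path.with_name(path.name + ".locked"))
    (root / "README_RESTORE.txt").write_text("your files are encrypted\n")


def demo() -> dict:
    """Run the whole scenario in a temporary directory and return the measured results."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        source, backups, restored = tmp / "live", tmp / "backups", tmp / "restored"
        for rel, text in SAMPLE_FILES.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_text(text)
        backups.mkdir()
        first = take_snapshot(source, backups, "2020-09-04T23")
        # A normal hour of work: one prescription is updated.
        (source / "records/patient_001.txt").write_text("HN 0001 - metformin 850mg bid\n")
        second = take_snapshot(source, backups, "2020-09-05T00")
        ratio_normal = change_ratio(first, second)
        # The attack hits before the next scheduled run; that run captures only ciphertext.
        simulate_ransomware(source)
        third = take_snapshot(source, backups, "2020-09-05T01")
        ratio_attack = change_ratio(second, third)
        # The newest snapshot is useless, but the one before it restores and verifies cleanly.
        restored_ok = restore(backups, "2020-09-05T00", restored)
        return {
            "ratio_normal": ratio_normal,
            "alert_normal": ratio_normal > ALERT_THRESHOLD,
            "ratio_attack": ratio_attack,
            "alert_attack": ratio_attack > ALERT_THRESHOLD,
            "restored_ok": restored_ok,
        }


if __name__ == "__main__":
    print(demo())
```

Two points worth taking from the run: the snapshot taken after the attack is captured faithfully and is still worthless, which is why several retained versions matter more than the backup interval alone; and a snapshot directory on the same host is exactly the online backup the article warns about, so the retention and the change-rate alert complement, rather than replace, an offline or otherwise unreachable copy.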