Update: The hackers behind the cyberattack that disrupted the activity of multiple hospitals in Romania demanded a ransom of 3.5 BTC, or EUR 157,000. Romania’s National Directorate for Cyber Security recommended hospitals and authorities avoid contact with the attackers and refuse to pay.

According to the DNSC, the attackers' message does not specify a group name claiming the attack, but only an email address. The institution also said cyberattacks directed at four other healthcare units have been confirmed, but there is no indication of data exfiltration.

Hospitals using the Hipocrate platform, whether affected or not, have received from the DNSC a series of recommendations for properly managing the situation. Among these recommendations are the isolation of affected systems from the rest of the network and the avoidance of shutting down affected equipment so as to preserve evidence. The DNSC also advised restoring affected systems with the help of backups that are secure.

Twenty-one hospitals in Romania have been affected by the cyber attack so far. Prosecutors from DIICOT have already initiated an investigation into this case.

Initial story: Eighteen hospitals in Romania cannot report medical services, forcing patients to wait in emergency rooms after a ransomware cyberattack occurred on Monday morning, February 12, targeting a service provider for several health units. 

"Several hospitals are affected by the attack. At this moment, a team of DNSC specialists has been dispatched to the scene to investigate the cyber incident," the National Directorate for Cybersecurity said.

DNSC recommends that the IT teams of the hospitals should not be contacted, so they can focus on restoring IT services and data, which is a priority. 

Health minister Alexandru Rafila initially stated that between 15 and 20 hospitals in the country and in Bucharest are experiencing problems using the Hipocrate computer system.

"It's true. There are several hospitals facing issues with the use of an important computer program in hospital operations - it's called Hiprocrate. We don't know exactly how many hospitals are affected at the moment. We don't have the information, but we are working together with the National Cybersecurity Center to elucidate the causes and remedy them," the minister said, according to Agerpres.

An official press release from the Ministry of Health later specified that 18 hospitals were affected by the attack:

1. The Emergency Clinical Hospital for Plastic Surgery, Reconstructive Surgery and Burns, Bucharest 
2. Azuga Orthopedics and Traumatology Hospital "Dr. Constantin Opris" 
3. Baia Mare Emergency Hospital
4. "Sf. Apostol Andrei" County Clinical Emergency Hospital, Constanța 
5. "Prof. Dr. Al. Trestioreanu" Oncology Institute, Bucharest (IOB) 
6. "Dr. Alexandru Gafencu" Military Emergency Hospital, Constanța 
7. Sighetu Marmației Municipal Hospital 
8. Targoviste County Emergency Hospital 
9. C.F. Clinic Hospital No. 2, Bucharest 
10. Fundeni Clinical Institute 
11. Regional Oncology Institute Iași (IRO Iași) 
12. Buzău County Emergency Hospital 
13. Slobozia County Emergency Hospital 
14. Timișoara Institute of Cardiovascular Diseases 
15. St. Luca Chronic Diseases Hospital 
16. Colțea Clinical Hospital 
17. Medgidia Municipal Hospital 
18. Pitești County Emergency Hospital

"The information came from the Hipocrate system, which appears to have been attacked, and we stopped access to the public internet. Currently, we are operating offline. We have not sent patients home, and we continue our activity, albeit with a bit more difficulty," representatives of the "Bagdasar Arseni" Hospital conveyed.

It remains to be determined how the reporting and accounting of these services will be conducted because if they cannot be entered into the system, the hospitals will not be able to obtain funds from the National Health Insurance budget.

"Currently, a flood-type cyberattack towards a certain class of the hospital's public IP addresses is ongoing. We have blocked access to certain ports that were the target of the attacks. The attacks are coming from a botnet network and are still ongoing. Regarding the hospital's functionality, we are currently monitoring the attacks, and the services are not affected," announced Târgu Jiu County Hospital, cited by Digi24.

The administrator of the company that manages the Hippocrates system told Euronews Romania that there were backups and that system functionality could get back by Tuesday morning. 

radu@romania-insider.com

(Photo source: Georgejmclittle/Dreamstime.com)