According to a joint release from Israel’s Ministry of Health and the National Cyber Directorate, a surge in ransomware operations over the weekend targeted the networks of nine health institutes.
In the joint statement, the Israeli government claims that the attacks caused no harm to hospitals or medical institutions.
Before the weekend, the two agencies had already carried out several defensive actions across the health sector to find and remediate exposed vulnerabilities, prompted by the Wednesday attack on the Hillel Yaffe Medical Center.
Those measures were evidently insufficient to protect every exposed endpoint, since several healthcare organizations were compromised over the weekend anyway.
According to local media sources, the attack was carried out by Chinese threat actors using the ‘DeepBlueMagic’ ransomware strain, which first surfaced in the wild in August of this year.
DeepBlueMagic is known for disabling the security products that would normally detect and block file-encryption attempts, which is what lets its attacks succeed.
Israel’s National Cyber Directorate has published Indicators of Compromise (IOCs) in the form of file hashes observed in similar operations.
The agency recommends Israeli businesses take the following steps:
- Check the IOCs in the published CSV file against their own environment.
- Run an active scan of all computers and load the file hashes into the AV/EDR solutions the company uses.
- Make sure all VPN and email servers are running the latest version, so that threat actors cannot use them as an entry point into internal networks.
- Where servers are not up to date, patch them and reset the passwords of all users.
- Increase monitoring of the corporate network for unexpected events.
- Report any breach or suspicious activity to the Israel National Cyber Directorate.
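The first two recommendations amount to a hash-based IOC sweep: take the published hash list, hash every file on the hosts, and flag matches. The script below is an added example of how such a sweep can be implemented, not tooling from the Directorate or from the article. It assumes an IOC CSV in which each row carries one MD5, SHA-1 or SHA-256 hex digest (the algorithm is inferred from the digest length) plus an optional description; the Directorate’s actual column layout is not stated in the article. The hashes and files used in `demo()` are constructed on the spot and are not real indicators.

```python
"""Hash-based IOC sweep of a directory tree against an IOC CSV.

Added example. The CSV layout (one hex digest per row, algorithm inferred
from its length, other columns treated as a description) is an assumption
and not the published format of any agency.
"""
import csv
import hashlib
import io
import os
import tempfile
from pathlib import Path

# Hex digest length -> hashlib algorithm name.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_CHARS = set("0123456789abcdef")


def load_iocs(csv_text):
    """Parse IOC CSV text into {algo: {hexdigest: description}}.

    Any cell that is a 32/40/64-character hex string is taken as an
    indicator; the remaining cells of that row become its description.
    Matching is case-insensitive, so digests are normalised to lower case.
    """
    iocs = {name: {} for name in HASH_ALGOS.values()}
    for row in csv.reader(io.StringIO(csv_text)):
        for cell in row:
            value = cell.strip().lower()
            algo = HASH_ALGOS.get(len(value))
            if algo and set(value) <= HEX_CHARS:
                others = [c.strip() for c in row if c.strip() and c.strip() != cell.strip()]
                iocs[algo][value] = ", ".join(others) or "unlabelled IOC"
    return iocs


def hash_file(path, algos, chunk_size=1 << 20):
    """Compute every requested digest of one file in a single read pass."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def sweep(root, iocs):
    """Walk `root`; return (hits, errors).

    hits   : [(path, algo, digest, description)] for files matching an IOC
    errors : [(path, reason)] for files that could not be read

    Only the algorithms that actually occur in the IOC set are computed, so a
    SHA-256-only list costs one hash per file. Symlinks are skipped so the
    sweep does not wander outside the tree, and unreadable files are reported
    instead of aborting the whole run.
    """
    algos = [a for a, table in iocs.items() if table]
    hits, errors = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue
            try:
                digests = hash_file(path, algos)
            except OSError as exc:
                errors.append((str(path), str(exc)))
                continue
            for algo, digest in digests.items():
                if digest in iocs[algo]:
                    hits.append((str(path), algo, digest, iocs[algo][digest]))
    return hits, errors


def demo():
    """Run the sweep on constructed data; returns ([(filename, algo, desc)], errors)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        sample = root / "bin" / "svchost_update.exe"
        # Constructed sample file standing in for a dropped binary; not malware.
        sample.write_bytes(b"constructed sample payload, not real malware\n" * 100)
        (root / "notes.txt").write_text("benign file\n")
        # Constructed IOC list: the SHA-256 of the sample file, plus the MD5 of
        # the empty string as a control entry that should match nothing here.
        sample_sha256 = hashlib.sha256(sample.read_bytes()).hexdigest()
        csv_text = (
            "indicator,description\n"
            f"{sample_sha256},constructed sample dropper\n"
            "d41d8cd98f00b204e9800998ecf8427e,md5 of empty input (control)\n"
        )
        hits, errors = sweep(root, load_iocs(csv_text))
        return [(Path(p).name, algo, desc) for p, algo, _digest, desc in hits], errors


if __name__ == "__main__":
    for hit in demo()[0]:
        print("MATCH", *hit)
```

On a real host you would point `sweep()` at the drives to be checked and feed `load_iocs()` the Directorate’s CSV; the match list is what goes into the incident report, and the same hashes are what you add to the AV/EDR blocklist. A hash sweep only catches the exact samples already seen, so it complements rather than replaces the monitoring step further down the list.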
Meanwhile, the Hillel Yaffe Medical Center in Hadera, north of Tel Aviv, is still struggling to restore its systems. Staff are now on their sixth day of using “pen and paper” to admit patients and order tests.
In a statement released today, Reuven Eliyahu, the Health Ministry’s head of cybersecurity, said that the mid-week attack was carried out by Chinese hackers and described the attackers’ motivation as “purely financial.”
Although the Hillel Yaffe Medical Center is expected to resume normal operations within a few days, there are concerns that some medical data will be lost, because the attackers allegedly gained access to the backup system and wiped the copies that had been kept for exactly this kind of emergency.
The Hillel Yaffe Medical Center is a government-owned hospital and, as such, will not negotiate with the attackers over a ransom payment.