Editing Springhill Medical Center ransomware attack (2019)

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 9: Line 9:
 
|-
 
|-
 
! scope="row"|Target
 
! scope="row"|Target
|Springhill Medical Center - a hospital in Mobile, Alabama, USA.<ref name=":2">HealthCareITNews, "[https://www.healthcareitnews.com/news/hospital-ransomware-attack-led-infants-death-lawsuit-alleges Hospital ransomware attack led to infant's death, lawsuit alleges]", 1 October 2021. </ref>
+
|Springhill Medical Center - a hospital in Mobile, Alabama, the USA.<ref name=":2">HealthCareITNews, "[https://www.healthcareitnews.com/news/hospital-ransomware-attack-led-infants-death-lawsuit-alleges Hospital ransomware attack led to infant's death, lawsuit alleges]", 1 October 2021. </ref>
 
|-
 
|-
 
! scope="row"|Target systems
 
! scope="row"|Target systems
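Review bot: On the Target row, the "Your text" side reads "Mobile, Alabama, the USA", which reintroduces an article that the latest revision had dropped. Keep "Mobile, Alabama, USA"; nothing else in this row differs, so undoing it only restores the awkward wording.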
Line 16: Line 16:
 
! scope="row"|Method
 
! scope="row"|Method
 
|The exact method used is also unknown. However, Ryuk is almost exclusively distributed through TrickBot or follows an infection with Trojan.<ref name=":3" /> It is a human-operated ransomware attack that uses sophisticated targeting and stealth tactics by carefully selecting its targets and conducting network surveillance.<ref name=":1" />
 
|The exact method used is also unknown. However, Ryuk is almost exclusively distributed through TrickBot or follows an infection with Trojan.<ref name=":3" /> It is a human-operated ransomware attack that uses sophisticated targeting and stealth tactics by carefully selecting its targets and conducting network surveillance.<ref name=":1" />
Afterwards, the attackers deploy a post-exploitation framework, such as Cobalt Strike or PowerShell Empire, allowing them to perform malicious actions without triggering security alerts and encrypt files, usually using AES-256 and an RSA public key to encrypt the AES key.<ref>CISA, "[https://us-cert.cisa.gov/ncas/alerts/aa20-302a Alert (AA20-302A): Ransomware Activity Targeting Healthcare and Public Health Sector]", 28 October 2020. </ref>
+
Afterwards, they deploy a post-exploitation framework, such as Cobalt Strike or PowerShell Empire, allowing them to perform malicious actions without triggering security alerts and encrypt files, usually using AES-256 and an RSA public key to encrypt the AES key. <ref>CISA, "[https://us-cert.cisa.gov/ncas/alerts/aa20-302a Alert (AA20-302A): Ransomware Activity Targeting Healthcare and Public Health Sector]", 28 October 2020. </ref>
 
|-
 
|-
 
! scope="row"|Purpose
 
! scope="row"|Purpose
|Probably monetary gain, albeit the exact amount of the demanded ransom is unknown.
+
|Probably monetary gains, albeit the exact amount of the demanded ransom is unknown.
 
|-
 
|-
 
! scope="row"|Result
 
! scope="row"|Result
|Although the SMC continued its operations, it immediately shut down its systems and refused to pay the ransom.<ref name=":0" /> Due to that, medical staff could not access medical equipment and health records obtained during the last decades.<ref>CPO Magazine, "[https://www.cpomagazine.com/cyber-security/ransomware-attack-on-springhill-medical-center-leads-to-a-negligent-homicide-investigation-after-a-baby-dies/ Ransomware Attack on Springhill Medical Center Leads to a Negligent Homicide Investigation After a Baby Dies]", 7 October 2021. </ref> Amid the shutdown, the size of the medical staff at the labour and delivery unit that controls the equipment monitoring fetal heartbeats significantly shrank, leaving room for error.<ref>SecurityAffairs, "[https://securityaffairs.co/wordpress/122820/security/child-dies-springhill-medical-center-ransomware.html Baby died at Alabama Springhill Medical Center due to cyber attack]", 1 October 2021. </ref>
+
|Although the SMC continued its operations, it immediately shut down its systems and refused to pay the ransom.<ref name=":0" /> Due to that, medical staff could not access medical equipment and health records obtained during the last decades.<ref>CPO Magazine, "[https://www.cpomagazine.com/cyber-security/ransomware-attack-on-springhill-medical-center-leads-to-a-negligent-homicide-investigation-after-a-baby-dies/ Ransomware Attack on Springhill Medical Center Leads to a Negligent Homicide Investigation After a Baby Dies]", 7 October 2021. </ref> Amid the shutdown, the size of the medical staff at the labour and delivery unit that controls the equipment monitoring fetal heartbeats significantly shrank, leaving room for error. <ref>SecurityAffairs, "[https://securityaffairs.co/wordpress/122820/security/child-dies-springhill-medical-center-ransomware.html Baby died at Alabama Springhill Medical Center due to cyber attack]", 1 October 2021. </ref>
 
The medical staff then resorted to analogue technology and using text messages for communication.<ref name=":2" /> It is still unknown if the perpetrators obtained any data. According to the hospital, it restored its systems to service without paying the ransom demanded.<ref name=":0" />
 
The medical staff then resorted to analogue technology and using text messages for communication.<ref name=":2" /> It is still unknown if the perpetrators obtained any data. According to the hospital, it restored its systems to service without paying the ransom demanded.<ref name=":0" />
 
|-
 
|-
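Review bot: In the Method row, "Afterwards, they deploy" on the "Your text" side leaves the pronoun without an antecedent, because the preceding sentence's subject is "It" (the ransomware attack), not the operators; keep "the attackers deploy" from the latest revision. The same side also restores a stray space before the <ref> tag in the Method and Result rows and changes "monetary gain" to "monetary gains" in the Purpose row; the latest revision's forms read better in all three places. Separately, the phrase "follows an infection with Trojan", unchanged on both sides, does not say which trojan and would be clearer if it named the malware family given in the cited source.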
Line 29: Line 29:
 
Due to the reduction of medical staff responsible for handling the equipment monitoring fetal heartbeats, the employees failed to recognise that the umbilical cord was wrapped around the child's neck, resulting in severe brain damage and its death nine months later.<ref name=":0" /> The ransomware left only one set of eyes on the monitors of all the labour units, which caused the misinterpretation or failure to recognise the data.<ref name=":2" /> If there had been more medical staff present, it could have prevented the child's death, as even the doctors admit.<ref name=":0" />
 
Due to the reduction of medical staff responsible for handling the equipment monitoring fetal heartbeats, the employees failed to recognise that the umbilical cord was wrapped around the child's neck, resulting in severe brain damage and its death nine months later.<ref name=":0" /> The ransomware left only one set of eyes on the monitors of all the labour units, which caused the misinterpretation or failure to recognise the data.<ref name=":2" /> If there had been more medical staff present, it could have prevented the child's death, as even the doctors admit.<ref name=":0" />
   
In the negligence suit, the woman claims the hospital failed to inform her properly about the situation and misled her since it claimed the hospital could provide its regular services.<ref name=":4" />
+
In the negligence suit, the woman claims the hospital failed to inform her properly about the situation and misled her since it claimed the hospital could provide its regular services. <ref name=":4" />
   
 
If the causality between the ransomware attack and the kid's death is proven, it will become the first death caused by a cyber incident.
 
If the causality between the ransomware attack and the kid's death is proven, it will become the first death caused by a cyber incident.
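Review bot: The only change here is in the negligence suit sentence, where the "Your text" side puts a space back between "regular services." and <ref name=":4" />, detaching the footnote marker from the sentence it supports; keep the latest revision. The unchanged closing sentence, "it will become the first death caused by a cyber incident", carries no reference, unlike the sentences around it, and should cite a source or be attributed.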
Line 42: Line 42:
 
|}
 
|}
   
Collected by: [[People#Research_assistants|Dominik Zachar]]
+
Collected by: [[People#Research_assistants|???]]
   
[[Category:Example]]
+
<!--[[Category:Example]]
[[Category:2019]]
+
[[Category:2021]]-->
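Review bot: At the foot of the page, the "Your text" side replaces the collector credit "Dominik Zachar" with the placeholder "???" and wraps both category links in an HTML comment, so publishing this undo would drop the attribution and remove the page from its categories. The commented-out block also changes "Category:2019" to "Category:2021", which does not match the year in the page title, "Springhill Medical Center ransomware attack (2019)". Keep the latest revision for all three lines.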