Springhill Medical Center ransomware attack (2019): Difference between revisions

From International cyber law: interactive toolkit
No edit summary
(minor edits & activating the page)
Line 11: Line 11:
 
|-
 
|-
 
! scope="row"|Target
 
! scope="row"|Target
|Springhill Medical Center - a hospital in Mobile, Alabama, the USA.<ref name=":2">HealthCareITNews, "[https://www.healthcareitnews.com/news/hospital-ransomware-attack-led-infants-death-lawsuit-alleges Hospital ransomware attack led to infant's death, lawsuit alleges]", 1 October 2021. </ref>
+
|Springhill Medical Center - a hospital in Mobile, Alabama, USA.<ref name=":2">HealthCareITNews, "[https://www.healthcareitnews.com/news/hospital-ransomware-attack-led-infants-death-lawsuit-alleges Hospital ransomware attack led to infant's death, lawsuit alleges]", 1 October 2021. </ref>
 
|-
 
|-
 
! scope="row"|Target systems
 
! scope="row"|Target systems
Line 18: Line 18:
 
! scope="row"|Method
 
! scope="row"|Method
 
|The exact method used is also unknown. However, Ryuk is almost exclusively distributed through TrickBot or follows an infection with Trojan.<ref name=":3" /> It is a human-operated ransomware attack that uses sophisticated targeting and stealth tactics by carefully selecting its targets and conducting network surveillance.<ref name=":1" />
 
|The exact method used is also unknown. However, Ryuk is almost exclusively distributed through TrickBot or follows an infection with Trojan.<ref name=":3" /> It is a human-operated ransomware attack that uses sophisticated targeting and stealth tactics by carefully selecting its targets and conducting network surveillance.<ref name=":1" />
Afterwards, they deploy a post-exploitation framework, such as Cobalt Strike or PowerShell Empire, allowing them to perform malicious actions without triggering security alerts and encrypt files, usually using AES-256 and an RSA public key to encrypt the AES key. <ref>CISA, "[https://us-cert.cisa.gov/ncas/alerts/aa20-302a Alert (AA20-302A): Ransomware Activity Targeting Healthcare and Public Health Sector]", 28 October 2020. </ref>
+
Afterwards, the attackers deploy a post-exploitation framework, such as Cobalt Strike or PowerShell Empire, allowing them to perform malicious actions without triggering security alerts and encrypt files, usually using AES-256 and an RSA public key to encrypt the AES key.<ref>CISA, "[https://us-cert.cisa.gov/ncas/alerts/aa20-302a Alert (AA20-302A): Ransomware Activity Targeting Healthcare and Public Health Sector]", 28 October 2020. </ref>
 
|-
 
|-
 
! scope="row"|Purpose
 
! scope="row"|Purpose
|Probably monetary gains, albeit the exact amount of the demanded ransom is unknown.
+
|Probably monetary gain, albeit the exact amount of the demanded ransom is unknown.
 
|-
 
|-
 
! scope="row"|Result
 
! scope="row"|Result
|Although the SMC continued its operations, it immediately shut down its systems and refused to pay the ransom.<ref name=":0" /> Due to that, medical staff could not access medical equipment and health records obtained during the last decades.<ref>CPO Magazine, "[https://www.cpomagazine.com/cyber-security/ransomware-attack-on-springhill-medical-center-leads-to-a-negligent-homicide-investigation-after-a-baby-dies/ Ransomware Attack on Springhill Medical Center Leads to a Negligent Homicide Investigation After a Baby Dies]", 7 October 2021. </ref> Amid the shutdown, the size of the medical staff at the labour and delivery unit that controls the equipment monitoring fetal heartbeats significantly shrank, leaving room for error. <ref>SecurityAffairs, "[https://securityaffairs.co/wordpress/122820/security/child-dies-springhill-medical-center-ransomware.html Baby died at Alabama Springhill Medical Center due to cyber attack]", 1 October 2021. </ref>
+
|Although the SMC continued its operations, it immediately shut down its systems and refused to pay the ransom.<ref name=":0" /> Due to that, medical staff could not access medical equipment and health records obtained during the last decades.<ref>CPO Magazine, "[https://www.cpomagazine.com/cyber-security/ransomware-attack-on-springhill-medical-center-leads-to-a-negligent-homicide-investigation-after-a-baby-dies/ Ransomware Attack on Springhill Medical Center Leads to a Negligent Homicide Investigation After a Baby Dies]", 7 October 2021. </ref> Amid the shutdown, the size of the medical staff at the labour and delivery unit that controls the equipment monitoring fetal heartbeats significantly shrank, leaving room for error.<ref>SecurityAffairs, "[https://securityaffairs.co/wordpress/122820/security/child-dies-springhill-medical-center-ransomware.html Baby died at Alabama Springhill Medical Center due to cyber attack]", 1 October 2021. </ref>
 
The medical staff then resorted to analogue technology and using text messages for communication.<ref name=":2" /> It is still unknown if the perpetrators obtained any data. According to the hospital, it restored its systems to service without paying the ransom demanded.<ref name=":0" />
 
The medical staff then resorted to analogue technology and using text messages for communication.<ref name=":2" /> It is still unknown if the perpetrators obtained any data. According to the hospital, it restored its systems to service without paying the ransom demanded.<ref name=":0" />
 
|-
 
|-
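Review bot: the first line of the Method cell (unchanged context in this hunk) still reads "follows an infection with Trojan", which needs either an article ("an infection with a Trojan") or the name of the Trojan meant; the rewrite of the second line (naming "the attackers" as the subject and removing the stray space before the <ref>) reads well.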
Line 31: Line 31:
 
Due to the reduction of medical staff responsible for handling the equipment monitoring fetal heartbeats, the employees failed to recognise that the umbilical cord was wrapped around the child's neck, resulting in severe brain damage and its death nine months later.<ref name=":0" /> The ransomware left only one set of eyes on the monitors of all the labour units, which caused the misinterpretation or failure to recognise the data.<ref name=":2" /> If there had been more medical staff present, it could have prevented the child's death, as even the doctors admit.<ref name=":0" />
 
Due to the reduction of medical staff responsible for handling the equipment monitoring fetal heartbeats, the employees failed to recognise that the umbilical cord was wrapped around the child's neck, resulting in severe brain damage and its death nine months later.<ref name=":0" /> The ransomware left only one set of eyes on the monitors of all the labour units, which caused the misinterpretation or failure to recognise the data.<ref name=":2" /> If there had been more medical staff present, it could have prevented the child's death, as even the doctors admit.<ref name=":0" />
   
In the negligence suit, the woman claims the hospital failed to inform her properly about the situation and misled her since it claimed the hospital could provide its regular services. <ref name=":4" />
+
In the negligence suit, the woman claims the hospital failed to inform her properly about the situation and misled her since it claimed the hospital could provide its regular services.<ref name=":4" />
   
 
If the causality between the ransomware attack and the kid's death is proven, it will become the first death caused by a cyber incident.
 
If the causality between the ransomware attack and the kid's death is proven, it will become the first death caused by a cyber incident.
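Review bot: the closing sentence "it will become the first death caused by a cyber incident" is the only sentence in this Aftermath section that carries no <ref>, while every surrounding sentence is sourced; either add a citation for the "first death" claim or soften it to what the sources report (for example "widely reported as the first death attributed to a cyber incident").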
Line 44: Line 44:
 
|}
 
|}
   
Collected by: [[People#Research_assistants|???]]
+
Collected by: [[People#Research_assistants|Dominik Zachar]]
   
<!--[[Category:Example]]
+
[[Category:Example]]
[[Category:2021]]-->
+
[[Category:2019]]
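Review bot: activating the page uncomments [[Category:Example]] together with the corrected [[Category:2019]]; if "Example" was a placeholder category for the draft, it should be dropped rather than activated, otherwise the live page is filed under a non-topical category.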

Revision as of 15:43, 2 November 2021

This page is under construction.

Date July 2019.[1]
Suspected actor Although neither the hospital nor the authorities publicly identified the hackers, security researchers believe the perpetrators to be from the Ryuk gang, also known as Wizard Spider.[2] Wizard Spider is a Russia-based cybercriminal group that at that time targeted hospitals, businesses, and government institutions.[1]

The group is believed to have broken away from the Business Club, an organisation operating against US institutions and businesses since 2007.[3] However, Ryuk is based on the older Hermes ransomware used by the North Korean state-sponsored Lazarus Group, which is why that group was initially thought to be behind the Ryuk ransomware.[4]

Target Springhill Medical Center - a hospital in Mobile, Alabama, USA.[5]
Target systems It is not clear, but if Ryuk is behind this incident, it focuses on Microsoft Windows-based systems.[6]
Method The exact method used is also unknown. However, Ryuk is almost exclusively distributed through TrickBot or follows an infection with a Trojan.[6] It is a human-operated ransomware attack that uses sophisticated targeting and stealth tactics, carefully selecting its targets and conducting network surveillance.[3]

Afterwards, the attackers deploy a post-exploitation framework, such as Cobalt Strike or PowerShell Empire, allowing them to perform malicious actions without triggering security alerts and to encrypt files, usually using AES-256 for the files and an RSA public key to encrypt the AES key.[7]

Purpose Probably monetary gain, albeit the exact amount of the demanded ransom is unknown.
Result Although the SMC continued its operations, it immediately shut down its systems and refused to pay the ransom.[1] As a result, medical staff could not access medical equipment or the health records accumulated over the preceding decades.[8] Amid the shutdown, the number of medical staff at the labour and delivery unit who operate the equipment monitoring fetal heartbeats shrank significantly, leaving room for error.[9]

The medical staff then resorted to analogue technology and to text messages for communication.[5] It is still unknown whether the perpetrators obtained any data. According to the hospital, it restored its systems to service without paying the ransom demanded.[1]

Aftermath The aftermath came at the end of September 2021, when a woman filed a suit against the hospital, blaming it for her child's death.[10] The child was born during the ransomware incident, without the mother being given any information about the security breach.[11]

Due to the reduction in medical staff responsible for handling the equipment monitoring fetal heartbeats, the employees failed to recognise that the umbilical cord was wrapped around the child's neck, resulting in severe brain damage and the child's death nine months later.[1] The ransomware left only one set of eyes on the monitors of all the labour units, which led to the data being misinterpreted or not recognised at all.[5] If more medical staff had been present, the child's death could have been prevented, as even the doctors admit.[1]

In the negligence suit, the woman claims the hospital failed to inform her properly about the situation and misled her, since it claimed it could provide its regular services.[10]

If the causal link between the ransomware attack and the child's death is proven, it will become the first death caused by a cyber incident.

Analysed in Scenario 05: State investigates and responds to cyber operations against private actors in its territory

Scenario 06: Cyber countermeasures against an enabling State

Scenario 14: Ransomware campaign

Scenario 20: Cyber operations against medical facilities

Collected by: Dominik Zachar