Springhill Medical Center ransomware attack (2019)

From International cyber law: interactive toolkit
Jump to navigation Jump to search
Date July 2019.[1]
Suspected actor Although neither the hospital nor the authorities publicly identified the hackers, security researchers believe the perpetrators to be from the Ryuk gang, also known as Wizard Spider[2] Wizard Spider is a Russian-based cybercriminal group that at that time targeted hospitals, businesses, and government institutions.[1]

The group is believed to have broken apart from the Business Club, an organisation operating against US institutions and businesses since 2007.[3] However, Ryuk is based on an older ransomware Hermes used by the North Korean state-sponsored Lazarus Group, which is why they were initially thought to be behind the Ryuk ransomware.[4]

Target Springhill Medical Center - a hospital in Mobile, Alabama, USA.[5]
Target systems It is not clear, but if Ryuk is behind this incident, it focuses on Microsoft Windows-based systems.[6]
Method The exact method used is also unknown. However, Ryuk is almost exclusively distributed through TrickBot or follows an infection with Trojan.[6] It is a human-operated ransomware attack that uses sophisticated targeting and stealth tactics by carefully selecting its targets and conducting network surveillance.[3]

Afterwards, the attackers deploy a post-exploitation framework, such as Cobalt Strike or PowerShell Empire, allowing them to perform malicious actions without triggering security alerts and encrypt files, usually using AES-256 and an RSA public key to encrypt the AES key.[7]

Purpose Probably monetary gain, albeit the exact amount of the demanded ransom is unknown.
Result Although the SMC continued its operations, it immediately shut down its systems and refused to pay the ransom.[1] Due to that, medical staff could not access medical equipment and health records obtained during the last decades.[8] Amid the shutdown, the size of the medical staff at the labour and delivery unit that controls the equipment monitoring fetal heartbeats significantly shrank, leaving room for error.[9]

The medical staff then resorted to analogue technology and using text messages for communication.[5] It is still unknown if the perpetrators obtained any data. According to the hospital, it restored its systems to service without paying the ransom demanded.[1]

Aftermath The aftermath comes at the end of September 2021, when a woman filed a suit against the hospital, blaming it for her child's death.[10] The child was born during the ransomware incident without any information regarding the security breach.[11]

Due to the reduction of medical staff responsible for handling the equipment monitoring fetal heartbeats, the employees failed to recognise that the umbilical cord was wrapped around the child's neck, resulting in severe brain damage and its death nine months later.[1] The ransomware left only one set of eyes on the monitors of all the labour units, which caused the misinterpretation or failure to recognise the data.[5] If there had been more medical staff present, it could have prevented the child's death, as even the doctors admit.[1]

In the negligence suit, the woman claims the hospital failed to inform her properly about the situation and misled her since it claimed the hospital could provide its regular services.[10]

If the causality between the ransomware attack and the kid's death is proven, it will become the first death caused by a cyber incident.

Analysed in Scenario 05: State investigates and responds to cyber operations against private actors in its territory

Scenario 06: Cyber countermeasures against an enabling State

Scenario 14: Ransomware campaign

Scenario 20: Cyber operations against medical facilities

Collected by: Dominik Zachar