Springhill Medical Center ransomware attack (2019)
|Suspected actor||Although neither the hospital nor the authorities publicly identified the hackers, security researchers believe the perpetrators to be from the Ryuk gang, also known as Wizard Spider Wizard Spider is a Russian-based cybercriminal group that at that time targeted hospitals, businesses, and government institutions.
The group is believed to have broken apart from the Business Club, an organisation operating against US institutions and businesses since 2007. However, Ryuk is based on an older ransomware Hermes used by the North Korean state-sponsored Lazarus Group, which is why they were initially thought to be behind the Ryuk ransomware.
|Target||Springhill Medical Center - a hospital in Mobile, Alabama, USA.|
|Target systems||It is not clear, but if Ryuk is behind this incident, it focuses on Microsoft Windows-based systems.|
|Method||The exact method used is also unknown. However, Ryuk is almost exclusively distributed through TrickBot or follows an infection with Trojan. It is a human-operated ransomware attack that uses sophisticated targeting and stealth tactics by carefully selecting its targets and conducting network surveillance.
Afterwards, the attackers deploy a post-exploitation framework, such as Cobalt Strike or PowerShell Empire, allowing them to perform malicious actions without triggering security alerts and encrypt files, usually using AES-256 and an RSA public key to encrypt the AES key.
|Purpose||Probably monetary gain, albeit the exact amount of the demanded ransom is unknown.|
|Result||Although the SMC continued its operations, it immediately shut down its systems and refused to pay the ransom. Due to that, medical staff could not access medical equipment and health records obtained during the last decades. Amid the shutdown, the size of the medical staff at the labour and delivery unit that controls the equipment monitoring fetal heartbeats significantly shrank, leaving room for error.
The medical staff then resorted to analogue technology and using text messages for communication. It is still unknown if the perpetrators obtained any data. According to the hospital, it restored its systems to service without paying the ransom demanded.
|Aftermath||The aftermath comes at the end of September 2021, when a woman filed a suit against the hospital, blaming it for her child's death. The child was born during the ransomware incident without any information regarding the security breach.
Due to the reduction of medical staff responsible for handling the equipment monitoring fetal heartbeats, the employees failed to recognise that the umbilical cord was wrapped around the child's neck, resulting in severe brain damage and its death nine months later. The ransomware left only one set of eyes on the monitors of all the labour units, which caused the misinterpretation or failure to recognise the data. If there had been more medical staff present, it could have prevented the child's death, as even the doctors admit.
In the negligence suit, the woman claims the hospital failed to inform her properly about the situation and misled her since it claimed the hospital could provide its regular services.
If the causality between the ransomware attack and the kid's death is proven, it will become the first death caused by a cyber incident.
|Analysed in||Scenario 05: State investigates and responds to cyber operations against private actors in its territory|
Collected by: Dominik Zachar
- The Wall Street Journal, "A Hospital Hit by Hackers, a Baby in Distress: The Case of First Alleged Ransomware Death", 30 September, 2021.
- Crowdstrike, "Adversary: WIzard Spider - Threat Actor", 2021.
- The Wall Street Journal, "The Ruthless Hackers Behind Ransomware Attacks on U.S. Hospitals: 'They Do Not Care'", 10 June 2021.
- CSO, "Ryuk ransomware explained: A targeted, devastatingly effective attack", 19 March 2021.
- HealthCareITNews, "Hospital ransomware attack led to infant's death, lawsuit alleges", 1 October 2021.
- Datto, "What is Ryuk Ransomware and How Does it Work?", 27 May 2021.
- CISA, "Alert (AA20-302A): Ransomware Activity Targeting Healthcare and Public Health Sector", 28 October 2020.
- CPO Magazine, "Ransomware Attack on Springhill Medical Center Leads to a Negligent Homicide Investigation After a Baby Dies", 7 October 2021.
- SecurityAffairs, "Baby died at Alabama Springhill Medical Center due to cyber attack", 1 October 2021.
- NBC News, "Baby died because of ransomware attack on hospital, suit says", 30 September 2021.
- CBS News, "Mom blames infant daughter's death on hospital attacked by ransomware", 1 October 2021.