Major European private hospital operator struck by ransomware

Fresenius says despite IT system disruption, patient care is carrying on as normal.


Fresenius, Europe's largest private hospital operator, has confirmed a ransomware attack that has limited some operations. 

The Bad Homburg, Germany-based organization told cybersecurity expert Brian Krebs that a "computer virus" has caused a disruption, but there is no impact on patient care. 

Fresenius employs 290,000 people in more than 100 countries across a range of businesses: a kidney failure medical provider, a hospital and healthcare facility management and operations arm, and a pharmaceutical device and drug supplier.

A relative working for one of these businesses in the US told KrebsOnSecurity that computers had been roped off, and it was thought that the virus in question is the Snake ransomware. 


First spotted in 2019, Snake, also known as Ekans, has previously been seen in attacks against the industrial sector.

Snake targets Windows systems, encrypting files with a randomly-selected five-character file extension. A ransom note demanding cryptocurrency is then shown, together with an email address for payment. 

Sophos researchers say that files are encrypted using public-key cryptography, and a ransom note such as the one below is written to the desktop and then displayed:

[Image: Snake ransom note as written to the desktop. Source: Sophos]


"As a precautionary measure in accordance with our security protocol drawn up for such cases, steps have been taken to prevent further spread," Fresenius spokesperson Matt Kuhn said. "While some functions within the company are currently limited, patient care continues. Our IT experts are continuing to work on solving the problem as quickly as possible and ensuring that operations run as smoothly as possible."

Relevant authorities have been informed of the cyberattack. The timing of the attack is also of interest: only this week, the UK National Cyber Security Centre (NCSC) and the US Department of Homeland Security (DHS) published a joint warning that state-sponsored advanced persistent threat (APT) groups are targeting healthcare providers in order to steal coronavirus research.


"COVID-19 is allowing cybercriminals to gain a higher rate of return by targeting healthcare providers because they firmly believe that organizations will pay their way out of an attack when under high-pressure factors," commented Kelvin Murray, Senior Threat Research Analyst at Webroot. "As the services that medical facilities provide are essential and often cannot be disrupted without severe risk to patients, ransomware is a weapon of choice."

In related news this week, Australian logistics giant Toll Group revealed a second ransomware attack three months after first being targeted by the malware. 

The company said that Nefilim, a relatively new form of ransomware thought to be based on Nemty, was found on company servers. A range of IT systems, including some customer-facing services, have been disabled while Toll deals with the infection. 
