A joint announcement from the Ministry of Health and the National Cyber Directorate in Israel describes ransomware attacks over the weekend that targeted the systems of nine health institutes in the country. In the joint statement, the Israeli government says the attempts caused no harm to the hospitals and medical organizations, thanks to nation-level coordination and the quick and decisive response of the local IT teams.
The two agencies had carried out several defensive activities in the health sector to discover exposed vulnerabilities and close them before the weekend arrived, mostly in response to a Wednesday attack on the Hillel Yaffe Medical Center.
As it turns out, though, these efforts were not enough to protect the exposed endpoints, and some healthcare organizations were still compromised over the weekend.
Major Points to Chinese Attackers
As per the local media reports, the attack is associated with a Chinese group of attackers utilizing the ‘DeepBlueMagic’ ransomware strain, which initially appeared in the wild in August this year.
DeepBlueMagic is also known to disable the security solutions that usually analyze and block file encryption attempts, permitting successful attacks. Examining the IOCs transmitted by the authorities, our experts determined that the attackers are utilizing the ‘BestCrypt’ hard drive encryption tool to encrypt devices.

Israel’s National Cyber Directorate has released indicators of compromise (IOCs) in the form of file hashes that have been seen in related attacks. The agency suggests that Israeli organizations perform the following steps:
- Review the IOCs in the CSV file and check if they have been observed in their environment.
- Perform an active scan of all systems and include the file hashes in the organization’s AV/EDR solutions.
- Make sure all VPN and email servers are upgraded to the latest version to resolve any vulnerability that threat actors can use to gain access to internal networks.
- If servers are not up to date, update them and perform password resets for all users.
- Increase monitoring for unusual events in the corporate networks.
- Report any breaches or unusual activity to the Israel National Cyber Directorate.
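One way to carry out the first two steps above (hunting a directory tree for the published file hashes) is sketched here as an added example; it is not part of the directorate's advisory or tooling. The IOC CSV and the planted file are constructed for the demo, and the assumption that the real CSV carries plain hex hash cells is ours.

```python
import csv
import hashlib
import os
import tempfile
from pathlib import Path

# Digest length identifies the algorithm; IOC CSVs often mix MD5, SHA-1 and SHA-256.
_ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}

def load_iocs(csv_text):
    """Collect every hex-looking cell of the CSV into {algo: set_of_hashes}."""
    iocs = {algo: set() for algo in _ALGO_BY_HEXLEN.values()}
    for row in csv.reader(csv_text.splitlines()):
        for cell in row:
            value = cell.strip().lower()
            algo = _ALGO_BY_HEXLEN.get(len(value))
            if algo and all(c in "0123456789abcdef" for c in value):
                iocs[algo].add(value)
    return iocs

def file_digests(path, algos, chunk=1 << 20):
    """Hash one file with every requested algorithm in a single read pass."""
    hashers = {algo: hashlib.new(algo) for algo in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}

def scan_tree(root, iocs):
    """Walk root; return (path, algo, digest) for each file matching an IOC."""
    wanted = [algo for algo, hashes in iocs.items() if hashes]
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digests = file_digests(path, wanted)
            except OSError:
                continue  # locked or unreadable file: skip it, don't abort the sweep
            hits.extend((path, a, d) for a, d in digests.items() if d in iocs[a])
    return hits

def demo():
    """Constructed sample: a planted file whose SHA-256 is listed in a constructed IOC CSV."""
    root = Path(tempfile.mkdtemp())
    (root / "benign.txt").write_text("nothing to see here")
    payload = b"constructed stand-in for a flagged binary"
    (root / "suspect.bin").write_bytes(payload)
    expected = hashlib.sha256(payload).hexdigest()
    return scan_tree(root, load_iocs(f"sha256,note\n{expected},constructed IOC\n")), expected
```

On a real estate, point `scan_tree` at the mounts you care about and feed it the directorate's CSV; the same hash set is what you would load into the AV/EDR blocklist in the second step.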
Hillel Yaffe Still Struggling
In the meantime, the Hillel Yaffe Medical Center, north of Tel Aviv, is still struggling with the restoration of its systems, and for the sixth day now the staff is working with “pen and paper” to admit patients and circulate exams. Even though there is hope that the Hillel Yaffe Medical Center will return to normal operations in a few days, there are fears that some medical records will be unrecoverable.
This is because the ransomware actors reportedly accessed the backup system and wiped all the copies stored there for emergencies such as cyberattacks. Reuven Eliyahu, the cybersecurity chief in the Health Ministry, confirmed in a statement today that the mid-week attack was carried out by Chinese hackers, and described the actors’ motives as “purely financial”.
“This is probably a Chinese hacker group that broke away from another group and started working in August,” Eliyahu said in an interview with Army Radio. “The motive for the attack was purely financial.”
However, a source in the cybersecurity industry has told our experts that the attribution to China is weak and that the attacks may have simply been port scans or probes into a network’s defenses. As for the ransom payment, the Hillel Yaffe center is a government-owned hospital, and as such, it won’t negotiate with hackers.