A hospital in Belgium has suffered a cyberattack in which approximately 40 to 80 of its 300 servers were encrypted using Windows BitLocker. The hackers claim to have encrypted around 100TB of data but maintain that they do not steal data prior to file encryption, so there will be no data leak if the hospital does not pay the ransom.
The attack differs from many of the attacks on U.S. healthcare providers in recent months. First, the attackers do not run a ransomware-as-a-service operation where affiliates hack victims’ networks and deploy ransomware for a cut of the profits. Second, this is not, strictly speaking, a ransomware attack, although the outcome is the same. Rather than use ransomware to encrypt files, the attackers use off-the-shelf software. In this case it was Windows BitLocker, but other attacks have seen DiskCryptor used. The attackers also do not encrypt all files and devices. Instead, they search for devices with large numbers of files, such as file servers and backup servers, and only encrypt those.
CHwapi hospital issued a press release about the attack and claimed that no ransom demand was issued; however, the group behind the attack maintains a ransom.txt file was dropped on domain controllers and backup servers.
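Because the encryption tooling is legitimate software, defenders have to look at where it runs rather than what it is. The following is an added example, not part of the original article: a triage sketch over constructed telemetry that flags volume encryption being started, or a ransom.txt file appearing, on the server roles named above. The event format, host names, role labels and the DiskCryptor binary names are assumptions.

```python
import re

# Server roles the article says are singled out, plus where the note was reported.
HIGH_VALUE_ROLES = {"file-server", "backup-server", "domain-controller"}

# Commands that start volume encryption with off-the-shelf tools. manage-bde and
# Enable-BitLocker are the Windows BitLocker interfaces; dcrypt.exe and dccon.exe
# are assumed here to be DiskCryptor's binary names.
ENCRYPT_CMD = re.compile(
    r"manage-bde(?:\.exe)?\s.*-on\b|Enable-BitLocker|\\(?:dcrypt|dccon)\.exe", re.I)
NOTE_FILE = re.compile(r"(?:^|\\)ransom\.txt$", re.I)

# Constructed sample telemetry: (host, role, kind, detail). Not incident data.
SAMPLE_EVENTS = [
    ("fs01", "file-server", "process", r"C:\Windows\System32\manage-bde.exe -on D: -password"),
    ("bk02", "backup-server", "process", r"powershell.exe Enable-BitLocker -MountPoint E: -PasswordProtector"),
    ("ws17", "workstation", "process", r"C:\Windows\System32\manage-bde.exe -status C:"),
    ("lt44", "workstation", "process", r"C:\Windows\System32\manage-bde.exe -on C: -recoverypassword"),
    ("fs03", "file-server", "process", r"C:\Temp\dcrypt.exe"),
    ("dc01", "domain-controller", "file", r"C:\ransom.txt"),
    ("bk02", "backup-server", "file", r"D:\Backups\job.log"),
]

def triage(events, approved_hosts=frozenset()):
    """Return (host, reason) alerts for activity on high-value servers."""
    alerts = []
    for host, role, kind, detail in events:
        if role not in HIGH_VALUE_ROLES:
            continue  # routine BitLocker rollout on endpoints is not flagged here
        if kind == "process" and host not in approved_hosts and ENCRYPT_CMD.search(detail):
            alerts.append((host, "volume encryption started"))
        elif kind == "file" and NOTE_FILE.search(detail):
            alerts.append((host, "ransom note file created"))
    return alerts

def hosts_to_isolate(alerts):
    """Hosts with any alert, in first-seen order, for containment."""
    return list(dict.fromkeys(host for host, _ in alerts))

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

The `approved_hosts` parameter is a hypothetical allowlist for servers where an administrator has scheduled encryption through change control.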
The attack has forced IT systems offline and has caused some disruption to patient services. Treatment continues to be provided to patients, although the hospital has stopped receiving patients from the 100 service. Those patients are being redirected to alternative healthcare facilities.
Some nonelective appointments have had to be postponed after the attack on Sunday, although the hospital is slowly recovering and was able to resume surgical operations on Wednesday. The distribution of COVID-19 vaccines was unaffected. The hospital maintains no patient data was compromised in the attack.