Contributed by George Mack, Content Marketing Manager, Check Point Software.


Hackers successfully infiltrated Witting Clinical Hospital in Bucharest and deployed a ransomware attack, encrypting troves of data and demanding Bitcoin payment in exchange for the decryption tool.

However, the hospital refused to pay. Instead, staff continued their activities by recording patient data on paper. While the entire world is going paperless, it looks like there is still some upside in doing things the old-fashioned way.

According to Romania’s Intelligence Service, the ransomware used in this attack, dubbed PHOBOS, is the same variant that affected four other Romanian hospitals in the summer of 2019.

PHOBOS ransomware has a medium level of complexity, often distributed via hacked Remote Desktop Protocol (RDP) connections. Hacked RDP servers are cheap on the underground market, making them a popular attack vector among threat groups.

So why do hackers commonly target hospitals? It’s because healthcare operations are so critical: lives are at risk and deadlines are short. Thus, hospitals may be more likely to pay the ransom, since it’s perceived as the fastest way to restore the network and to restart patient care.

“With the risk of networks staying down for hours or even days, hospitals simply cannot afford the time it would take to recover if they did not pay a ransom,” said Justin Fier.

For example, in the recent ransomware attack on Ireland’s health service, the victims refused to pay the $20 million Bitcoin ransom demand. According to the Health Service Executive, a decryption tool was safely deployed to restore IT systems. However, it took weeks to decrypt just 75% of their servers, and other disruptions to patient services were expected to continue for some time.

Nonetheless, other hospitals may not have the luxury of waiting weeks to get all systems fully operational.

An analysis revealed that in 2020, criminals demanded an estimated $15.6 million in ransoms from healthcare organizations, and they ultimately received $2 million in payments.

To prevent ransomware, you must understand what cyber security measures to take. For prevention recommendations, read our recent interview with Devin Partida.