The Health Sector Cybersecurity Coordination Center (HC3), which was created by the Department of Health and Human Services, recently warned healthcare providers about a “relatively unknown” ransomware gang that is beginning to attack organizations in the healthcare sector.
HC3 issued an alert on a cybercriminal group called TimisoaraHackerTeam (THT). The group was discovered in July 2018 but has remained pretty incognito since then, the alert said.
THT’s origin seems to be from Romania — it is named after a Romanian town and its source code looks like it was created by Romanian speakers.
Most ransomware groups build their own tools to encrypt victims’ data, but THT leverages legitimate software tools like Microsoft’s BitLocker and Jetico’s BestCrypt to deliver its malware. Ransomware gang DeepBlueMagic has also been known to use this tactic. The group is believed to have waged a cyberattack against Hillel Yaffa Medical Center, an Israeli hospital, in 2021. Some Chinese hacking groups, such as APT41, use this tactic as well.
THT could potentially have a relationship with these groups, according to HC3’s alert.
The gang unleashes its malware mainly through spam emails and email attachments. Organizations that fall victim to a THT attack will notice that their files have been encrypted by ransomware, and they will receive a ransom note with payment instructions to help them recover their data.
Heard at HLTH 2024: Insights from Innovative Healthcare Executives
Executives from Imagine360, Verily, BrightInsight, Lantern, and Rhapsody shared their approaches to reducing healthcare costs and facilitating digital transformation.
A U.S. cancer center was hit with a THT ransomware attack this month, HC3 said. The incident “significantly reduced patient treatment capability,” took digital services offline, and put patients’ health and personal data at risk of exposure.
HC3’s alert pointed out that this attack demonstrates that THT does not follow the same code of conduct that many hackers do — a code that stipulates ransomware attacks not be waged on hospitals and other healthcare providers. Another cyberattack on the healthcare sector — one suffered by a French hospital in April 2021 — was also loosely attributed to THT because it used legitimate software tools to deploy malware.
“Little is known about the obscure group of hackers, but when its ransomware is deployed, their rarely used and very effective technique of encrypting data in a target environment has paralyzed the health and public health (HPH) sector,” HC3’s alert explained.
Healthcare providers should be wary of potential THT attacks and remember that they are vulnerable due to their “high propensity to pay a ransom, the value of patient records and often inadequate security,” HC3 said.
Photo: Traitov, Getty Images