Ahmedabad: When a team of experts from the National Forensic Sciences University (NFSU) checked the logs of the ransomware files at a city hospital after a cyberattack, they were surprised – the file, whose execution took place at 2am, had been sitting pretty in the system since March!
“The latest attack was found to be of the ransomware of Phobos class, which has been around since 2018 and evolving continuously. According to our information, in the past month, there have been two major attacks on hospitals and a major pharma company. Of the three cases, an FIR has been filed for only one,” said a senior cyber cell official.
“There could have been more such attacks, but the companies are often afraid of reporting such incidents fearing infamy and change in the company safety perception,” he added.
Sources privy to the investigation said that a delayed cyberattack is not uncommon, but fewer such cases have been reported in Gujarat so far.
“Such tactics are used by the attackers when they want to cover a very large ground and infect lateral systems. As seen in this case, even the backup servers were infected. It’s possible when the root directory is controlled by the attackers and the cyber security does not detect the impending attack,” said a cyber security expert.
NFSU sources said that while the system is up and running a few days after the incident, the decryption of data is still going on. In a majority of the cases, decryption poses a major challenge. The hospital administration has been advised to adopt cloud storage to safeguard against such incidents in the future.
Sunny Vaghela, CEO of a city-based cyber safety firm, said that healthcare has remained a major target for country-based and international hackers because of the huge database the hospitals and pharma companies maintain.
“They often threaten to release the data on the dark web or sell it for a price. Prevention is better than cure, and here also, the demand for penetration testing is on the rise. Firewall breaches and delayed activation of the ransomware ‘payload’ indicate that active cyber safety measures remained ineffective. There could be many reasons for it, ranging from pending system updates to the absence of real-time warnings,” said Vaghela.
“After educational institutes, the healthcare sector is in the crosshairs of the hackers, and after last year’s attacks on AIIMS and Safdarjung hospitals, the sector has garnered attention,” he added.