Snake ransomware attack disrupts operations at hospital chain Fresenius Group

A major ransomware attack has disrupted operations at Germany-based Fresenius Group, Europe's largest private hospital operator whose dialysis products and services are in huge demand in the middle of the COVID-19 pandemic.

The ransomware attack was first reported to security researcher Brian Krebs of KrebsOnSecurity by an employee of Fresenius Kabi, a division of the Fresenius Group that supplies pharmaceutical drugs and medical devices. The employee told Krebs that "a cyber attack had affected every part of the company’s operations around the globe" and that the malware used in the operation was the dreaded Snake ransomware.

The trend of cyber criminals targeting healthcare institutions across the globe has been gaining pace recently, mostly because legacy systems, unpatched medical devices and poor cyber security training at many hospitals and clinics enable criminals to sneak in malicious files, exfiltrate sensitive data, or extort the institutions for ransom.

According to Krebs, the recent ransomware attack targeting the Fresenius Group is "worrisome" as the hospital operator's dialysis equipment is being used to treat many COVID-19 patients who are experiencing kidney failure. A shortage of dialysis kits could result in loss of life if hospitals are unable to provide urgent care to patients.

Recently, the Fresenius Group said in a statement posted on its website that it is "postponing surgical procedures when medically justifiable and thereby expanding its capacity to care for COVID-19 patients". The company recently increased the number of intensive care beds in its hospital network from 900 to 1,500 and is making 150 additional dialysis machines available to U.S. hospitals for the emergency treatment of COVID-19 patients.

When contacted by Krebs, a spokesperson from Fresenius confirmed that the organisation did suffer a computer virus attack and that IT security experts were working on solving the problem as soon as possible.

“I can confirm that Fresenius’ IT security detected a computer virus on company computers. As a precautionary measure in accordance with our security protocol drawn up for such cases, steps have been taken to prevent further spread. We have also informed the relevant investigating authorities and while some functions within the company are currently limited, patient care continues. Our IT experts are continuing to work on solving the problem as quickly as possible and ensuring that operations run as smoothly as possible,” the spokesperson said in a written statement.

Hacker groups targeting healthcare organisations to access intellectual property and intelligence

The timing of the ransomware attack is interesting given that the National Cyber Security Centre and the U.S. Department of Homeland Security issued a joint statement this week to warn about ongoing activity by APT groups to target organisations involved in both national and international COVID-19 responses, such as healthcare bodies, pharmaceutical companies, and medical research organisations.

In the joint statement, the two authorities highlighted how APT groups are carrying out large-scale "password spraying" campaigns to gain access to accounts belonging to organisations involved in the coronavirus response, especially healthcare bodies and medical research organisations.

The primary motive of such APT groups is to collect bulk personal information, intellectual property and intelligence that aligns with national priorities. NCSC observed that "actors may seek to obtain intelligence on national and international healthcare policy or acquire sensitive data on COVID-19 related research".

Commenting on the ransomware attack targeting the Fresenius Group, Jamie Akhtar, CEO and Founder of CyberSmart, said that there has been an enormous spike in cyber-attacks since the beginning of the coronavirus epidemic, and the healthcare industry, already stretched and now even more overwhelmed and distracted, is a prime target.

"The World Health Organisation has reported a five-fold increase in attacks over the last two months. It is critical that healthcare organisations prioritise security right now as a breach could have huge impacts. That means keeping all software up-to-date and making sure firewalls and security features are enabled at all times," he added.

According to Ilia Kolochenko, Founder & CEO of ImmuniWeb, the recent ransomware attack could have been carried out by opportunistic hackers armed with the information that Fresenius has already paid a 7-digit ransom in the past to recover from a similar attack. The attack is thus a colorful validation of the FBI’s warning not to pay a ransom.

Even though it is not clear how hackers were able to plant the ransomware inside the company's systems, the second successful cyber attack on its IT systems indicates that foundational security processes such as holistic patch management and network segregation are largely insufficient to deter or prevent cyber attacks, he added.