This week, Nubeva Technologies, which develops decryption tools focused on ransomware, published a case study describing how it was able to help one small hospital untangle a ransomware attack that had affected its IT systems.

WHY IT MATTERS

Nubeva says its LockBit decrypting tool was able to successfully recover data and restore healthcare operations after unauthorized access to the unnamed hospital's network resulted in deployment of LockBit 2.0 malware.

Serving a major Ohio metro, the 240-bed hospital with 800 employees fell victim to a zero-day vulnerability that allowed cybercriminals to breach its network and encrypt electronic health records, patient scheduling services and domain controllers governing medical systems and devices, the company says.

Consequences for patient care during the attack included increased wait times, overwhelmed emergency departments and disruptions in administering essential treatments to critically ill patients.

Nubeva claims its Ransomware Reversal product can decrypt ransomed data, sight unseen, eliminating the need for healthcare organizations to pay ransoms. According to its case study, the Ohio hospital had in place a robust IT infrastructure, data backup process and employee cybersecurity training program.

The hospital reportedly reversed the encryption and was able to restore critical systems quickly and reduce data loss with the LockBit decryptor system, which the company says helped the hospital control the costs of the ransomware incident.

Recovery times was four days, according to the case study. Deployed prior to the attack, the ransomware platform's sensors detected anomalous encryption activity and stored the file encryption keys in a secure key vault, according to the company's case study.

Nubeva also announced the launch this week of its Healthcare-Safety-Net program, which seeks to provide healthcare organizations that may be vulnerable to LockBit access to its ransomware recovery platform. 

THE LARGER TREND

In December, a LockBit ransomware attack on the Hospital for Sick Children in Toronto caused delays in retrieving lab and imaging results that affected employee timekeeping and pharmacy systems.

While the LockBit ransomware gang posted an apology and offered the hospital a decryptor, the hospital said it did not make a ransom payment.

Whether or not to pay ransom has long been a topic of debate across healthcare. It's not recommended, according to the U.S. Department of Health and Human Services, FBI and countless security leaders – but some hospitals will pay the ransom to decrypt files after an attack to gain access to critical data.

In 2021, the Health Sector Cybersecurity Coordination Center released a 31-page briefing on LockBit and its affiliate program and the FBI advises healthcare organizations to call the cyber operations center when an attack occurs and see if the government has a decryptor available.

There are times when the government wins, stopping ransomware gangs and getting decryptors. 

In January, the FBI announced that a fleet of International partners helped it hack and seize Hive ransomware operations. The FBI then provided more than 300 decryption keys to victims under attack and to more than 1,000 to previous victims.

ON THE RECORD

"Ransomware attacks have become an unfortunate reality for all organizations," said Nubeva researchers in the case study. "Healthcare institutions, in particular, have become prime targets for cybercriminals, given the sensitive nature of the data they handle and the critical services they provide."

Beyond LockBit, ransomware groups such as BlackCat, Black Basta and ClOP, "are relentlessly targeting healthcare organizations," added Steve Perkins, CMO at Nubeva.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.