How an Ohio hospital decrypted LockBit ransomware

This week, Nubeva Technologies, which develops decryption tools focused on ransomware, published a case study describing how it was able to help a small hospital solve a ransomware attack that affected its IT systems. did.

why it matters

Nubeva says its LockBit decrypting tool was able to successfully recover data and restore healthcare operations after unauthorized access to an unnamed hospital’s network resulted in the deployment of the LockBit 2.0 malware.

Serving a major Ohio metro, the 240-bed hospital with 800 employees fell victim to a zero-day vulnerability that allowed cybercriminals to breach its network and gain access to electronic health records, patient scheduling services and controlled medical systems and equipment. Allowed to encrypt domain controllers that do, says the company .

The consequences for patient care during the attack included increased wait times, overburdened emergency departments, and disruptions in providing necessary treatment to critically ill patients.

Nubeva claims that its ransomware reversal product can decrypt ransom data that cannot be viewed, eliminating the need for healthcare organizations to pay ransoms. According to its case study, the Ohio hospital had a strong IT infrastructure, data backup process and employee cyber security training program.

The hospital reportedly reversed the encryption and was able to quickly restore critical systems and minimize data loss with the Lockbit Decryptor system, which the company says helped the hospital control the cost of the ransomware incident. .

The recovery time according to the case study was four days. According to the company’s case study, the ransomware platform’s sensors were deployed prior to the attack, which detected anomalous encryption activity and stored file encryption keys in a secure key vault.

Nubeva also this week announced the launch of its Healthcare-Safety-Net program, which seeks to provide healthcare organizations that may be vulnerable to LockBit access to its ransomware recovery platform.

big trend

In December, a LockBit ransomware attack on The Hospital for Sick Children in Toronto caused delays in receiving lab and imaging results, and affected employee timekeeping and pharmacy systems.

While the LockBit ransomware gang apologized and offered the decryptor to the hospital, the hospital said it did not pay the ransom.

Whether or not to pay the ransom has long been a point of debate in healthcare. It’s not recommended—according to the US Department of Health and Human Services, the FBI, and countless security leaders—but some hospitals will pay a ransom to decrypt files after an attack in order to gain access to critical data.

In 2021, the Health Sector Cyber ​​Security Coordination Center issued a 31-page briefing on LockBit and its associated program, and the FBI advised healthcare organizations to call cyber operations centers when an attack occurs and see if government pass decryptor is available or not.

Many times the government wins, stopping the ransomware gangs and getting the decryptors.

In January the FBI announced that a fleet of international partners helped hack and seize Hive ransomware operations. The FBI then provided over 300 decryption keys to the victims under attack and over 1,000 decryption keys to previous victims.

On the record

“Ransomware attacks have become an unfortunate reality for all organizations,” Nubeva researchers said in the case study. “Healthcare institutions, in particular, have become prime targets for cybercriminals, given the sensitive nature of the data they handle and the critical services they provide.”

Beyond LockBit, ransomware groups such as Blackcat, BlackBasta and Clop, “are increasingly targeting healthcare organizations,” said Nubeva CMO Steve Perkins.

Andrea Fox is a senior editor for Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.