The attack on the Hospital Clinic de Barcelona was orchestrated from outside of Spain by a group called RansomHouse

A ransomware attack on one of Barcelona’ s main hospitals has crippled the centre’s computer system and forced the cancellation of 150 nonurgent operations and up to 3,000 patient check-ups.

The attack on the Hospital Clinic de Barcelona shut down computers at the facility’s laboratories, emergency room and pharmacy at three main centres and several external clinics.

The attack was orchestrated from outside of Spain by a group called RansomHouse.

“The spokesperson for the hospital defined that the attack originated outside of Spain,” said Avishai Avivi, CISO at SafeBreach. “This means that the malicious actors could breach the hospital network remotely.

“The malicious actors were able to spread laterally – considering that multiple locations were shut down (laboratories, emergency rooms, pharmacies, and several external clinics).

“This suggests that the hospital’s networks were not properly segmented and segregated from each other,” he added.

No ransom demand made

It is understood a ransom demand has yet to be made, but that payment is unlikely to be made if it is.

A Catalonia regional government statement said the region’s Cybersecurity Agency was working to restore the system.

It is another example of cyber criminals targeting public infrastructure and healthcare providers, according to Victor Acin, Threat Intelligence Labs Manager at Outpost24. “In February this year [RansomHouse] breached the Italian healthcare company HS Hospital Service,” he said. 

“The effect of cyberattacks on public infrastructure, especially in healthcare, is considered beyond limits by many groups due to the risks it poses to human life. Still, some groups take advantage of this risk to further pressure the organisations and obtain a higher pay-out sooner.”

At this early stage it is possible to deduce several things about the attack, including the fact it could have been prevented by basic cyber hygiene, according to Avivi.

“Better security at the perimeter to prevent the adversary from getting the initial foothold. Better network segmentation and segregation and a comprehensive patching policy would have prevented the malicious actors from being able to spread laterally.

“Next, good egress controls like data leakage prevention (DLP) technology would have prevented the data exfiltration.

“[Cyber-criminal gang] RansomHouse does not usually encrypt the data. That said, having a good backup strategy can ensure the organisation doesn’t lose access to its data.

“Finally, once all the security controls above are in place, the organisation must validate that they are operating as designed and as expected. They need to do this by performing adversary simulations.”