TimisoaraHackerTeam Ransomware Group Strikes U.S. Cancer Center in Devastating Attack

July 3, 2023

A ransomware variant called TimisoaraHackerTeam (THT) recently attacked a U.S. cancer center. The attack took down the medical facility’s digital services, created privacy and security risks, and ultimately affected a significant volume of protected health information (PHI).

“Little is known about the obscure group of hackers, but when its ransomware is deployed, their rarely used and very effective technique of encrypting data in a target environment has paralyzed the health and public health (HPH) sector,” HHS said in a notification letter issued by the Office of Critical Infrastructure Protection within the Administration for Strategic Preparedness and Response (ASPR) and the Office of Information Security’s Health Sector Cybersecurity Coordination Center (HC3).

Introduction to TimisoaraHackerTeam

In July 2018, security researchers discovered TimisoaraHackerTeam (THT), a ransomware strain allegedly named after the Romanian city of Timisoara. According to reports, THT had already attacked healthcare sector entities around the world.

TimisoaraHackerTeam ransomware is delivered through a payload dropper, which is also how THT spreads across a network. Once running, it encrypts files and drops a .txt note stating that the computer has been compromised. Over time, the ransomware creates multiple entries in the Windows Registry so that it is relaunched every time Windows boots, until it has succeeded in encrypting all of your files.

Like other ransomware groups, THT demands Bitcoin ransoms in exchange for decrypting the encrypted servers. When it surfaced, THT showed a notable ability to use legitimate tools such as Microsoft BitLocker, rather than developing its own, to encrypt victim files.

TimisoaraHackerTeam is a financially motivated threat group that had largely stayed under the radar until its discovery in July 2018. The group actively targets large healthcare and public health (HPH) organizations.

TimisoaraHackerTeam vs. U.S. Cancer Center

Five years after its discovery, the relatively unknown threat group resurfaced and carried out a ransomware attack on a U.S. cancer center in June 2023. The attack created data security and privacy risks and eventually halted the medical center’s operations. All of its digital services became unavailable immediately, putting a large volume of patient-related information at risk and significantly reducing the cancer center’s ability to provide proper and timely patient treatment.

Modus Operandi of the TimisoaraHackerTeam

Rather than using a customized tool, TimisoaraHackerTeam uses BitLocker, Microsoft’s native disk encryption tool, and Jetico’s BestCrypt to encrypt files while evading detection by security software. Its modus operandi is to gain initial access to HPH sector networks by exploiting Pulse Secure VPN vulnerabilities.

TimisoaraHackerTeam uses poorly configured Remote Desktop Protocol (RDP) to move laterally within networks. THT also exploits vulnerabilities in Microsoft Exchange Server and Fortinet firewalls.
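As an added defender-side example (not from the article or from the HHS/HC3 letter), the following Python sketches how the tradecraft described above, turning on BitLocker with `manage-bde -on` or `Enable-BitLocker`, running BestCrypt, and adding Run-key persistence from an untrusted path, could be flagged in normalised endpoint telemetry. The event format, host and account names, the BestCrypt install path and the approved-user baseline are all assumptions.

```python
import re

# Constructed sample of normalised process-creation and registry-write events,
# in the shape a SIEM might produce from Sysmon/Windows logs. Not real telemetry.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "onc-ws-07", "user": "CORP\\jdoe",
     "cmd": r"C:\Windows\System32\manage-bde.exe -on D: -RecoveryPassword -UsedSpaceOnly"},
    {"kind": "process", "host": "onc-ws-07", "user": "CORP\\jdoe",
     "cmd": r"C:\Program Files\Jetico\BestCrypt\BestCrypt.exe"},   # path is an assumption
    {"kind": "registry", "host": "onc-ws-07", "user": "CORP\\jdoe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\jdoe\AppData\Roaming\svchost.exe"},
    {"kind": "process", "host": "img-srv-01", "user": "CORP\\deploy-svc",
     "cmd": r"C:\Windows\System32\manage-bde.exe -on C: -RecoveryPassword"},
    {"kind": "registry", "host": "onc-ws-07", "user": "SYSTEM",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Program Files\Vendor\Agent\agent.exe"},
]

# Assumed baseline: only the imaging/deployment account is expected to enable disk encryption.
APPROVED_ENCRYPTION_USERS = {"CORP\\deploy-svc"}
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")
BITLOCKER_RE = re.compile(r"(manage-bde(\.exe)?\s+.*-on\b|enable-bitlocker)", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)


def detect(events, approved_users=APPROVED_ENCRYPTION_USERS):
    """Return (host, rule, detail) tuples for events matching THT-style behaviour."""
    alerts = []
    for ev in events:
        if ev["kind"] == "process":
            cmd = ev["cmd"]
            # Legitimate encryption tooling launched by an account outside the baseline.
            if BITLOCKER_RE.search(cmd) and ev["user"] not in approved_users:
                alerts.append((ev["host"], "bitlocker-enable-unexpected-user", cmd))
            if "bestcrypt" in cmd.lower():
                alerts.append((ev["host"], "bestcrypt-execution", cmd))
        elif ev["kind"] == "registry":
            # Autostart entry pointing outside the usual program directories.
            if RUN_KEY_RE.search(ev["key"]) and not ev["value"].lower().startswith(TRUSTED_DIRS):
                alerts.append((ev["host"], "run-key-untrusted-path", ev["value"]))
    return alerts


def hosts_with_multiple_rules(alerts):
    """Hosts where more than one rule fired; encryption plus persistence together is the strong signal."""
    by_host = {}
    for host, rule, _ in alerts:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items() if len(rules) > 1)
```

Any single rule will produce false positives on hosts where encryption is being rolled out legitimately, so the baseline set and the multi-rule correlation are what keep the output actionable.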

Previous Attacks of the TimisoaraHackerTeam Ransomware Group

Before the U.S. cancer center ransomware attack, investigators traced the THT group to an attack on an undisclosed French hospital in April 2021. While the group remains relatively unknown, it has resurfaced and continues to look for its next target. What is clear now is that it has a significant history of attacking medical facilities.

Like the DeepBlueMagic threat group, TimisoaraHackerTeam takes advantage of legitimate encryption tools and exploits VPN vulnerabilities to gain access to a target’s network.

Implications and Recommendations for Network Defenders

A .txt file containing a demand note is a telltale sign that the TimisoaraHackerTeam (THT) group has successfully infiltrated a computer or network. When opened, the file displays a threatening message asking for a specific amount of bitcoin (BTC) in exchange for file restoration. However, paying the ransom does not guarantee recovery of the encrypted and compromised information, and giving money to cybercriminals only empowers them to continue their activities.

Here are some tips to avoid being a victim of the TimisoaraHackerTeam ransomware group:

Boot your computer in safe mode

When you turn on your computer, it performs startup checks and automatically loads a list of installed programs. Booting in safe mode prevents infected apps or software such as the THT ransomware from running. To boot in safe mode, either press and hold the Shift key while the computer is starting or update your BIOS or UEFI settings. Note that the procedure may vary depending on your version of Windows.

Uninstall THT and other related malware from Windows

If your system is running slower than usual, a virus or other malware may have found its way in. When this happens, scan your computer with a legitimate antivirus tool or malware scanner. These tools are designed to detect, isolate, and remove threats before they cause further damage.

Clean any registries from THT

The Windows registry stores important settings for your computer and its programs. THT and other malware can contaminate the registry, so make sure to remove any unwanted items using a secure and reliable registry cleaner.

Use end-to-end encryption

Powerful data encryption can protect your files from unauthorized groups or individuals during storage and transmission. Using secure and encrypted fax solutions like iFax can help mitigate risks and prevent PHI from being accessed or intercepted by malicious third parties.

Prevent Ransomware Attacks by Strengthening Privacy Protocols

The recent ransomware attack is a warning to fellow medical facilities and network defenders that the THT group is still active. The group can still cause harm and leave your sensitive files at risk, especially if your organization lacks the appropriate measures to detect and contain viruses and malware.

Kent Cañas

Kent is a content strategist currently specializing in HIPAA-compliant online fax. Her expertise in this field allows her to provide valuable insights to clients seeking a secure and efficient online fax solution.
