Healthcare information security

Analysis of ransomware used in recent cyberattacks on health care institutions

Daniel Dimov
July 21, 2020 by
Daniel Dimov


In recent years, there has been a steady increase in the number of ransomware attacks on healthcare institutions. The pressure such institutions experienced as a result of the COVID-19 crisis certainly exacerbated some of the reasons for the proliferation of such attacks. 

Fraudsters believe that the chaos created by the COVID-19 crisis will limit the information security capabilities of the targeted institutions, and those institutions will fall victim to ransomware attacks and pay the requested ransom. Many criminals started spreading ransomware by using phishing messages related to COVID-19. Such messages may purport to contain instructions on how to receive a vaccine against the virus for free or notify the health care institution that an order of COVID-19 ventilators was blocked.

Implementing HIPAA Controls

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

The purpose of this article is to provide a brief overview of some of the recent ransomware attacks on healthcare institutions. Afterwards, we identify patterns common amongst all those attacks. At the end of this article, we provide concluding remarks.


An overview of recent ransomware attacks on health care institutions

In this section, we examine three recent attacks on health care institutions. These are the attacks on 10x Genomics Inc., Michael Garron Hospital and Fresenius.

1. 10x Genomics Inc.

10x Genomics Inc. is a biotechnology company that develops gene sequencing equipment used in scientific research. The company provides equipment to Vanderbilt University Medical Center, which creates profiles of immune systems with the aim to develop potential antibody treatments for COVID-19.

10x Genomics was subject to a cyberattack based on the ransomware REvil. This type of malware spreads through phishing or brute-force attacks (i.e., attacks aiming to guess the correct passwords by sending multiple password entries). REvil is Ransomware-as-a-Service (RaaS), which means that the operators of the malware usually differ from its creators. 

Once REvil infects a computer, it encrypts the files stored on that computer and shows a message requesting the victim to pay a ransom in Bitcoin. If the ransom is not paid within the requested time period, the amount of the ransom will double.

The creators of REvil became infamous for organizing the first auction for stolen data. The auction took place in the dark web and allowed anyone to bid for data allegedly stolen from a Canadian agricultural company. The starting price was $50,000. The winner got more than 22,000 files stolen from the agricultural company.

Instead of initiating an auction, the operators of REvil decided to make publicly available an internal document owned by 10x Genomics Inc. The document reportedly contains information about the internal computer systems of the company and 1,200 of its employees.

2. Michael Garron Hospital

In 2019, Michael Garron Hospital became a victim of the Ryuk ransomware. The name Ryuk refers to a character from a Japanese comic book who is resistant to conventional human weapons.

This type of ransomware propagates through phishing and remains invisible for a few weeks or even a few months after infecting the targeted computers. During the time of inactivity, Ryuk transfers to its operators information about the compromised organization. At some point, Ryuk encrypts the files of the organization and requests ransom to decrypt them. 

Zohar Pinhasi, a cyber counterterrorism expert, noted that the operators of Ryuk “will learn how you operate from A to Z … then they'll hit you.” 

As a result of the Ryuk-based attack, Michael Garron Hospital was forced to use paper and telephone processes. The attack also led to the cancellation and rescheduling of some appointments with patients. Ryuk caused similar issues to three Alabama hospitals and several Australian hospitals. It is estimated that Ryuk generated about $3.7 million to its creators within five months of its appearance.

3. Fresenius

In 2020, Fresenius, one of the largest European private hospital operators, confirmed that a ransomware attack impacted its operations. The German company and its subsidiaries in more than 100 countries have about 290,000 employees. 

Reportedly, the malware used for the cyberattack on Fresenius was the Snake malware (the “Snake”). It was used against many high-profile cyberattacks, including the attacks on the auto manufacturer Honda and the energy company Enel Argentina.

The Snake is a relatively new malware (discovered in 2020) and is written in the programming language Golang. It spreads mainly through phishing. After the infection with the Snake, the malware stops processes related to remote management tools, virtual machines, network management software and supervisory control and data acquisition systems. When those processes are interrupted, the Snake encrypts the files on the infected computer, except for certain system files. The malware renames the files by adding five characters to the file extension names. Next, the Snake shows a ransom note recommending the purchase of a decryption tool.

Common patterns of ransomware attacks on health care institutions

The first common pattern of the three attacks examined above is the use of phishing for propagation. Phishing allows ransomware creators to exploit the weakest element in the information security element in an organization, namely, the human element. Therefore, health care institutions willing to protect against cyberattacks need to focus on enhancing the information security awareness of their staff.

The second common pattern is the encryption of the files stored on the infected computers. While some ransomware (such as Ryuk) remains inactive for some time prior to the commencement of the encryption process, other ransomware (such as the Snake) proceeds with the encryption shortly after the infection.

The third common pattern relates to requesting a ransom in cryptocurrencies to decrypt the locked files. All three ransomware applications request this type of ransom. The ransom amounts which fraudsters request from health care institutions are usually large and may reach millions of US dollars.

Concluding remarks

This article has shown that ransomware attacks may seriously interrupt the operations of health care institutions. For example, the attack on Michael Garron Hospital returned the hospital back to a time when most health-related data was exchanged through paper documents and telephones. 

However, the consequences of ransomware attacks on health care institutions may be much harsher than having to use paper. In some cases, such attacks may lead to suspension of the operation of life-sustaining equipment, such as dialysis machines and ventilators for COVID-19 patients. Therefore, it is of utmost importance for health care institutions to take preventive measures against ransomware. 

Since many ransomware attacks (including the three attacks examined above) rely on phishing to deploy malicious payloads to the targeted computers, the preventive measures need to include teaching staff members how to identify and neutralize phishing messages. 

Implementing HIPAA Controls

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.



  1. Phishing in the Time of COVID-19: How to Recognize Malicious Coronavirus Phishing Scams, Electronic Frontier Foundation
  2. Here's what we know about the ransomware that hit 3 Ontario hospitals, CBC News
  3. ‘Wiping & Ransom’ Attack Targets Cloud Data Stored in MongoDB Databases, The Driz Group
  4. Hackers ‘without conscience’ demand ransom from dozens of hospitals and labs working on coronavirus, Fortune
  5. What is REvil Ransomware?, Infradata
  6. REvil Ransomware Gang Starts Auctioning Victim Data, Krebs on Security
  7. Major European private hospital operator struck by ransomware, ZDNet
Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (, a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.