TimisoaraHackerTeam Ransomware Attacks US Cancer Center

June 19, 2023 - HHS called attention to a resurfaced ransomware variant called TimisoaraHackerTeam (THT), which recently claimed responsibility for a June 2023 cyberattack on a United States cancer center. The group’s unique techniques and willingness to target hospitals make it a serious threat to healthcare organizations.

“Little is known about the obscure group of hackers, but when its ransomware is deployed, their rarely used and very effective technique of encrypting data in a target environment has paralyzed the health and public health (HPH) sector,” HHS stated in a notification letter produced by the Division of Critical Infrastructure Protection within the Office of the Administration for Strategic Preparedness and Response (ASPR) and the Office of Information Security’s Health Sector Cybersecurity Coordination Center (HC3).

Researchers discovered the group in July 2018, when it surfaced with its characteristic tactic of abusing legitimate tools such as Microsoft Bitlocker, rather than developing its own tools to encrypt victim files.

THT is named after a Romanian town, and its source code also appears to have been produced by Romanian speakers. Researchers have not yet determined which overarching family the THT ransomware group belongs to.

What is known, however, is that the group is not against targeting hospitals, as exemplified by an April 2021 attack against a French hospital.

“Even among hackers, there is often a code of conduct not to attack hospitals or other HPH organizations that could cause physical harm,” HHS stated. “However, in their purposeful targeting of the healthcare sector, groups like THT abstain from that moral code.”

The group’s latest attack, against a US cancer center resulted in reduced patient treatment capabilities, the unavailability of digital services, and the possibility of exposed patient protected health information (PHI).

“THT encrypts files with a virus and places a .txt file, with instructions inside about the compromised system. Its ransomware variant, like the many ransomware Trojans, will take a victim’s files hostage, encrypting them with a strong encryption algorithm,” HHS said of its characteristic tactics.

“THT ransomware attacks seem to be carried out by taking advantage of poorly protected Remote Desktop access and targeted medium to large servers. THT has been known to utilize various exploits to gain initial remote access into a victim’s network. Most commonly, THT will employ Common Vulnerability Exploitations (CVEs) against vulnerable VPNs to gain initial access into a network and deploy a ransomware attack.”

Additionally, THT has been known to leverage zero-day vulnerabilities found in Microsoft Exchange servers, as well as recent vulnerabilities in Fortinet firewalls. The group may also use Living off the Land (LOTL) tools, which are hard for security teams to detect.

As always, healthcare organizations should remain on high alert and implement security defenses and a strong security training and awareness program to mitigate risk.