Dutch healthcare IT firm ChipSoft suffered a ransomware attack, forcing services and its HiX platform offline, impacting hospitals and patients.

ChipSoft, a major Dutch provider of EHR systems, was hit by a ransomware attack that forced it to take its website and digital services offline, disrupting access for hospitals, healthcare providers, and patients.

EHR (Electronic Health Record) is a digital version of a patient’s medical history, stored and managed by healthcare providers.

The company’s flagship HiX platform, widely used across the Netherlands, was impacted, with users reporting outages earlier this week.

The ransomware attack occurred on April 7, and the Dutch CERT Z-CERT has been coordinating closely with the vendor and healthcare institutions. As a precaution, access to key services like Zorgportaal, HiX Mobile, and Zorgplatform was disabled, with systems now being gradually restored and new credentials issued to users.

Hospitals have mainly faced logistical disruptions, such as increased calls and added support staff, according to the Dutch CERT, no critical care services have been halted. Z-CERT continues to assist by providing guidance, monitoring the situation, and helping organizations detect, respond to, and recover from the incident while minimizing its overall impact.

“As previously reported, software vendor ChipSoft was hit by a ransomware attack on Tuesday, April 7. Since then, Z‑CERT has been in constant contact with ChipSoft, healthcare institutions, and other involved parties to monitor the situation and provide appropriate support.” reports the Dutch Z‑CERT.

“ChipSoft maintains direct contact with users of the software and provides them with a course of action. In their communication, ChipSoft indicates that all connections to the Zorgportaal, HiX Mobile, and the Zorgplatform have been disabled as a precaution and are currently unavailable. ChipSoft has started bringing the systems back online in phases, during which users are receiving new login credentials. Z‑CERT continues to closely monitor these developments and will inform participants as soon as there is reason to do so.

Local media [1, 2] confirmed the cyberattack, citing an internal memo warning of possible unauthorized access. The company told healthcare providers it is working to limit the impact and advised them to disconnect from its systems until remediation and cleanup activities are fully completed.

Hospitals in Roermond and Weert closed patient portals after the ransomware attack on ChipSoft, blocking access to records and appointments. Care continues, but staff assist patients due to system outages. Other hospitals report limited or no impact, with systems monitored.

“Most hospitals have not taken their patient portals offline. Eleven hospitals have done so, according to a survey by the NOS. At least nine of these are hospitals that have linked their patient records to ChipSoft’s systems to a greater extent than most other hospitals.” reported the Dutch media NOS.

Patient portals at several Belgian hospitals also went offline after the cyberattack on ChipSoft. The disruption affected multiple facilities, highlighting the cross-border impact of attacks on shared healthcare IT providers.

“Online patient portals at several Belgian hospitals went offline following a cyberattack targeting a Dutch software provider, daily Le Soir reported Friday. The disruption affects patient portals at Hospital aan de Stroom in Antwerp, Hospital Oost-Limburg, and Delta Hospital in Roeselare.”

“The incident is linked to a cyberattack on Netherlands-based software company ChipSoft, which supplies electronic patient record systems and healthcare platforms.” reported the Belgian website AA.

Cyberattacks targeting healthcare IT providers are especially dangerous and attractive to threat actors because these companies act as centralized hubs serving many hospitals and clinics at once. By compromising a single provider, attackers can potentially access or disrupt multiple organizations simultaneously, amplifying the impact. These systems store and process vast amounts of highly sensitive data, such as medical records, personal information, and billing details, which can be exploited for extortion, fraud, or resale.

In addition, healthcare operations depend heavily on the availability of these platforms. Any disruption can affect patient care, creating urgency for rapid recovery. This pressure often makes victims more likely to pay ransoms, increasing the financial incentive for attackers.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, healthcare)

Ukraine's frontline cyber defense agency became the subject of its own investigation last week after an unknown threat actor built a convincing fake version of its website, sent emails impersonating its staff and instructed recipients across the country to download malware packaged as official security software. The Computer Emergency Response Team of Ukraine, CERT-UA, disclosed on Sunday, that between March 26 and 27, attackers distributed emails falsely attributed to CERT-UA, urging recipients to download a password-protected archive named either "CERT_UA_protection_tool.zip" or "protection_tool.zip". The file was made available for download from Files.fm file-sharing service and installed what the messages described as specialized protective software. The phishing emails were targeted at a broad cross-section of Ukrainian institutions including government organizations, medical centers, security companies, educational institutions, financial institutions and software development firms. Supporting the phishing campaign, attackers had registered and populated a counterfeit website at cert-ua[.]tech — a domain created on March 27, just one day into the distribution window. The look-a-like website had content lifted directly from the official CERT-UA website at cert[.]gov[.]ua, alongside fabricated instructions for downloading the malicious "protection tool." The executable file inside those archives was not protective software. CERT-UA classified it as AGEWHEEZE, a full-featured Remote Access Trojan (RAT) written in the Go programming language. A RAT is malware that gives an attacker complete remote control over an infected machine: not just file access, but live screen viewing, keyboard and mouse emulation, command execution, process and service management, clipboard reading and writing, and the ability to shut down, restart, or lock the device entirely. AGEWHEEZE's command set is exhaustive and purpose-built for persistent, covert control. It supports screen capture and real-time input emulation, full file system operations including read, write, delete, rename, and directory creation, process killing, service control, autorun management, terminal access, and the ability to open arbitrary URLs on the victim machine. AGEWHEEZE establishes persistence through the Windows registry startup key, the Startup directory, or a scheduled task, creating entries named "SvcHelper" or "CoreService" depending on the infection path. All communications to its command-and-control server route over WebSocket connections to a server hosted on infrastructure belonging to French cloud provider OVH. That command-and-control server carried its own revealing details. On port 8443, a web page titled "The Cult" displayed an authentication form. Buried in the HTML source of that page, investigators found Russian-language text reading: "Membership suspended. Your access to the Cult has been blocked. Contact the administrator to restore it." The self-signed SSL certificate on the server was created on March 18, with "TVisor" listed in the Organization field, matching the internal package name found inside the malware itself: "/example.com/tvisor/agent. Attribution arrived quickly and from the attackers themselves. A review of the AI-generated fake website at cert-ua[.]tech uncovered a line embedded in the HTML code reading: "With Love, CYBER SERP — https://t[.]me/CyberSerp_Official." [caption id="attachment_110836" align="aligncenter" width="600"] Fake website and HTML code embedding CyberSerp details. (Source: CERT-UA)[/caption] On March 28, the day after the campaign launched, the Telegram channel referenced in that code published a message claiming responsibility for the attack, eliminating any ambiguity about attribution. CERT-UA created the tracking identifier UAC-0255 for this activity. The agency assessed the cyberattack as "unsuccessful." No more than a few personal devices belonging to employees of educational institutions were identified as infected. CERT-UA said its specialists provided methodological and practical assistance to affected parties, and acknowledged Ukrainian electronic communications providers for their contribution to delivering cyber threat information to subscribers and maintaining national cyber incident response infrastructure. CERT-UA itself has previously documented campaigns by multiple threat groups — including UAC-0002, UAC-0035, and the group tracked here as UAC-0252 — that similarly weaponize government branding. In this case, the attackers targeted the cyber defense agency whose name carries the highest authority in Ukrainian information security communications, turning that trust directly against the institutions that rely on it. CERT-UA noted that the development of artificial intelligence significantly simplifies the execution of cyber threats. The attackers' own use of an AI-generated phishing site is a direct illustration of that warning, the cyber defense agency explained. It recommended that organizations reduce their attack surface by configuring standard operating system protections including Software Restriction Policies and AppLocker, and deploying specialized endpoint protection tools. Full indicators of compromise including file hashes, network indicators, and host-based artifacts are available in the CERT-UA advisory.

Also read: Hackers Exploit RDP Tools to Breach Ukraine’s Notarial Offices, CERT-UA Reports

The BlackBasta ransomware group’s leaked chat logs have proven to already be another unique and fascinating opportunity for researchers to better understand the internal operations of a Russia-based organised cybercrime enterprise. These leaks followed a major leak of Conti chat logs in 2022, which also proved to be a treasure trove of intelligence on the cybercrime enterprise. The BlackBasta gang consists of former Conti ransomware members and it should come as no surprise that their operations are similar in nature and structure.

Ransomware researchers have several valuable resources to conduct investigations with nowadays. This includes ransomware.live, which contains several resources including ransomch.at, a collection of negotiation chats between ransomware gangs and their victims, as well as the ransomware tool matrix and ransomware vulnerability matrix. These resources allow to deeply understand the capabilities and motivations of these ransomware gangs. However, leaked chat logs are the final missing piece of the puzzle and offer a deeper understanding from the cybercriminal’s very own perspective and organisational structure.

Active since April 2022, BlackBasta is one of the top-tier ransomware gangs and one of the largest cybercrime enterprises in the world. According to the US Cybersecurity Infrastructure and Security Agency (CISA), BlackBasta impacted up to 500 different businesses and critical infrastructure in North America, Europe, and Australia as of May 2024.

The importance of the Ascension Health incident

This blog shall dive deep into the Ascension Health attack by BlackBasta. It is a step-by-step extraction of the conversation between the BlackBasta members while they decide how to handle the attack.

The new insights around how BlackBasta and other ransomware gangs perceive being involved with incidents at healthcare sector victim should prove useful for incident responders, law enforcement, and governments that have to resolve these types of attacks on the healthcare sector on an alarmingly regularly basis.

Background

On 9 May 2024, mainstream news organisations in the US reported about a cyberattack and significant disruption of services of Ascension Health, one of the largest healthcare providers in the country. On 11 May 2024, BleepingComputer reported that BlackBasta was to blame for the attack on Ascension Health and that ambulances had been disrupted and patients were being redirected to other hospitals.

How the Incident Began

The BlackBasta attack on Ascension Health began many months before the ransomware was deployed on their network. Reconnaissance of Ascension Health by members of BlackBasta began around 3 November 2023. They shared 14 email addresses of Ascension Health employees, which we can only assume were used for phishing or password guessing. Ransomware gangs often used Zoominfo to profile their targets to determine whether it is worth it for them to attack and get a ransom from them.

The ransomware gang themselves wrote in their Matrix chat that CBS News had written about a cyberattack on Ascension Health on 9 May 2024 and exclaimed that “it looks like one of the largest attacks of the year.”

Another BlackBasta member “gg” confirmed in the chat that it was them and appeared to be surprised that the news was writing about it.

Later, “gg” appeared to feel bad about the attack and concerned that cancer patients were suffering. However, at this stage it is hard to tell if they are serious or being sarcastic.

One member of BlackBasta who used the moniker “tinker” then stated that he wanted to be the negotiator for the BlackBasta team and began to strategize how to extract a ransom payment.

“gg” says they encrypted Ascension Health’s network using the Windows Safe Mode Boot technique, which is a function that BlackBasta is well-known to do.

The negotiator, “tinker” begins to weigh up their options. He states he believes the FBI and CISA will be involved, as well as Mandiant and begins to compare the incident to the Change Healthcare attack by ALPHV/BlackCat (and later RansomHub) who received a 22 million USD ransom payment.

“gg” shares that all the stolen data was put on a server named “ftp8” and tagged as “ALBIR_DS” and says to “tinker” that he should “look at the folder name, everything we downloaded from them is there."

The operator, “gg” also shared a summary of the target environment of Ascension Health. This includes number of servers being over 12,000, what security tools they use such as Cylance, Tanium, and McAfee. Plus, “gg” said they downloaded over 1.4TB of data to "ftp8" and used BlackBasta ransomware version 4.0 and attacked them on 8 May 2024.

Interestingly, “gg” appears to have also recommended to bluff to the victim that they stole more than 1.5TB and say to the victim that they stole 3TB instead.

Negotiation Strategizing

After having established the details of the incident, Tinker (the negotiator) began to wonder about the likelihood of getting a ransom payment as well as estimate how much Ascension Health is likely losing per day.

Tinker (negotiator) then explains to the rest of the BlackBasta members involved in the attack what course of action they should take to get the ransom from Ascension Health. Tinker says they would normally set a 3% of the annual revenue and negotiate from there. They note that there are clear problems with the victim being a hospital and that this attack followed the Change Health attack by ALPHV/BlackCat. They also noted that they are worried as they believe the US National Security Agency (NSA) attacked TrickBot's servers four years ago and that the FBI took down Qakbot more recently. Tinker is  also worried that one of Ascension Health’s patients will die and they will be blamed and labelled as a terrorist attack.

Tinker also noted that when BlackSuit attacked Octapharma that it was labelled by the news as "hostile actions by Russia" and they warned that Conti was already under sanctions and that because they are tied to Conti they may not get paid.

Tinker, ransomware negotiator for BlackBasta, ultimately recommended giving the decryptor for free to Ascension Health and resorting to data theft extortion. This is notable, as it is a similar situation to the Irish HSE ransomware attack by Conti, who also provided the decryptor for free.

As ransomware attacks continue to escalate, their toll is often measured in data loss and financial strain. But what about the loss of human life? Nowhere is the ransomware threat more acute than in the healthcare sector, where patients’ lives are literally on the line.

Since 2015, there has been a staggering increase in ransomware attacks on healthcare facilities. And the impacts are severe: Diverted emergency services, delayed critical treatments and even fatalities. Meanwhile, the pledge some ransomware groups made during the COVID-19 pandemic to avoid attacking healthcare providers has been abandoned. It’s clear that hospitals are now fair game.

Ransomware attacks on the healthcare sector cause real harm to patients, impacting survival rates and threatening other critical services. And ransomware targeting other critical infrastructure carries serious implications for public health and safety.

Ransomware in life-and-death situations

Hospitals depend heavily on digital systems for managing patient care. When a ransomware attack strikes, these systems go offline, with often tragic results. Research highlights the risks: There’s been a 300% increase in ransomware attacks on healthcare since 2015. This led to a spike in emergency cases, including strokes and cardiac arrests, at hospitals overwhelmed by patients diverted from facilities hit by cyberattacks.

A study by the University of California San Diego showed that ransomware attacks on hospitals cause a spillover effect. This means neighboring hospitals see a surge in patients, leading to cardiac arrest cases jumping 81%. Survival rates also dropped for those cardiac arrest cases.

One recent example is the ransomware attack on Synnovis, a pathology services provider to the NHS in London. The attack caused problems with blood tests and transfusions, delaying crucial cancer treatments and elective procedures across several hospitals. This disruption illustrates a common trend in healthcare-related ransomware incidents: Delayed testing and procedures can become life-threatening as time-sensitive treatments are postponed or missed altogether.

In another study of two urban emergency departments adjacent to a healthcare organization under attack, researchers noted significant increases in patient volume, longer waiting times and increases in patient “left without being seen” rates. These delays, according to the study, underscore the need for a disaster response approach for such incidents.

In some cases, the tragic consequences of ransomware in healthcare have been documented in legal proceedings. In 2020, a woman sued an Alabama hospital, claiming that a ransomware attack had contributed to the death of her newborn daughter. The hospital’s computer systems were offline during delivery, preventing access to critical monitoring tools and allegedly leading to severe birth complications. While the case has been settled, it raises the question of whether similar events may have occurred without public awareness.

Ransomware impacts beyond healthcare

While the healthcare sector’s vulnerability to ransomware is uniquely tragic, critical infrastructure sectors are also facing increased risks. When Colonial Pipeline, a major fuel distributor, was hit by ransomware in 2021, it led to fuel shortages across the Eastern U.S. Though no direct fatalities were reported, the panic that ensued may have resulted in at least one fatal car accident as people rushed to stockpile fuel.

In critical infrastructure sectors, the potential for loss of life or injury is significant. Attacks on power grids, water supplies and transportation systems could have severe consequences. Researchers warn that a ransomware attack on an energy grid, for example, could disrupt power to hospitals, emergency services and vulnerable populations, putting lives at risk. If the healthcare industry can serve as a lesson, the fallout from critical infrastructure attacks is not a hypothetical but a looming possibility.

Read the Threat Intelligence Index

How ransomware threats exploit vulnerabilities in healthcare

Healthcare facilities are attractive targets for ransomware for several reasons. First, they hold a wealth of sensitive patient data, including medical histories, personal information and financial details. The cost of downtime in healthcare is especially high. When health centers are crippled by ransomware, people’s lives are at stake, making hospitals more likely to pay a ransom quickly. Healthcare ransomware incidents result in an average payment of $4.4 million, according to recent studies from the second quarter of 2024.

Additionally, healthcare facilities often use complex and outdated infrastructure, relying on an assortment of vendors and legacy systems that can be difficult to secure. A lack of centralized cybersecurity across networks further increases vulnerabilities, allowing ransomware groups to infiltrate systems and cause cascading disruptions.

Evidence of ransomware’s lethal potential

Although establishing a direct causal link between ransomware attacks and fatalities can be complicated, recent data provides compelling insights. One analysis estimates that from 2016 to 2021, between 42 and 67 Medicare patients died as a result of ransomware attacks. And this doesn’t include private insurer data. Research also highlights the broader health impacts, including reduced care quality and delayed treatments. During cyber incidents, hospitals often resort to manual processes that lack the safety checks and efficiency of electronic health records, increasing the risk of error and missed diagnoses.

The problem isn’t limited to fatalities. Ransomware-induced delays can exacerbate health issues, resulting in long-term complications and higher healthcare costs. A delayed diagnosis can mean the difference between life and death for conditions like heart disease, stroke and sepsis. Ransomware attacks may, therefore, lead to excess deaths, even if the connection is indirect.

The need for resilience against ransomware attacks

To mitigate the impact of ransomware on patient care, some hospitals have begun implementing ransomware response protocols, such as Children’s National Hospital’s “Code Dark” procedures. These response protocols are designed to maintain continuity of care when systems are down, including clear instructions for manual record-keeping, communication protocols and patient triage. Yet, these steps can only go so far. True resilience requires proactive measures like employee training, layered security controls and frequent system backups to minimize disruption.

As ransomware attacks grow more sophisticated, many in the cybersecurity industry argue for policy changes to address the threat. One critical need is better data sharing among healthcare facilities, cybersecurity experts and government agencies to track trends and respond quickly. Governments also need to classify healthcare cybersecurity as a matter of national security, allocating resources and support to help facilities improve resilience against ransomware and other cyber threats.

Addressing the growing ransomware threat

The threats to the healthcare sector provide a stark reminder of the broader risks ransomware poses to society. While healthcare providers are uniquely vulnerable, other critical infrastructure sectors are increasingly at risk. As demonstrated by the Colonial Pipeline incident, the ripple effects of ransomware can be felt across entire regions, affecting services as fundamental as fuel, water and transportation.

For cybersecurity professionals, the rise in ransomware attacks on critical services calls for a proactive approach to defense. This includes advocating for stronger industry standards, encouraging the use of robust cybersecurity tools and supporting cross-sector collaboration to prepare for and respond to attacks. The goal is clear: To minimize the risk that ransomware claims lives, either directly or through delayed access to essential services.

The post When ransomware kills: Attacks on healthcare facilities appeared first on Security Intelligence.