DICT restoring PhilHealth systems affected by ransomware

OFFLINE. The Philippine Health Insurance Corporation branch in Mother Ignacia Avenue, Quezon City is still on manual mode Tuesday (Sept. 26, 2023), four days after the agency’s system was attacked by the Medusa ransomware. The state health insurer is expecting to open some of its online services by Wednesday (Sept. 27) as it recovers from the cybersecurity attack. (PNA photo by Joan Bondoc)

MANILA – The Department of Information and Communications Technology (DICT) said it is restoring PhilHealth’s systems affected by a ransomware attack, as it condemned the attempt to illegally access member information.

“Efforts to restore the functionality of PhilHealth’s DNS server are underway. An extensive checklist has been prepared by the DICT to benchmark PhilHealth’s readiness to get their systems online,” the DICT said in a statement Thursday.

The department said they would continue to investigate and monitor the acquired logs from PhilHealth’s affected systems and fully secure and ensure the stability of its systems.

PhilHealth has been on manual operation since Sept. 22 after the hacking of its database through the Medusa ransomware.

As of Sept. 25, PhilHealth’s critical web services have only been accessible through their IP addresses and ongoing comprehensive security scanning, the DICT said.

PhilHealth Senior Vice President for Health Finance Policy, Dr. Israel Francis Pargas, earlier said about 72 workstations were infected and the affected systems include the e-claims system, member portal system, and collection system.

He said no personal and medical information of PhilHealth members has been compromised.

Upon learning of the breach, the DICT implemented critical security measures, including the disconnection of workstations from the network, prompt coordination with PhilHealth to gauge the extent of the attack, and collection of relevant logs for thorough analysis.

Earlier, the DICT said the Medusa ransomware attacks began in 2019.

International syndicates usually acquire data from websites and encrypt them. For the data to be decrypted and used again, these groups demand a ransom payment from owners of compromised device/s.

In an advisory, the DICT said the Medusa ransomware is distributed by “exploiting publicly exposed Remote Desktop Protocol servers either through brute force attacks, phishing campaigns, or exploitation of existing vulnerabilities.”

“Once inside the network, the Medusa ransomware will then move laterally on the network to infect other machines via Server Message Block or by exploiting the Windows Management Instrumentation,” the DICT said.

The agency advised government agencies and the public to refer to the technical advisory through the link https://dict.gov.ph/wp-content/uploads/2023/09/DICT-Medusa-Advisory.pdf for further details about the Medusa ransomware and the measures that must be implemented to prevent it from accessing systems and devices.