
South Africa’s NHLS is recovering from a ransomware attack quickly, it just doesn’t feel that way

It’s estimated that the NHLS handles diagnostic tests for about 80% of South Africa’s population. Ransomware groups don’t care.

On June 22, 2024, the South African National Health Laboratory Service (NHLS) was hit by a ransomware attack, which compromised its systems and infrastructure. The attack was claimed by the BlackSuit ransomware group, and the NHLS has stated it will not communicate with its assailants, and won’t pay a ransom.

The NHLS runs 265 laboratories across South Africa that provide testing services for public healthcare facilities in the country’s nine provinces. Estimates say that NHLS handles the diagnostic tests for about 80% of South Africa’s population.

On July 3, 2024, the organization said it expected to have restored functionality by mid-July. It says its testing laboratories are already fully operational; the biggest challenge at the moment is getting the test results back to the clinics that need them.

Although the wait for systems to be restored is likely to feel like a very long time for people who are waiting on results, three or four weeks is a swift recovery. As we have reported in the past, the average downtime caused by ransomware attacks is 21 days, and on average it takes organizations 287 days to fully recover.

So, it’s not like the NHLS is doing a bad job or dragging its feet. It’s the impact of the delays that’s unbearable. The state-owned diagnostic pathology service has since distributed a critical test list to all health facilities to limit the volume of test requests. It has also had to come up with alternatives to make tuberculosis (TB) and HIV viral load historical test results available to clinicians.

For now, all urgent test results are delivered over the phone to health officials, with all the transcription and transmission errors that manual relaying can introduce.

NHLS CEO Koleka Mlisana stated:

The breach has endangered the safety and well-being of millions of public health patients.

Recent research backs up this statement: ransomware attacks on healthcare carry serious consequences and are associated with an increased mortality rate in hospitals.

Another thing we’ve learned over time while dealing with ransomware is that the complexity of the environment has a negative impact on the recovery time. Technical debt such as legacy systems, software that is behind on updates, and network devices that are past their end-of-life (EOL) date not only creates weak spots in defenses, but also increases the time it takes to fully recover.

We first discussed BlackSuit in our monthly Ransomware review of June 2023. At the time, we noted that its ransomware is strikingly similar to Royal, sharing 98% of its code. The group has a history of attacking critical industries like healthcare, government, and education.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
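The backup advice above only helps if a restore has actually been rehearsed. The following script is an added example, not code from the NHLS or from this article, showing the minimum a regular restore test should do: back up a directory, record a SHA-256 manifest of every file, restore the archive into a scratch location, and verify the restored tree against the manifest so that a silently incomplete or altered backup is caught before an incident. The sample data and all paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: rehearse a backup restore and verify it file by file.
# Not NHLS or ThreatDown code; the sample tree below is constructed.
set -eu

# Build a small constructed "production" tree that stands in for real data.
make_sample_data() {
    dir=$1
    mkdir -p "$dir/lis/results"
    printf 'patient=ANON-001;test=HIV-VL;result=undetectable\n' > "$dir/lis/results/r1.txt"
    printf 'patient=ANON-002;test=TB-GX;result=negative\n' > "$dir/lis/results/r2.txt"
    printf 'retention=7y\n' > "$dir/lis/config.ini"
}

# Create the backup: a tar archive plus a SHA-256 manifest of every file.
# The manifest is kept separately from the archive; it is what lets a restore
# test prove that nothing is missing or altered, rather than just "tar ran".
create_backup() {
    src=$1; archive=$2; manifest=$3
    ( cd "$src" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) > "$manifest"
    tar -C "$src" -cf "$archive" .
}

# Restore into a scratch directory and check every file against the manifest.
# Returns 0 only if the restore is complete and bit-for-bit identical.
verify_restore() {
    archive=$1; manifest=$2; scratch=$3
    rm -rf "$scratch"; mkdir -p "$scratch"
    tar -C "$scratch" -xf "$archive"
    ( cd "$scratch" && sha256sum -c "$manifest" >/dev/null )
}

# Stand-alone demo: back up, restore, verify, then clean up.
WORK=$(mktemp -d)
make_sample_data "$WORK/prod"
create_backup "$WORK/prod" "$WORK/lis-backup.tar" "$WORK/lis-backup.sha256"
if verify_restore "$WORK/lis-backup.tar" "$WORK/lis-backup.sha256" "$WORK/restore-test"; then
    echo "restore test passed: $(wc -l < "$WORK/lis-backup.sha256") files verified"
else
    echo "restore test FAILED" >&2
fi
rm -rf "$WORK"
```

In a real deployment the manifest and archive would be written to the offline or offsite location and the restore test scheduled against a copy pulled back from there, since a restore that only works from the still-online staging copy proves nothing about what survives an attacker who reaches the primary systems.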