[BreachExchange] Aged care provider Regis hit by ransomware attack

Destry Winant destry at riskbasedsecurity.com
Thu Aug 6 10:43:29 EDT 2020


https://www.afr.com/technology/aged-care-provider-regis-hit-by-ransomware-hack-20200803-p55hxu

Health and aged care providers have been warned they are vulnerable to
a sharp increase in cyber attacks after an unidentified offshore
adversary published sensitive documents related to an Adelaide-based
aged care facility run by Regis Healthcare.

Documents with details of individual residents' care and accommodation
agreements, employee appraisals and passwords relating to Regis'
eastern suburbs Adelaide home in Burnside were posted to a public
website and have been seen by The Australian Financial Review.

Regis Healthcare, which operates this aged care home in Adelaide's
Burnside, has been hit by an apparent ransomware attack.

The attack prompted the federal government's Australian Cyber Security
Centre (ACSC) to warn of an increasing threat to aged care and
hospital facilities which are seen as "lucrative targets for
ransomware attacks".

Regis, which cares for more than 6700 residents across 63 facilities,
joins the swelling ranks of major Australian companies that have
fallen victim to ransomware attacks. The attack also comes after Prime
Minister Scott Morrison sounded the alarm on a surge in cyber attacks
in June, which were believed to originate in China.

The aged care provider said in a statement to the ASX on Monday it had
been targeted in an attack, but it had not affected delivery of
resident care or services and was not materially affecting Regis
Healthcare's day-to-day operations.

"In addition to attempting to disrupt the company’s operations, the
party also copied some data from the company’s IT system and released
certain personal data publicly," Regis said.

"The company is contacting parties whose personal data has been
publicly released. The company has also reported the incident to the
Office of the Australian Information Commissioner, the Australian
Cyber Security Centre and other regulatory bodies."

Regis declined to comment further.

Already this year logistics company Toll, steelmaker BlueScope and
beverage company Lion have become victims of ransomware attacks. Both
Toll and Lion were hit twice, with the attacks taking their IT systems
offline and causing the businesses to beef up their defences.

Implement back-up system

In contrast, Regis was able to implement its back-up business
continuity systems and its day-to-day operations were able to
continue.

Regis operates aged care homes in Victoria, but has not suffered
COVID-19 infections among residents, unlike listed rival Estia Health
or unlisted competitor Bupa.

Regis shares slipped 3.4 per cent to $1.28 on Monday.

Ransomware is designed to lock or encrypt an organisation’s valuable
information, so that it can no longer be used.

The Maze ransomware was first discovered by Malwarebytes security
researcher Jerome Segura in May 2019 and has evolved so that cyber
criminals steal a company's data while they deploy the ransomware,
then threaten to publish the data if the victim decides not to pay. It
is designed to give the criminal additional leverage over the company
and try and force them to pay.

Last week the Office of the Australian Information Commissioner
released its notifiable data breach report for the first six months of
the year, which indicated a 3 per cent dip in the number of breaches
to 518.

Malicious attacks remain the leading cause of data breaches and
account for 61 per cent of all notifications, while human error is the
other cause.


The majority of data breaches only affected a handful of people, but
there were three attacks that were reported and involved the data of
more than 1 million people.

According to the report, the healthcare sector is the most vulnerable
to attacks, making up 22 per cent (115) of all breaches.

While the OAIC report indicated ransomware only made up 15 per cent of
breaches, Ankura senior managing director Shannon Sedgwick said the
OAIC dataset was not comprehensive because not all breaches were
reported.

"Other published reports of malicious activity since lockdown have
reported up to a 75 per cent increase in the use of ransomware," he
said. "The ACSC has an entire webpage dedicated to COVID-19 cyber
security advice due to the rise in COVID-themed malicious activity.

"It is of no surprise that healthcare recorded the most data breaches.
They are a crucial element of the response to COVID-19, and it is de
rigueur for cyber criminals to exploit organisations during disasters
and challenging periods."

The ACSC said, in a statement dated Sunday, there had been a
"significant" increase of cyber attacks on aged and healthcare
facilities using the Maze ransomware.

"This is because of the sensitive personal and medical information
they hold, and how critical this information is to maintaining
operations and patient care," the ACSC said. "A significant ransomware
attack against a hospital or aged care facility would have a major
impact."

The ACSC said organisations should not pay the ransom demanded.

"There is no guarantee paying the ransom will fix your devices, and it
could make you vulnerable to further attacks," it said.

CISO Lens managing director James Turner said ransomware attacks were
becoming more sophisticated.

"When ransomware was more about simply compromising the availability
of a system, enterprises responded accordingly. The more mature
organisations are now quite proficient at both prevention and
restoration. However, the criminals have come back with a longer
ladder, which is data exfiltration and blackmail," he said.

"There are two absolutely critical lessons for organisations out of
the emergence of ransomware and blackmail. The first is that
prevention is orders of magnitude cheaper than the cure. The second
lesson is that all big companies have secrets their executives don't
want revealed."

