[BreachExchange] Ransomware Hacking Groups Post Data from 5 Healthcare Entities

Destry Winant destry at riskbasedsecurity.com
Fri Sep 18 09:54:34 EDT 2020


https://healthitsecurity.com/news/ransomware-hacking-groups-post-data-from-5-healthcare-entities

The hacking groups behind Pysa or Mespinoza, SunCrypt, REvil, and
NetWalker ransomware variants posted data allegedly stolen from five
separate healthcare entities on the dark web for sale, in an effort to
force the organizations into paying their ransom demands.

Double extortion – where hackers gain a foothold onto a network,
proliferate to connected, vulnerable devices, and exfiltrate sensitive
data before launching a ransomware payload – was first made popular by
the Maze hacking group.

The hackers notoriously targeted healthcare providers, and other
hacking groups soon followed the trend, with NetWalker and REvil
actors quickly taking advantage of the profitable technique. The FBI
has warned that NetWalker has continued to target healthcare entities
throughout the COVID-19 pandemic.

In one of the more prolific recent attacks, the University of
California San Francisco paid NetWalker hackers $1.14 million to
decrypt the data and restore access to the impacted servers, after
they infected the network of its School of Medicine.

In recent weeks, the blogs of these threat actors have posted “proofs”
of data stolen from Assured Imaging, University Hospital New Jersey,
National Western Life, The College of Nurses of Ontario, and Nonin
Medical, a Minnesota-based designer and manufacturer of noninvasive
pulse oximeters, regional oximeters, and capnographs for patient
monitoring.

Pysa hackers claim to have stolen data from Assured Imaging, which
recently began notifying 244,813 patients that their data was
“potentially” exfiltrated after a ransomware attack. The notice did
not mention the data being posted on Pysa’s blog, after hackers
encrypted their electronic medical system in May.

Assured Imaging’s investigation determined the hackers had access to
the EMR from May 15 to 17, which the provider acknowledged resulted in
the theft of some patient data. Further, the hackers could have
potentially accessed all patient data stored in its systems during the
attack.

According to the proofs shared with HealthITSecurity.com, the hackers
posted a note with the data sample on September 13, which stated “we
already know everything about [these patients] and many others who
used the services of this company.”

In response to Assured Imaging’s breach notification, several patients
filed a class-action lawsuit against the provider with the US District
Court of Arizona. The lawsuit alleges the patients “suffered
ascertainable losses in the form of disruption of medical services,
out-of-pocket expenses and the value of their time reasonably incurred
to remedy or mitigate the effects of the attack.”

Further, the patients claim the provider maintained patient
information in a reckless manner and that the data was maintained on
Assured Imaging’s network “in a condition vulnerable to cyberattacks…
that cause actual disruption to [patients’] medical care and
treatment.”

For Nonin Medical, Pysa or Mespinoza hackers claim to have stolen some
of their data. Shared screenshots show the hackers allegedly stole tax
files, budget calculations, formations, current settlements, payment
orders, and other data from the manufacturer, which totaled about 1.55
GB of files “that will not cease to be relevant at any time.”

SunCrypt hackers claim to have allegedly stolen data from the
University Hospital New Jersey and posted it on their blog. The data
has since been removed, but in screenshots shared with
HealthITSecurity.com the compromised information is highly sensitive
in nature, including the status of sexually transmitted diseases for
some patients.

The blog shows the hackers claim to have stolen 240 GB of data with
folders labeled appointments, archives, notice of claims, agreements,
litigation files, employment and labor, and credentialing and
disciplining of physicians, among others. There are also images of
scanned patient IDs and signatures.

In late August, REvil hackers took the credit for a ransomware attack
and the exfiltration of data from insurer National Western Life. Cyble
security researchers posted further screenshots of the data, which
shows scans of patient passports.

The dark web posting contains two massive zip files and a message that
claims the hackers were contacted by a representative from a
competitor company to compromise National Western Life's network.

“They offered us a good amount to satisfy our work in the National
Western Life Infrastructure,” REvil hackers boasted.

They further asked for payment from any clients found in the data
posted by the hackers. The attackers plan to slowly release the data
they allegedly stole to their blog in 50 GB waves, in order for the
company to “fall for a long time.” Security researchers also posted
several indicators of compromise on Twitter.

Lastly, NetWalker claims to have attacked and stolen data from the
College of Nurses of Ontario. The screenshots shared with the site
show files labeled corporate planning, human resources, finance and
administration, appeals, cashflow, chief administrative officer
updates, and dozens more files.

LOOKING AHEAD: THE HARM OF RANSOMWARE PAYMENTS

HealthITSecurity.com reached out to Emsisoft Threat Analyst Brett
Callow to understand how the healthcare sector can better defend
against and respond to prevalent ransomware threats. The attacks
remain problematic given the disruption they cause to critical
services.

“Because so many groups now routinely, these incidents are very often
data breaches which expose victim organizations to the possibility of
class action lawsuits, regulatory penalties and a myriad of other
potential problems,” Callow said. “And, of course, these incidents are
bad news for patients too, as it’s typically their medical records and
personal information that is exposed and posted online.”

“The only way to stop ransomware is to make it unprofitable, and that
means organizations must stop paying ransoms - ideally, because
they’ve bolstered their defenses and avoid being hit,” he added.
“Unfortunately, there is no evidence that is happening. The bottom
line: for as long as ransoms continue to be paid, organizations will
remain in the crosshairs.”

This can be evidenced in the continued increase of the average ransom
demand in recent years, as “criminals are more motivated and better
resourced than ever before.”

Healthcare providers should review crucial insights from Microsoft
that focus on responding to and preventing human-operated ransomware
attacks, on the need to invest in email security, and on not paying
the ransom. The Office for Civil Rights also shared targeted
ransomware mitigation and response guidance.
