[BreachExchange] SCOOP: UnitingCare paid hundreds of thousands of dollars to REvil for decryption key and deletion of files

[Sophia Kingsbury]

https://www.databreaches.net/scoop-unitingcare-paid-hundreds-of-thousands-of-dollars-to-revil-for-decryption-key-and-deletion-of-files/

On April 25, UnitingCare Queensland (UCQ) was the victim of a ransomware
attack that impacted multiple Queensland hospitals and aged care centres.
The next day, they posted a notice on their web site informing people as to
what was happening and its impact. And on May 5, they posted a second
update where they revealed that it was REvil (Sodinokibi) threat actors who
had attacked them. That update described steps they had taken since the
incident to safely recover and restore services. They also noted:

With the assistance of leading experts and advisors, we are conducting a
thorough investigation into whether patient, client, resident or employee
information has been breached. This investigation is continuing and we will
continue to keep the people we care for updated in this regard, in addition
to employees, regulators and other stakeholders.

But their subsequent (and most recent) update of June 10 provided no update
on whether they had determined whether any patient, employee, customer, or
vendor data was exfiltrated or compromised. Nor did they disclose whether
UnitingCare paid any ransom demand.

DataBreaches.net can now report that UnitingCare has reason to believe that
patient data and personal information were compromised. And this site can
now report that UnitingCare paid REvil ransom to get a decryption key and
to get assurances that all files would be deleted.  UnitingCare did not pay
as much ransom as the threat actors originally demanded, but they did pay
hundreds of thousands of dollars.

REvil Chat Intro

“We want to inform that your company local network have been hacked and
encrypted. We have all your local network data. The Price to unlock is
$1,000,000. Now we’re keeping it a secret, but if you do not reply us
within 3 days it will be posted on our news-site. “

The following is based on a copy of ransom negotiations between REvil and
someone representing UnitingCare who claimed to be “Ryan” from IT. Whether
he really is named Ryan and is really part of IT or was a hired negotiator
is unknown to DataBreaches.net.

During the course of the negotiations, REvil provided some proof of claims
to UnitingCare that included files with patient information and personal
information, such as a list of files that contained copies of passports for
named individuals. Another file contained narratives of mandatory
reportable incidents on named patients. When UnitingCare’s negotiator asked
to see specific files referenced in the proffer of proof, REvil provided
them.

Those files should have subsequently been deleted in their entirety
following the ransom payment, yet DataBreaches.net found that those files
are still available online. Does UnitingCare know that?

When negotiations began, REvil’s negotiator/support person indicated that
they would give a 20% discount for quick payment. “Ryan” said that was
still unworkable for them and offered $195,000. Unsurprisingly, REvil
rejected it outright.

“What do you propose then?,” Ryan asked. “Please understand the
circumstances we are in. Everything is shut down, we can’t help our
patients. Everyday we are down, the worse off we are. We need to purchase
the tool quickly and in good faith, already hired a broker in the US to
assist us and sent him some funds so he can buy crypto quickly for you.”

REvil’s answer was not what Ryan likely hoped for:

“We have been administrators of your network for a long time and we know
how much you are willing to pay. Our latest offer is 700k but that’s all.
Our servers have hundreds of gigabytes of your confidential data. You must
understand the seriousness of the situation.”

Eventually, after a lot of back-and-forth negotiations, REvil agreed to
accept $300,000, but then pointed out that was for payment by Monero and
payment by BTC would tack on an extra 10% for the processor. That resulted
in more negotiations, with Ryan asking:

“Why do you ask for payment in a currency the US can’t pay ?”

“If you keep asking stupid questions, you will be banned from this chat,”
REvil replied. “Either you pay, or we publish your data in the media with
the subsequent sale, you must pass this information to your boss.”

Ryan also asked whether REvil would provide them with a copy of the files
before they deleted them. REvil refused, stating:

“We provide a complete file tree for complete confidentiality after payment
arrives at our account, the data is automatically deleted along with the
server.”  As he also reiterated that after payment, UnitingCare would
receive:

– Universal decryptor for your all network
– The complete deletion of all your files with our warranty not to use the
data for any purpose.
– 100% confidentiality of this incident and all terms of the transaction on
our part.
– Complete audit of your network to prevent similar attacks in the future

[Well, we can already see that the second and third promises were not fully
kept as DataBreaches.net found some of the files still online and was able
to find the terms of their negotiations, etc.]

Ryan pressed to get the actual files in addition to the file tree:

“We 100% would like the file tree before you delete the files. But if there
is any way we can download the files before you delete them, that would be
preffered. Is that possible at all?”

And that’s when REvil had the absolute chutzpah to respond:

“No, this violates our privacy policy.
Only file tree”

I’ll let that sink in for a minute. Not only does the support person claim
that REvil has a privacy policy, but he claims that it prevents them from
giving their victims copies of their own files.

[In preparing this story, I did try to find a Russian translation for
“chutzpah,” but like many Yiddish words or phrases, it’s hard to find an
exact equivalent.  “наглость” perhaps?]

In any event, after payment was made last month, REvil did provide
UnitingCare with what they had previously described as “Part of random
lines from the tree file.” There were more than 209,000 files listed. Many
of the filenames suggested that they contained patient information for
named patients.

Although REvil assured Ryan that all files had been deleted, the file tree
wasn’t deleted and that appears to reveal patient names and other personal
information. DataBreaches.net is providing just a small sample from the
file tree, and has redacted individuals’ names.

Does UnitingCare know the unredacted file tree is still available online?
And that the mandatory reportable incidents file is still available online?

In the U.S., this would all be a reportable breach under HIPAA, but
DataBreaches.net does not know AU law on notification requirements.

DataBreaches.net sent a number of questions to UnitingCare yesterday and
added additional questions today. As of the time of publication, no
response has been received.  But DataBreaches.net notes that UnitingCare
now claims that it has restored key systems, while not publicly revealing
that it had paid ransom to get the decryptor key.

[There are many who would disapprove of the ransom payment as it only
encourages more crime. There are also many who would understand why a
healthcare system would pay ransom and just be glad that they didn’t reveal
it so as not to encourage more crime.]

UnitingCare’s last exchange with REvil appeared to be four days ago when
Ryan reappeared and started pressing REvil to provide them with an invoice.

Ryan: Can you please provide the invoice??
REvil: We do not issue invoices
Ryan: any other method please?? Please understand I will lost my job..
Higher management is asking for it.
REvil: wait for answer.
Ryan: ok I am waiting. Thanks
Ryan: Please help me fast please it’s a humble request.. Higher management
is keep pinging me & asking for it
Ryan: It’s about my job please understand. I don’t want to lose my job. I
have my loans and debts which I have to pay. Please help me fast
Ryan: are you there???
Ryan: kindly reply me.. please understand my situation
REvil: wait for answer

That was four days ago. And no, DataBreaches.net has no idea why they would
be pressing for an invoice, but if UnitingCare responds to inquiries or
would care to explain, this post will be updated.

Post-publication, typos calling the entity UnitedCaring were corrected.
Also post-publication, this site received a reply from the  corporate
communications manager from UnitingCare that said:

Thanks for your enquiry.

Our most up to date statement regarding the cyber incident and our recovery
process is on our website and we have nothing further to add at this stage.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210617/e9b6bbf1/attachment.html>