The NetWalker, REvil, SunCrypt, and Pysa (Mespinoza) ransomware groups have posted data allegedly stolen from five healthcare entities in recent weeks in an effort to blackmail them into paying the ransom.
September 17, 2020 - The hacking groups behind Pysa, or Mespinoza, SunCrypt, REvil, and NetWalker ransomware variants posted data allegedly stolen from five separate healthcare entities on the dark web for sale, in an effort to force the organizations into paying their ransom demands.
Double extortion, in which attackers gain a foothold on a network, move laterally to other reachable, vulnerable systems, and exfiltrate sensitive data before deploying the ransomware payload, was first popularized by the Maze hacking group.
Maze notoriously targeted healthcare providers, and other groups soon followed the trend, with NetWalker and REvil actors quickly adopting the profitable technique. The FBI has warned that NetWalker has continued to target healthcare entities throughout the COVID-19 pandemic.
In one of the more notable recent attacks, the University of California San Francisco paid NetWalker $1.14 million to decrypt its data and restore access to the impacted servers after the group infected the network of its School of Medicine.
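The sequence described above has a footprint a defender can look for: a large volume of outbound traffic to an external destination from a host, followed hours or days later by a burst of file renames on that same host when the encryptor runs. The script below is an added example written for this article, not code from any of the groups, victims, or vendors it mentions. The log format, field names, thresholds (1 GiB within an hour, 100 renames within a minute, a 72-hour gap), and the sample events are all constructed assumptions; 198.51.100.7 is a documentation address standing in for an attacker server.

```python
"""Added example: a toy correlation rule for the double-extortion sequence,
i.e. large outbound transfers from a host followed by a burst of file renames
(the usual footprint of an encryption run) on the same host.  Log lines and
field names below are constructed for this example, not any product's schema."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# On-prem ranges (RFC 1918).  Flows to these are ignored so that backup or
# replication traffic inside the network does not trip the exfiltration rule.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry, one event per line:
#   <ISO timestamp> <host> <event> key=value ...
# 198.51.100.7 is a documentation address standing in for an attacker server.
SAMPLE_LOG = [
    "2020-09-13T01:00:00 ws-042 netflow dst=198.51.100.7 bytes=900000000",
    "2020-09-13T01:05:00 ws-042 netflow dst=198.51.100.7 bytes=700000000",
    "2020-09-13T01:07:00 bk-01 netflow dst=10.0.0.5 bytes=50000000000",  # internal backup job
]
# Two hours after the exfiltration, ws-042 renames 150 files within a minute.
SAMPLE_LOG += [f"2020-09-13T03:10:{i % 60:02d} ws-042 rename path=C:\\share\\doc{i}.docx" for i in range(150)]
# ws-017 shows the same rename burst but no prior exfiltration (encryption only).
SAMPLE_LOG += [f"2020-09-13T09:00:{i % 60:02d} ws-017 rename path=D:\\data\\f{i}.xlsx" for i in range(150)]


def parse(line):
    """Split one log line into (timestamp, host, event, {key: value})."""
    ts, host, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return datetime.fromisoformat(ts), host, event, fields


def first_window_hit(stamped, window, threshold):
    """Return the first timestamp at which the sum of weights inside a trailing
    window reaches threshold, or None.  stamped: list of (timestamp, weight)."""
    stamped.sort()
    start, total = 0, 0
    for ts, weight in stamped:
        total += weight
        while stamped[start][0] < ts - window:   # drop events that left the window
            total -= stamped[start][1]
            start += 1
        if total >= threshold:
            return ts
    return None


def exfil_times(events, threshold=1 << 30, window=timedelta(hours=1)):
    """{host: first time at least 1 GiB went to a non-RFC1918 destination within an hour}."""
    flows = defaultdict(list)
    for ts, host, event, f in events:
        if event != "netflow":
            continue
        dst = ip_address(f["dst"])
        if any(dst in net for net in INTERNAL_NETS):
            continue
        flows[host].append((ts, int(f["bytes"])))
    hits = {host: first_window_hit(v, window, threshold) for host, v in flows.items()}
    return {h: t for h, t in hits.items() if t is not None}


def rename_burst_times(events, min_renames=100, window=timedelta(seconds=60)):
    """{host: first time at least min_renames renames occurred within window}."""
    renames = defaultdict(list)
    for ts, host, event, _ in events:
        if event == "rename":
            renames[host].append((ts, 1))
    hits = {host: first_window_hit(v, window, min_renames) for host, v in renames.items()}
    return {h: t for h, t in hits.items() if t is not None}


def detect_double_extortion(lines, max_gap=timedelta(hours=72)):
    """Hosts where a rename burst follows an exfiltration hit within max_gap.
    Returns a sorted list of (host, exfil_time, burst_time)."""
    events = [parse(line) for line in lines]
    exfil = exfil_times(events)
    bursts = rename_burst_times(events)
    alerts = []
    for host, burst_ts in bursts.items():
        ex_ts = exfil.get(host)
        if ex_ts is not None and timedelta(0) <= burst_ts - ex_ts <= max_gap:
            alerts.append((host, ex_ts, burst_ts))
    return sorted(alerts)


if __name__ == "__main__":
    for host, ex_ts, burst_ts in detect_double_extortion(SAMPLE_LOG):
        print(f"{host}: exfiltration at {ex_ts}, encryption-like burst at {burst_ts}")
```

Run against the constructed sample, only ws-042 is reported: ws-017 encrypts without a preceding transfer (a plain ransomware pattern), and bk-01's 50 GB goes to an internal address and is deliberately ignored. In practice the exfiltration stage is the one worth alerting on by itself, since once the rename burst starts the data is already gone and the payment leverage already exists.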
In recent weeks, the blogs of these threat actors have posted “proofs” of data stolen from Assured Imaging, University Hospital New Jersey, National Western Life, The College of Nurses of Ontario, and Nonin Medical, a Minnesota-based designer and manufacturer of noninvasive pulse oximeters, regional oximeters, and capnographs for patient monitoring.
Pysa hackers claim to have stolen data from Assured Imaging, which recently began notifying 244,813 patients that their data was “potentially” exfiltrated after a ransomware attack in May that encrypted its electronic medical record (EMR) system. The notice did not mention the data being posted on Pysa’s blog.
Assured Imaging’s investigation determined the hackers had access to the EMR from May 15 to 17, and the provider acknowledged that some patient data was stolen. The hackers could also have potentially accessed all patient data stored in its systems during the attack.
According to the proofs shared with HealthITSecurity.com, the hackers posted a note with the data sample on September 13, which stated “we already know everything about [these patients] and many others who used the services of this company.”
In response to Assured Imaging’s breach notification, several patients filed a class-action lawsuit against the provider with the US District Court of Arizona. The lawsuit alleges the patients “suffered ascertainable losses in the form of disruption of medical services, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.”
Further, the patients claim the provider maintained patient information in a reckless manner and that the data was kept on Assured Imaging’s network “in a condition vulnerable to cyberattacks… that cause actual disruption to [patients’] medical care and treatment.”
Pysa, or Mespinoza, hackers also claim to have stolen data from Nonin Medical. Shared screenshots show the hackers allegedly took tax files, budget calculations, formations, current settlements, payment orders, and other data from the manufacturer, totaling about 1.55 GB of files “that will not cease to be relevant at any time.”
SunCrypt hackers claim to have stolen data from University Hospital New Jersey and posted it on their blog. The data has since been removed, but screenshots shared with HealthITSecurity.com show the compromised information is highly sensitive, including the sexually transmitted disease status of some patients.
The blog shows the hackers claim to have stolen 240 GB of data, with folders labeled appointments, archives, notice of claims, agreements, litigation files, employment and labor, and credentialing and disciplining of physicians, among others. There are also images of scanned patient IDs and signatures.
In late August, REvil hackers took credit for a ransomware attack and the exfiltration of data from insurer National Western Life. Cyble security researchers posted further screenshots of the data, which show scans of passports.
The dark web posting contains two massive zip files and a message claiming the hackers were contacted by a representative of a competitor to compromise National Western Life's network.
“They offered us a good amount to satisfy our work in the National Western Life Infrastructure,” REvil hackers boasted.
The hackers also solicited payment from any clients whose information appears in the posted data. The attackers plan to release the data they allegedly stole to their blog slowly, in 50 GB waves, so that the company will “fall for a long time.” Security researchers have also posted several indicators of compromise on Twitter.
Lastly, NetWalker claims to have attacked and stolen data from the College of Nurses of Ontario. The screenshots shared with HealthITSecurity.com show files labeled corporate planning, human resources, finance and administration, appeals, cashflow, chief administrative officer updates, and dozens more.
LOOKING AHEAD: THE HARM OF RANSOMWARE PAYMENTS
HealthITSecurity.com reached out to Emsisoft threat analyst Brett Callow to understand how the healthcare sector can better defend against and respond to prevalent ransomware threats, which remain problematic given the disruption they cause to critical services.
“Because so many groups now routinely, these incidents are very often data breaches which expose victim organizations to the possibility of class action lawsuits, regulatory penalties and a myriad of other potential problems,” Callow said. “And, of course, these incidents are bad news for patients too, as it’s typically their medical records and personal information that is exposed and posted online.”
“The only way to stop ransomware is to make it unprofitable, and that means organizations must stop paying ransoms - ideally, because they’ve bolstered their defenses and avoid being hit,” he added. “Unfortunately, there is no evidence that is happening. The bottom line: for as long as ransoms continue to be paid, organizations will remain in the crosshairs.”
This is evidenced by the continued increase in the average ransom demand in recent years, as “criminals are more motivated and better resourced than ever before.”
Healthcare providers should review crucial insights from Microsoft on responding to and preventing human-operated ransomware attacks, including the need to invest in email security (and not to pay the ransom). The Office for Civil Rights has also shared targeted ransomware mitigation and response guidance.