This Month in Ransomware: Hospitals and Patients Affected
Ransomware Attack Wrap-up for December 2022
In December 2022 we saw ransomware cyberattacks on many industries including healthcare, education, manufacturing, finance, technology, media, governmental, energy, and retail. As usual, attacks came in many forms including BlackCat, LockBit, Play and Fidel ransomware.
However, there’s a new ransomware named Royal, which is rebranded version of Zeon ransomware. The U.S. Department of Health and Human Services Cybersecurity Coordination Center (HC3) warned that Royal ransomware attacks were getting more common.
The agency said that “While most of the known ransomware operators have performed Ransomware-as-a-Service, Royal appears to be a private group without any affiliates while maintaining financial motivation as their goal.”
French Hospital Forced to Move Patients due to Ransomware
Dec. 5, 2022
Hospital Centre of Versailles in the Paris suburb of Versailles was hit by a cyberattack that rendered its computers non-functional and forced it to cancel all operations. This has reportedly resulted in the transfer of six patients from the hospital’s intensive care unit to nearby hospitals, with the condition of the patients unknown at this time.
Health minister, Francois Braun, has stated that the cyberattack has resulted in the hospital’s total reorganization, with additional staff needed for intensive care due to the lack of networking capabilities for critical machines.
“Centre hospitalier de Versailles André Mignot” by Henrysalome is licensed under CC BY-SA 3.0
Debt Collector Data Breach
Dec. 1, 2022
Lawsuits have been initiated against debt collection company, Receivables Performance Management (RPM) of Alynwood, Washington, for a data breach/ransomware combo affecting 3.7 million people in April 2021.
Multiple lawsuits in Washington state claim that the company failed to notify the affected people of the breach for over 18 months. But according to RPM’s attorney, Brian Middlebrook, “There is no verified evidence that any personal information was published, shared or misused as a result of this incident.” But the plaintiffs paint a different story saying that the data breach was followed a ransomware attack where files were made penetrable to hackers.
Fidel Ransomware is Alive and Well
Dec. 2, 2022
The Cuba ransomware, also known as Fidel, became widespread in late 2019 and again in 2022, prompting over a hundred victims to pay the ransom, totaling over $60 million. That is almost half of the $145 million it had asked for. This prompted the U.S. Department of Justice and the Federal Bureau of Investigation to issue a flash alert to help prevent further attacks.
The FBI’s latest advisory follows a flash alert from December 2021 in which the FBI revealed that the gang’s ransom payments for attacks on 49 entities were $44 million.
“Fidel” by gianluca cozzolino is licensed under CC BY-NC-ND 2.0
New Zealand Government hit by Ransomware Attack
Dec. 6, 2022
The government of New Zealand has confirmed that it has been affected by a ransomware attack on its managed service provider (MSP), Mercury IT. Mercury IT provides a range of IT, telecom, and support services to multiple organizations in New Zealand, including the health ministry, Te Whakatoo Ora, and Middlemore Hospital.
The attack is preventing access to some patient data, including approximately 14,000 records. The ministry noted that the cyberattack also affected six other regulatory authorities, including the following governmental organizations: Psychologists Board, Chiropractic Board, Podiatrists Board, the Dietitians Board, the Optometrists and Dispensing Opticians Board, and the Physiotherapy Board of New Zealand.
623K Patient Records Stolen in Hospital Cyberattack
Dec. 8, 2022
CommonSpirit Health of Chicago, IL, the second largest health system in the U.S., reported that 623,774 patients’ personal data was accessed during an October ransomware attack.
On Dec. 1, it disclosed the results of the investigation, which was referenced on the U.S. Department of Health breach portal, confirming the data exfiltration-related attack. CommonSpirit operates 140 hospitals and 1,000 care sites across 21 states, creating the potential for major disruption.
Related: NBC News explains how ransomware attacks affect the health of patients
German Hotel Chain H-Hotels Struck by Play Ransomware
Dec 11, 2022
Staff at German hotel chain H-Hotels were hit by the Play ransomware gang and could no longer access email services. As usual, Play announced on its victims blog that the ransomware and data exfiltration attack was performed, exposing data that included guest passport information.
The hotel has confirmed that an attack took place, but that no data was stolen and if it had, they would notify customers about the breach. The hotel chain did not say whether a ransom has been asked for nor paid.
Antwerp Hit by Play Ransomware
Dec. 12, 2022
The Play ransomware operation, which emerged in mid-2022, claimed responsibility for a ransomware attack in Antwerp, Belgium. Specifically, the IT company, Digipolis, was hit by a ransomware attack, which disrupted the IT, email and phone services of the city. Local media reported that the city’s Windows applications and email were no longer available.
The city added that almost all services were unavailable or significantly delayed. Play’s website post claims that 557GB of data was stolen, including personal information, passports, IDs and financial documents.
LockBit Ransomware Attack on California Agency
Dec. 12, 2022
The California Department of Finance has been targeted by a ransomware cyberattack, according to state officials. No state funds were compromised in the attack according to the Governor’s Office of Emergency Services, but they have not been able to provide any more information about the investigation. However, some news outlets are reporting that up to 76GB of data was stolen from the agency, including confidential financial documents and other sensitive information.
The attack comes after a group of Russian-affiliated hackers called LockBit claimed that the state department was one of its latest victims. LockBit has been threatening to release data if unspecified demands are not met by December 24. That date has come and gone, but there’s been no update from the California Department of Finance.
BlackCat Ransomware Disrupts Energy Supplier
Dec. 16, 2022
The BlackCat ransomware group is claiming responsibility for the attack on Colombia’s largest public water, electricity, and gas provider, Empresas Públicas de Medellín (EPM) .
The ransomware attack took EPM’s services offline and disrupted the company’s operations, leaving more than 4,000 employees at home with no access to their IT infrastructure. BleepingComputer is reporting that the BlackCat ransomware group was responsible for the hack, claiming to have accessed business data during the attack.
Canadian Supermarket Chain Loses up to $25 Million in Cyberattack
Dec. 16, 2022
Canadian supermarket retailer, Empire Company, stated in its quarterly results that it may lose up to C$25 million for costs not covered by cyber insurance from the cyberattack it suffered on November 4, 2022.
“On November 4, Empire experienced some IT system issues related to a cybersecurity event. Based on an initial assessment, management estimates the financial impact of the cybersecurity event on the fiscal 2023 annual net earnings will be approximately $25 million, net of insurance recoveries.”
This attack shows that even with cyber insurance, an organization can sustain substantial losses due to a malware attack. So, cybersecurity best practices like inspecting SSL traffic for malicious content, back ups, hardening endpoints, keeping systems patched, and Zero Trust training are imperative.
Do you know what the first documented ransomware attack was?
It employed social engineering too. Way back in 1989 the AIDS Trojan Horse ransomware was engineered by evolutionary biologist Dr. Joseph Popp, loaded onto floppy discs, and mailed to 20,000 attendees of that year’s World Health Organization’s AIDS conference.
The disc was labeled “AIDS Information, Introductory Diskette” and included a label instructing how to load it into the A drive and install. The malware then counted down to the 90th system reboot, which is when it struck, hiding directories and encrypting the names of all files on the C drive. The user then saw a pop-up that informed them they needed to “renew the license,” sending $189 to a post office box in Panama.
Despite the incredible logistics required to pull off the hack, a judge determined Popp wasn’t fit to stand trial. He took to wearing a cardboard box on his head and other odd behavior, which may have contributed to the court’s position.
But some legal scholars have questioned whether what Popp did was prosecutable blackmail since he added the following terms onto a leaflet that accompanied the discs stating:
“These program mechanisms will adversely affect other program applications on microcomputers. You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement: your conscience may haunt you for the rest of your life; you will owe compensation and possible damages to PC Cyborg Corporation; and your microcomputer will stop functioning normally.”
Social Engineering Produces Almost 50 Percent of Data Breaches
Dec 19, 2022
A report by data protection firm, Acronis, found phishing/malicious email threats were up 60 percent in 2022 and projected the average data breach cost to hit $5 million in 2023. Its research team observed a rise in social engineering attacks in the last four months of 2022. Credential theft, which enabled attackers to launch ransomware campaigns, were responsible for nearly 50 percent of the breaches reported in the initial six months of 2022. Apparently, we all need a refresher course on Zero Trust security.
College Students Received Hive Ransomware Demands
Dec 20, 2022
In what appears to be a first, news media reported that ransomware hackers contacted students at a university they attacked. It’s unclear from reports whether the hackers were asking for money or simply pressuring students in hopes they would pressure university administration to pay Hive ransomware group’s ransom demands.
The email, received by Knox College students in Illinois on Dec 12. stated,
“We have compromised your collage networks. The data we have includes your personal information, medical records, psychological assessments, and many other sensitive data. Additionally, all of your SSN and medical records will be put for sale, for every hacker to gain access and use your data in whatever illegal activity they want.”
Third Fasted Growing Media Company Held for Ransom
Dec 21, 2022
The Guardian newspaper reported that it had experienced a serious IT incident believed to be ransomware attack, but at the time of this writing, little else is known other than what is being self-reported by The Guardian:
- Management stated that online publishing has not been affected and that it is confident a morning newspaper can be printed without issue.
- The Guardian Media Group chief executive, Anna Bateson, and the editor-in-chief, Katharine Viner, sent communications to employees asking them to work from home for now, something with which the staff became familiar during pandemic.
Using Similarweb data, the UK’s Press Gazette ranked The Guardian the fourth fastest growing news site in the world at 387.6 million visits in November 2022, up 13 percent from the previous month.
The Guardian isn’t alone. News outlets worldwide have been targeted consistently by cybercriminals and nation-states, with quite a few examples like:
- The French newspaper L’Équipe was hit by ransomware in March 2022. Threat actors infiltrated the servers of the sports daily for several weeks, demanding a ransom so that newspaper employees could regain access to their online applications.
- Germany’s Stimme Mediengruppe media group had a bout with ransomware in October 2022 in what Uwe Ralf Heer, editor-in-chief of Heilbronn Stimme, described as an attack by a “well-known cybercriminal group,” that left their systems encrypted. The attack took the printed newspaper offline for four days.
“Window of the building housing The Guardian newspaper, London England” by Bryantbob is licensed under CC BY-SA 3.0
Clop Ransomware Changing Tactics to Maximize Ransom Payments
Dec 22, 2022
Clop, a ransomware group involved in the Accellion data breach. Clop targets medical organizations with yearly income surpassing $10 million, but it has also struck smaller clinics like dentists’ and doctors’ offices. It altered its approach to infect files camouflaged as medical images and documents after experiencing difficulty finding people willing to pay the ransom.
During COVID, the group shifted to target telehealth, aiming to steal medical data, pics, and even construct fake appointment requests and medical records to deploy malware.
Hold Security Founder Alex Holden warned SCMedia that “They’re basically registered as the patient themselves. They are taking medical records from the victim, and no one is looking … They don’t have to fib because it’s telehealth, and it’s believable.”
For example, when referring a telehealth patient for imaging, Clop can get their medical record and insurance details, then send a malware-filled file disguised as the results to the physician. This would then infect the practice’s system.
Cyber Insurance Soon to be a Thing of the Past?
Dec. 26, 2022
Mario Greco, the CEO of one of Europe’s largest insurers, Zurich Insurance, spoke with the Financial Times and stated that the insurance industry has a limit to the amount of losses it can cover from the ever increasing cyberattacks.
Insurance executives have recently expressed concern about risks such as pandemics and climate change, and their ability to provide coverage. For two years, natural disaster claims have exceeded $100 billion. But Greco told the FT that cyberattacks are the risk to watch in 2023 and beyond.
“What will become uninsurable is going to be cyber… this is not just data … this is about civilisation. These people can severely disrupt our lives.”
– Mario Greco, CEO of Zurich insurance, Source: Financial Times
Related Resources
- Thunder® SSL Insight: TLS/SSL Decryption for Real-time Visibility into Encrypted Traffic (Product Page)
- SSL/TLS Inspection (Solution Page)
- Ransomware and Resiliency. To Trust or Not Trust? (Webinar)
- Combating the Surge of Modern Malware and Ransomware (eBook)
- 5 Steps to Enhance Your Enterprise Security with High Performance SSL/TLS Decryption (eBook)