Hospitals in US, France Dealing With Cyber ExtortionistsTexas Hospital Still Being Pressured, While French Hospital Responds to Ransomware
A Texas-based hospital is apparently still contending with pressure to pay an extortion group that claims to have stolen patient data months ago, while a Paris-area medical center reportedly responds to a weekend attack and demands to pay a $10 million ransom.
While the details of the incidents differ, together they spotlight the ongoing ransom threats that healthcare sector entities globally are facing and the need for to stay proactive in their defenses and response plans.
"Organizations should be prepared to spend some time enriching their business continuity and disaster recovery programs," says Will Clark, a virtual CISO and principal consultant at privacy and security consultancy Clearwater.
"After all, being prepared for exactly this type of event is likely the best response."
Methodist McKinney/Karakurt Saga
McKinney, Texas-based Methodist McKinney Hospital in an statement issued on July 29 and updated on Aug. 3 about its incident says that it became aware on July 5 "of unusual activity on certain systems."
Methodist McKinney says its investigation confirmed that an unauthorized actor accessed certain systems and "copied" certain files containing patient information between May 20 and July 7 (see: Vendor Ransomware Breach Affected 942,000 Patients)
Affected information includes name, address, Social Security number, date of birth, medical history information, medical diagnosis information, treatment information, medical record number, and health insurance information, Methodist McKinney says.
However, in a "press release" posted last Friday on the darkweb, extortion group Karakurt - which takes credit for the attack - blasts Methodist McKinney for refusing to negotiate.
A few days earlier, Karakurt had threatened on its dark web site to publish more than 367 GB of data stolen from the healthcare provider.
In its attempt to pressure Methodist McKinney Hospital, Karakurt alleges that the entity "found out about the data breaches much earlier" than the hospital suggests in its public statement, and that on July 5 it entered into a dialogue with the group, "thereby confirming the fact of data leak."
"During this dialogue, within two weeks, we provided McKinney Hospital with all the confirmations and the file listing - this means that by July 21, - when the hospital interrupted the dialogue - it was already clear to Methodist McKinney Hospital what exact data we have," Karakurt alleges. "They had enough time to notify their patient about the massive data breach before this announcement."
Methodist McKinney did not immediately respond to Information Security Media Group's request for additional details about the incident, including on Karakurt's claims of data theft involving the attack.
Karakurt is an "exfiltration-only" group that does not encrypt data, which been active since the middle of last year, says Brett Callow, a threat analyst at security firm Emsisoft. Karakurt may have some personnel overlap with the now defunct Conti operation, he adds.
"According to Karakurt, Methodist McKinney did not pay the demand - and that was absolutely the right decision," Callow says.
"It makes absolutely no sense for any organization to ever pay in this situation. The data breach cannot be undone and all they’d get for their money is a pinkie promise from an untrustworthy bad faith actor that the data will be destroyed," he says.
"Groups don’t always abide by their pinkie promises - which isn’t at all surprising. Why would cybercriminals destroy data that they may be able to monetize at a later date?"
The U.S. Cybersecurity and Infrastructure Security Agency in an alert about Karakurt issued in June says Karakurt actors typically provide victim with screenshots or copies of stolen file directories as proof of stolen data as part of their extortion demands.
"Karakurt actors have contacted victims’ employees, business partners, and clients with harassing emails and phone calls to pressure the victims to cooperate," CISA says.
CHSF Hospital Centre Attack
The 1,000-bed CHSF Hospital Centre in Corbeil-Essonnes, which is located southeast of Paris, has been dealing with a ransomware attack that began late Saturday night, according to local news site RFI.
The attack is disrupting the hospital's IT, medical imaging and other systems, with hackers demanding a multi-million-dollar ransom, RFI reports.
"Hackers have reportedly issued a demand of $10 million dollars - in English - for the ransomware attack to be stopped," the news site says, adding that French law enforcement and security experts are investigating the incident and have identified the type of malware used in the assault.
The hospital says the attack has rendered inaccessible "all the hospital's business software, storage systems - particularly medical imaging - and the information system relating to patient admissions," according to RFI.
CHSF Hospital Centre media representatives did not immediately respond to an ISMG request for comment.
That includes making sure all computers, servers, printers, and devices are patched and operating at their newest, safest level by routinely running vulnerability scans and resolving the issues, he says.
"Additionally, to protect against data theft/exfiltration, it’s good to have all data encrypted - both when at rest and in transit - so that if stolen, the data are useless to hackers," he says. "Meaningful segregation of networks and systems can help contain the damage as well, by making logical sections of the network less vulnerable to penetration and exploitation."
Also, critical for organization is promoting a security culture that is proactive - and not just reactive - to addressing threats.
"This would include having a well-developed risk analysis program in effect, where careful review and thoughtful response to reasonably anticipated threat events is considered and documented annually," he says.
Extended and coordinated threat detection and response - XDR technology - can also prove helpful in responding to a threat, speeding up detection and remediating more quickly, he says.
"Threat actors rely on our relative lack of awareness in our own systems and networks to cart off data while we’re looking the other way. Coordinated network awareness, or consciousness if you will, can be a powerful way to respond to these types of advanced threats."