Breach Notification , Business Continuity Management / Disaster Recovery , Critical Infrastructure Security

AvosLocker Claims Data Theft From Another Healthcare Entity

Ransomware Group Leaks Alleged Sample of Stolen Cancer Patient Info
AvosLocker Claims Data Theft From Another Healthcare Entity

In its most recent assault against a healthcare entity, ransomware-as-a-service operator AvosLocker claims to be behind an attack allegedly involving data theft from Texas-based CHRISTUS Health, which operates hundreds of healthcare facilities in the U.S., Mexico and South America.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

A sample of data allegedly stolen from CHRISTUS and posted on the AvosLocker dark web leak site last week includes cancer patient registry information - such as names, dates of birth, Social Security numbers, diagnoses and other medical information - related to cases planned for discussion at an April cancer tumor conference.

CHRISTUS Health, a nonprofit Catholic health system headquartered in Irving, Texas, operates more than 600 healthcare facilities in four U.S. states - Texas, Louisiana, New Mexico and Arkansas - plus facilities in Mexico, Chile and Columbia, according to the organization.

In a statement provided to Information Security Media Group, CHRISTUS Health says it recently learned of "unauthorized activity" on its computer network.

"This was quickly identified and blocked by CHRISTUS information security. At this time, it appears that the incident is limited and didn’t impact any of CHRISTUS Health’s patient care or clinical operations. We are working with industry experts to investigate and address the issue. CHRISTUS values and is committed to the privacy and security of all those we are privileged to serve," the statement says.

CHRISTUS Health did not immediately respond to ISMG's inquiries about whether the incident involved data exfiltration, ransomware or an extortion demand by AvosLocker-affiliated threat actors.

Other Incidents

The post last week by AvosLocker on its dark web data leak site related to CHRISTUS Health is the latest incident allegedly involving an attack by the RaaS group on a healthcare sector entity.

In April, the group leaked data allegedly stolen in an attack against Michigan-based McKenzie Health System, according to data breach blog

On Wednesday, McKenzie Health System reported to the U.S. Department of Health and Human Services a hacking/IT incident involving a network server and affecting more than 25,300 individuals, according to HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.

In a breach notification statement posted on its website last week, McKenzie Health System says that on March 11 it discovered a security incident that disrupted the operations of some of its IT systems.

McKenzie Health says its investigation into the incident found that an unauthorized party had accessed its systems and removed some files.

"On April 22, through our ongoing analysis of the files involved in the incident, we determined that the files contained information belonging to some McKenzie Health System patients." That information includes names, contact information, demographic information, dates of birth, Social Security numbers, diagnosis and treatment information, prescription information, medical record numbers, provider names, dates of service, and/or health insurance information, McKenzie says

The breach notification statement did not identify AvosLocker or any other cybercriminal group potentially linked to the incident. It also did not immediately respond to ISMG's request for comment and details about the incident.

Other earlier healthcare sector victims of AvosLocker includes Moorfields Eye Hospital UAE, which is a branch of the British National Health Service's Moorfields Eye Hospital Foundation Trust, from which the group claimed to have stolen more than 60GB of data in August 2021 (see: Ransomware Alert: AvosLocker Hits Critical Infrastructure).

Government Warnings

AvosLeak was also the subject of a joint advisory in March from the FBI, the U.S. Treasury Department and its Financial Crimes Enforcement Network bureau - FinCEN - warning that the RaaS affiliate-based group has targeted victims across multiple critical infrastructure sectors in the U.S., including financial services, critical manufacturing and government.

"AvosLocker claims to directly handle ransom negotiations, as well as the publishing and hosting of exfiltrated victim data after their affiliates infect targets," the advisory says. "As a result, AvosLocker indicators of compromise vary between indicators specific to AvosLocker malware and indicators specific to the individual affiliate responsible for the intrusion."

"Unfortunately, providers that have had data exfiltrated are without any good option. They've had a data breach and, whether they pay or not, that cannot be undone."
—Brett Callow, Emsisoft

AvosLocker ransomware encrypts files on a victim's server and renames them with the ".avos" extension, the advisory says. "Depending upon the affiliate, payments in Monero are preferred; however, they accept Bitcoin for a 10-25% premium."

AvosLocker victims sometimes receive phone calls from an AvosLocker representative, and in some cases, AvosLocker actors will threaten and execute distributed denial-of-service attacks during negotiations, the advisory says.

Expanded Capabilities

Since the AvosLocker RaaS was initially launched in July 2021, developers of the program have expanded their capabilities quickly - offering new services that include cryptocurrency mixing and a DDoS service to their affiliates, updates to existing ransomware and the introduction of new tools, says Adam Meyers, head of intelligence at security firm CrowdStrike.

"This, in turn, will likely attract the attention of criminal adversaries and grow the program. Additionally, AvosLocker has a relatively low barrier of entry compared with other RaaS programs, which can draw in new cybercriminals to the program," he says.

Meyers says CrowdStrike Intelligence expects the AvosLocker program to grow in the coming months and recommends that all healthcare organizations secure critical areas of risk, including endpoints and cloud workloads, identity and data. "Organizations should adopt solutions that protect user identity authentication through a Zero Trust security framework and have extended detection and response capabilities to correlate data across multiple IT environments."

AvosLocker is one of a number of ransomware operations that exfiltrate data and use DDoS and threatening phones to attempt to extort payment, says Brett Callow, a threat analyst at security firm Emsisoft.

"Unfortunately, providers that have had data exfiltrated are without any good option. They've had a data breach and, whether they pay or not, that cannot be undone."

Multiple Sectors Targeted

The recent U.S. government joint advisory notes that AvosLocker ransomware is a multi-threaded Windows executable written in C++ that runs as a console application and shows a log of actions performed on victim systems.

"AvosLocker ransomware samples contained optional command line arguments that could be supplied by an attacker to enable/disable certain features," the advisory says.

Multiple victims have reported on-premises Microsoft Exchange Server vulnerabilities as the likely intrusion vector, the warning says.

"Some victims pointed to specific vulnerabilities: including the Proxy Shell vulnerabilities associated to CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473, in addition to CVE-2021-26855. Intrusion vectors are likely dependent on the skillsets of the AvosLocker affiliate who infiltrated the victim's network," the document says.

An April analysis report by security firm Trend Micro said that from Dec. 1, 2021, to Feb. 28, 2022, AvosLocker's data leak site listed 15 entities in an assortment of industries - including apparel, construction, government, transportation, education, energy and healthcare - that had been hit by the group.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.