Italian Healthcare Group Targeted in Data-Leaking Shakedown
Ragnar Locker Apparently Still Trying to Extort Victim; Says No Files Encrypted
Azienda Ospedaliera di Alessandria is one of the oldest primary healthcare systems in the northwestern Italian city of Alessandria. According to the criminals who run the Ragnar Locker ransomware operation, it's also one of their latest victims.
The criminal syndicate on Wednesday said that as part of its attack, it stole "clients' personal information, medical cards, financial reports, departments reports" and other types of information. It has already leaked 37GB of stolen data, claiming "this is only about 5% of total data volume" stolen, which would mean it had exfiltrated 740GB of data.
In a post to its Tor-based data leak site, Ragnar Locker says it didn't encrypt any of the healthcare organization's systems.
Officials at Azienda Ospedaliera di Alessandria, or AOAL, didn't respond to a request for comment. While the organization's website remained offline much of the week, by Friday it appeared to once again be fully operational.
Ragnar Locker is known not just for hitting victims with ransomware but also for double extortion: exfiltrating data and threatening to release it unless victims quickly pay a ransom.
The group's previous victims include Greek national natural gas pipeline operator DESFA, Japanese computer game company Capcom and TAP Air Portugal.
Via its data leak site, Ragnar Locker says it didn't encrypt any files at AOAL. The group states: "Nothing has been encrypted in the network of 'AOAL' … however, we should say that we have obtained full access, absolutely everywhere, literally to each virtual machine. Moreover, even 130 domain admins were unable to prevent the leak of about 1TB of data."
The group appears to be continuing to try to extort the organization. "The full data volume will be leaked if the management of the 'AOAL' will keep ignoring this issue and do not get in touch with our team," Ragnar Locker says.
The criminals claim they reached out directly to hospital staff: "We have also asked some employees during phone calls about the incident, but they answered that they didn't hear about any breach. So, they were asked to review the evidence in Live Chat and we have repeatedly tried to make it clear that hundreds of thousands of personal data have been compromised due to their negligence."
The criminals add: "Our advice is to replace the entire IT staff and have them undergo proficiency tests and check them for budget wasting as well."
Take all such posturing and self-serving announcements with a big grain of salt, says Brett Callow, a threat analyst at security firm Emsisoft who closely tracks ransomware groups' activities.
"Ransomware actors often try to paint themselves as pen testers or bug bounty hunters rather than the conscienceless scumbags that they actually are," Callow tells Information Security Media Group. "Why do they do this? It's all about PR and branding. They think that organizations may be less likely to want to hand money to the type of evil criminals who are happy to put lives at risk by carrying out financially motivated attacks on hospitals."
Callow says the same groups will often threaten any victim who attempts to involve law enforcement or government incident response teams. "It's much like kidnappers telling victims' families not to call in the police," Callow says. "The kidnappers don't want the police involved because it decreases the chance of them being paid and increases the chance of them being busted."
Ongoing Attacks Against Healthcare
The Ragnar Locker attack on AOAL is a reminder that whether or not they claim to have encrypted files, ransomware-wielding attackers continue to hit healthcare organizations, disrupting operations and directly putting patients' lives at risk (see: Healthcare: Essential Defenses for Combating Ransomware).
Another healthcare attack that recently came to light involved Louisiana's Lake Charles Memorial Health System, which appeared to fall victim to a crypto-locking malware attack on Oct. 25. LCMHS last week notified the U.S. Department of Health and Human Services' Office for Civil Rights about the breach and began to send letters to 270,000 patients and employees, warning them that attackers had stolen a variety of personal data, including medical records, and leaked at least some of it.
This week, Toronto's Hospital for Sick Children warned that following a Dec. 19 ransomware attack, patients are still experiencing treatment and diagnostic procedure delays and that full systems recovery likely remains weeks away (see: Children's Hospital Expects Weekslong Ransomware Recovery).