
Ransomware: Extortion Actors Leak Data, Vendor Attack Disrupts Services

Ransomware threat actors have been busy in the last month, posting data from at least nine healthcare providers and attacking a third-party vendor -- leading to care disruptions.

Ransomware threat actors are continuing to target the healthcare sector in droves. In the last month alone, four hacking groups have posted data allegedly stolen from nine healthcare providers, while an attack on a vendor disrupted care at two cancer treatment facilities.

On Tuesday, a ransomware attack on vendor Elekta forced two of its provider customers offline. A spokesperson told HealthITSecurity.com that the attack on its cloud-based systems was detected in the early hours of April 6.

The security team took actions to contain the attack and identified two customer systems affected by the incident. Local media outlets say the attack impacted Lifespan in Rhode Island and Southcoast Health in Massachusetts.

Both providers were forced to cancel some radiation treatment appointments due to the system outage. The visits were rescheduled for later in the week, and access for both providers has since been restored.

“This issue was only isolated to a subset of US Cloud Customers due to our Geographical and Service Segmentation in Cloud Services,” an Elekta spokesperson said in an emailed statement. “No other Elekta servers, services or products have been affected.”

“This appears to have been a ransomware attack intended to encrypt the data stored on this system,” they continued. “There is no evidence that any data were extracted or copied, and we do not believe that the hackers have any of the stored data in their possession.”

So far, the investigation has determined that the attackers compromised the company's Citrix server and deployed Cobalt Strike to encrypt the data stored on the system.

Attackers have been actively exploiting Citrix vulnerabilities for more than a year to gain initial access to networks. Cobalt Strike, a commercial adversary-simulation tool that attackers routinely abuse for post-exploitation, was also deployed in the supply chain attack against SolarWinds Orion.

Elekta has since isolated the affected account and server and contained the threat. The team will continue its forensic review to determine the source of the attack.

“Elekta recognizes the inconvenience this suspension causes to its customers and to the patients these customers serve,” the spokesperson said. “Elekta is committed to advancing patient care and outcomes and understands that any delay in scheduled radiation therapy adds to patients’ treatment burden.”

Current Data Exfiltration Attempts

Data exfiltration now occurs in the majority of ransomware incidents, as cybercriminals refine their methods to extract larger payouts. The Maze hacking group first popularized double extortion (encrypting systems and threatening to leak the stolen data), but the group has since disbanded and others have quickly moved to fill the gap.

Healthcare organizations are prime targets because they hold large stores of sensitive data and cannot operate without continual access to it.

Data extortion efforts against healthcare-related entities continue to be a massive challenge, particularly in light of the recent theft of data from multiple organizations after the hack of Accellion's File Transfer Appliance (FTA).

Clop ransomware actors are believed to be behind the attack, which exploited four vulnerabilities in the legacy product to gain access to and steal data from a range of Accellion clients. As noted in earlier reports, the hackers have moved to extorting the victims directly rather than Accellion.

The group is known for its indiscriminate targeting of the healthcare sector, which it has continued despite the pandemic response.

In the last month alone, the attackers leaked data tied to the Accellion incident from multiple healthcare-related entities, including Danaher, a technology manufacturer whose products include medical devices; Steris, a medical equipment vendor; CSA Group; and Wright Medical Group.

Meanwhile, the Avaddon hacking group recently posted proof of data theft from Mevion Medical Systems in Massachusetts. The actors posted email contacts and threatened to leak additional data in nine days if the company does not pay the extortion demand.

The group also leaked data from Georgia-based Prestige Medical Group. They claim to have stolen medical information of clients, financial data, doctors’ notes, and employee information, in addition to other sensitive information.

Nearly a month ago, Avaddon posted data allegedly stolen from AlohaABA, a practice management service provider for the healthcare sector.

In addition, the attackers behind the Astro variant recently posted that they have stolen data from Eduro Healthcare. The stolen data has not yet been leaked. Rather, the hackers posted a message as a warning ahead of releasing proof of the theft, a common step in extortion attempts.

Lastly, the DarkSide hacking group posted data they claim to have stolen from Tennessee's Prime Health Services more than two weeks ago.

The screenshots shared with HealthITSecurity.com show the data trove includes client data, business agreement details, mail correspondence, cooperation terms, operations data, and new client forms, among other sensitive files.

Healthcare entities should review previous ransomware guidance to close any security gaps. Data inventories and patch management processes should also be assessed, as threat actors continue to exploit unpatched, internet-facing systems such as Citrix gateways and file-transfer appliances to gain initial access to networks.
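The Elekta incident above involved a Cobalt Strike payload on a compromised Citrix server, and the guidance above asks defenders to close gaps before that stage. One practical check is to hunt web proxy logs for Cobalt Strike's stock HTTP beacon behaviour. The script below is an added example written for this article, not Elekta's or HealthITSecurity.com's own code: it matches the request URIs from Cobalt Strike's unmodified default Malleable C2 profile and flags client-to-host pairs that check in at a near-constant interval. The log format, host names, IP addresses and timestamps are constructed for the example. The caveat a practitioner needs: operators who customize their C2 profile will not match the URI list, so treat the URI match as a starting point and the interval analysis as the more general signal.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# URIs from Cobalt Strike's stock (unmodified) HTTP Malleable C2 profile.
# An operator using a custom profile will not match these: treat the list
# as a starting point for hunting, not as a complete detector.
DEFAULT_GET_URIS = {
    "/ca", "/dpixel", "/__utm.gif", "/pixel.gif", "/g.pixel", "/dot.gif",
    "/updates.rss", "/fwlink", "/cm", "/cx", "/pixel", "/match", "/visit.js",
    "/load", "/push", "/ptj", "/j.ad", "/ga.js", "/en_US/all.js",
    "/activity", "/IE9CompatViewList.xml",
}
DEFAULT_POST_URI = "/submit.php"

# Hypothetical proxy log layout, constructed for this example:
# <ISO timestamp> <client ip> <method> <host> <path[?query]> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<host>\S+) "
    r"(?P<path>/[^ ?]*)(?:\?\S*)? (?P<status>\d{3})$"
)

# Constructed sample: one workstation checking in to the same host every
# 60 seconds on stock URIs, mixed with ordinary browsing to another host.
SAMPLE_LOG = """\
2021-04-06T02:00:00 10.20.30.41 GET cdn-updates.example /__utm.gif 200
2021-04-06T02:00:05 10.20.30.41 GET www.example.org /index.html 200
2021-04-06T02:01:00 10.20.30.41 GET cdn-updates.example /__utm.gif 200
2021-04-06T02:01:20 10.20.30.41 GET www.example.org /news/ 200
2021-04-06T02:02:00 10.20.30.41 POST cdn-updates.example /submit.php?id=1234 200
2021-04-06T02:03:00 10.20.30.41 GET cdn-updates.example /__utm.gif 200
2021-04-06T02:03:45 10.20.30.41 GET www.example.org /about 200
2021-04-06T02:04:00 10.20.30.41 GET cdn-updates.example /__utm.gif 200
2021-04-06T02:04:10 10.20.30.77 GET www.example.org /index.html 200
"""


def parse_log(text):
    """Parse proxy lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def default_uri_hits(events):
    """Return (src, host, method, path) for requests that use stock-profile URIs."""
    hits = []
    for ev in events:
        stock_get = ev["method"] == "GET" and ev["path"] in DEFAULT_GET_URIS
        stock_post = ev["method"] == "POST" and ev["path"] == DEFAULT_POST_URI
        if stock_get or stock_post:
            hits.append((ev["src"], ev["host"], ev["method"], ev["path"]))
    return hits


def beaconing_pairs(events, min_requests=4, max_jitter=0.2):
    """Flag (src, host) pairs whose inter-request gaps are nearly constant.

    Jitter is population stdev / mean of the gaps. A beacon configured with
    0% jitter scores 0; human browsing scores well above max_jitter.
    Returns {(src, host): mean_gap_seconds} for flagged pairs.
    """
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["host"])].append(ev["ts"])
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[pair] = round(avg, 1)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in default_uri_hits(evs):
        print("stock-profile URI:", hit)
    for (src, host), period in beaconing_pairs(evs).items():
        print(f"regular check-in: {src} -> {host} every ~{period}s")
```

On the constructed sample, the URI check fires on the four GET /__utm.gif requests and the POST /submit.php, and the interval check flags 10.20.30.41 talking to cdn-updates.example every 60 seconds while the browsing to www.example.org is ignored. Against real logs, raise min_requests and tune max_jitter to the beacon sleep and jitter values you expect; the interval test is what remains useful once an attacker abandons the default URIs.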
