
Ransomware Extortion Threat Actors Post Data from 4 Healthcare Entities

Recent dark web postings of data allegedly stolen from healthcare entities show that ransomware extortion threat actors will continue to target healthcare in 2021.

In the last few weeks, the ransomware actors behind Conti, Babuk, and Avaddon leaked data they claim to have stolen from at least four healthcare entities, a warning to the sector that extortion attempts will continue to plague it in 2021.

Avaddon ransomware actors recently published about 2.09GB of data allegedly stolen from New Jersey-based Bridgeway Senior Healthcare, including financial information on the organization and its employees and tax information.

The post warns the entity that the attackers intend to publish further proofs within the next week if the provider refuses to pay their demand. According to the post shared with HealthITSecurity.com, some files remain encrypted on Bridgeway Senior’s network.

The group also posted data allegedly exfiltrated from AlohaABA, a practice management vendor based out of Los Angeles.

Meanwhile, the notorious Conti threat actors leaked data they claimed to have stolen from Livanova, a UK medical technology company. The proofs shared with HealthITSecurity.com include files named unbilled claims data, driver’s licenses, credentialing application, and notification letters.

Lastly, a relatively new ransomware group known as Babuk posted data they claim to have stolen from Cardiva Medical, a medical device company based in California.

The published proofs include its personnel directory, 83GB of accounting data, 44GB of engineering data, 30GB of doc control information, 14GB of HR data, and 20GB of financial data.

Babuk Insights

Babuk first emerged this year, using recruitment advertisements on the dark web to find skilled “individuals with pentest skills,” according to McAfee. The group appears to operate as a ransomware-as-a-service operation, though researchers are still unclear about its initial access vectors.

The group is also known as Babuk Locker and was initially called Vasa Locker, Cyberint found. Babuk’s leak site claims that the hackers will not target hospitals or nonprofit charities, and that they will attempt to avoid entities with annual revenue below $4M.

As of February 23, Babuk had already claimed at least five big enterprises, with at least one paying the criminals $85,000 after negotiations.

“As with other variants, this ransomware is deployed in the network of enterprises that the criminals carefully target and compromise,” McAfee researchers wrote. “McAfee was able to plot the telemetry of targets, revealing that the group is currently targeting the transportation, healthcare, plastic, electronics, and agricultural sectors across multiple geographies.”

“Defenders should be on the lookout for traces and behaviors that correlate to open source penetration testing tools like winPEAS, Bloodhound and SharpHound, or hacking frameworks such as CobaltStrike, Metasploit, Empire or Covenant,” they added. 

McAfee also recommended administrators monitor for abnormal behavior within non-malicious, dual-purpose tools, including those for enumeration and execution.
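The hunting advice above (look for traces of SharpHound, BloodHound, winPEAS and C2 frameworks, and for dual-purpose tools behaving abnormally) can be turned into a first-pass detector over process-creation telemetry. The following is an added example written for this page, not McAfee’s or any vendor’s code: the event records are constructed to resemble Sysmon Event ID 1 fields, and the rule list is a small illustrative set of well-known tool names and command-line switches, not a complete signature set. The two heuristic rules (hidden PowerShell with an execution-policy bypass, and rundll32.exe started with no arguments) are assumptions about common stager and Beacon `spawnto` behaviour and will need tuning in a real environment.

```python
"""Flag process-creation events that match open-source pentest tooling.

Added example; not code from the article or from McAfee. Event records are
constructed to mimic Sysmon Event ID 1 (process creation) fields, and the
RULES table is an illustrative subset of indicators, not a full ruleset.
"""
import re
from collections import Counter

# Constructed sample events (not real telemetry). Two benign, four suspicious.
SAMPLE_EVENTS = [
    {"host": "WS-014", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "WS-014", "image": r"C:\Users\jdoe\Downloads\SharpHound.exe",
     "cmdline": "SharpHound.exe -c All --zipfilename out.zip",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "SRV-DC1",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -ep bypass -c "Invoke-BloodHound -CollectionMethod All"',
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS-022", "image": r"C:\Temp\winPEASany.exe",
     "cmdline": "winPEASany.exe quiet",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS-022", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS-031",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n "C:\\Users\\asmith\\invoice.docx"',
     "parent": r"C:\Windows\explorer.exe"},
]

# (rule name, severity, field to inspect, compiled pattern)
# "any" means image path and command line concatenated; "cmdline" means the
# command line alone (needed for the no-argument rundll32 check).
RULES = [
    ("BloodHound/SharpHound AD collection", "high", "any",
     re.compile(r"sharphound|invoke-bloodhound|collectionmethods?\s+all", re.I)),
    ("winPEAS local enumeration", "high", "any",
     re.compile(r"winpeas", re.I)),
    # Heuristic (assumption): hidden window plus execution-policy bypass is a
    # common launch pattern for PowerShell-based stagers (Empire, Cobalt Strike).
    ("hidden PowerShell with execution-policy bypass", "medium", "any",
     re.compile(r"powershell(?=.*-w(?:indowstyle)?\s+hidden)"
                r"(?=.*-e(?:p|xec(?:utionpolicy)?)?\s+bypass)", re.I)),
    # Heuristic (assumption): rundll32.exe with no arguments does nothing useful
    # on its own and is the default Beacon spawnto target.
    ("rundll32.exe launched with no arguments", "medium", "cmdline",
     re.compile(r'^"?(?:[^"\\]*\\)*rundll32\.exe"?\s*$', re.I)),
]


def scan_events(events):
    """Return one finding per (event, matching rule) pair."""
    findings = []
    for ev in events:
        combined = f"{ev['image']} {ev['cmdline']}"
        for name, severity, field, pattern in RULES:
            haystack = ev["cmdline"] if field == "cmdline" else combined
            if pattern.search(haystack):
                findings.append({"host": ev["host"], "rule": name,
                                 "severity": severity, "image": ev["image"],
                                 "cmdline": ev["cmdline"], "parent": ev["parent"]})
    return findings


def hosts_by_hit_count(findings):
    """Hosts ranked by number of matching rules, to prioritise triage."""
    return Counter(f["host"] for f in findings)


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f['severity']}] {f['host']}: {f['rule']} <- {f['cmdline']}")
    print("hosts:", dict(hosts_by_hit_count(hits)))
```

Running it flags SharpHound on WS-014, both the BloodHound collector and the hidden-PowerShell launch on SRV-DC1, and winPEAS plus an argument-less rundll32.exe on WS-022, while the svchost and Word events pass. The parent process is carried into each finding because it is the field that separates a legitimate administrator running a tool from an Office document spawning one.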

Extortion Trends

The Maze ransomware group first popularized data-theft extortion in 2019, and other groups, including NetWalker, followed the trend in early 2020 and throughout the year.

While some groups claimed that healthcare would be off limits during the pandemic, most hackers continued to target any vulnerable system, including those in healthcare. By September, ransomware surged with attacks on Universal Health Services and dozens of other healthcare providers.

As recently reported by Coveware, data extortion attempts now occur in 70 percent of all ransomware attacks, up 20 percentage points between Q3 and Q4 2020. At least 76,741 extortion attempts were reported to the FBI in 2020 alone.

During the last quarter of 2020, researchers observed a rise in secondary infections against healthcare victims. These long-term campaigns are likely behind the surge in data extortion attempts, which are fueling the cybercrime market.

Emsisoft’s data on 2020 ransomware incidents showed the leading variants were STOP (Djvu), Phobos, Dharma, and REvil (Sodinokibi).

Overall, at least 506,185 ransomware incidents were reported to Emsisoft in 2020; researchers estimate that this represents just 25 percent of all incidents worldwide.

“The security challenges of COVID-19 were exacerbated by threat actors’ rapid uptake of data exfiltration,” Emsisoft researchers wrote. “Inspired by data-leak pioneers Maze, dozens of other ransomware groups began incorporating data theft into their attacks and using the stolen data as leverage to coerce victims into paying.” 

“Non-payment usually resulted in the stolen data being sold, auctioned, or, more commonly, published on the attacker’s leak site for all to see,” they added.

Healthcare entities should continue to watch for indicators of compromise, as attackers frequently gain access to victims’ networks long before deploying the ransomware payload. Because phishing and exposed Remote Desktop Protocol (RDP) services are the leading entry points, security policies and controls should focus on those two areas.
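Since RDP is named as a leading entry point, one concrete check is to look for credential guessing against RDP in Windows logon events and, more importantly, for a successful logon from a source that was just guessing. The following is an added example for this page, not code from the article or the vendors it cites. The records are constructed to mimic the fields of Security Event ID 4625 (failed logon) and 4624 (successful logon); LogonType 10 is RemoteInteractive (RDP), and because hosts with Network Level Authentication enabled commonly log failed RDP attempts as LogonType 3, both types are treated as RDP-relevant (an assumption to verify against your own hosts). The threshold and window are arbitrary starting values.

```python
"""Spot RDP credential guessing, and a success following it, in logon events.

Added example; not code from the article or from Coveware, Emsisoft or McAfee.
Events are constructed tuples of (timestamp, event_id, logon_type, user, src_ip)
shaped like Windows Security 4625/4624 records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# RemoteInteractive (10) is RDP; with NLA enabled, failed RDP attempts are
# commonly recorded as Network (3) logons. Assumption: check both.
RDP_LOGON_TYPES = {3, 10}

# Constructed sample data (not real logs): one external source sprays several
# accounts and then logs in, one internal user mistypes once, one low-volume
# source stays under the threshold, and one console logon is unrelated.
SAMPLE_EVENTS = [
    ("2021-02-20T02:14:05", 4625, 3, "administrator", "203.0.113.7"),
    ("2021-02-20T02:14:09", 4625, 3, "admin", "203.0.113.7"),
    ("2021-02-20T02:14:14", 4625, 3, "backup", "203.0.113.7"),
    ("2021-02-20T02:14:20", 4625, 3, "svc_backup", "203.0.113.7"),
    ("2021-02-20T02:14:27", 4625, 3, "svc_backup", "203.0.113.7"),
    ("2021-02-20T02:14:33", 4625, 3, "svc_backup", "203.0.113.7"),
    ("2021-02-20T02:14:41", 4624, 10, "svc_backup", "203.0.113.7"),
    ("2021-02-20T08:03:11", 4625, 10, "jdoe", "10.0.0.5"),
    ("2021-02-20T08:03:30", 4624, 10, "jdoe", "10.0.0.5"),
    ("2021-02-20T11:40:00", 4625, 3, "guest", "198.51.100.20"),
    ("2021-02-20T11:41:00", 4625, 3, "test", "198.51.100.20"),
    ("2021-02-20T12:00:00", 4624, 2, "asmith", "-"),
]


def parse_events(records):
    """Turn the raw tuples into dicts with real datetimes."""
    return [{"ts": datetime.fromisoformat(ts), "event_id": eid, "logon_type": lt,
             "user": user, "src_ip": ip} for ts, eid, lt, user, ip in records]


def find_guessing_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with >= threshold RDP logon failures inside any sliding window.

    Returns {src_ip: {"failures", "distinct_users", "first", "last"}} for the
    densest burst seen per source. Distinct-user count separates a password
    spray (many users) from brute force against one account.
    """
    failures = defaultdict(list)
    for ev in events:
        if (ev["event_id"] == 4625 and ev["logon_type"] in RDP_LOGON_TYPES
                and ev["src_ip"] != "-"):
            failures[ev["src_ip"]].append(ev)

    flagged = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                burst = evs[start:end + 1]
                prev = flagged.get(ip)
                if prev is None or count > prev["failures"]:
                    flagged[ip] = {
                        "failures": count,
                        "distinct_users": len({e["user"] for e in burst}),
                        "first": burst[0]["ts"],
                        "last": burst[-1]["ts"],
                    }
    return flagged


def successes_after_guessing(events, flagged):
    """Successful RDP logons from a flagged source at or after its burst began.

    This is the high-priority signal: guessing that worked.
    """
    hits = []
    for ev in events:
        info = flagged.get(ev["src_ip"])
        if (info and ev["event_id"] == 4624
                and ev["logon_type"] in RDP_LOGON_TYPES
                and ev["ts"] >= info["first"]):
            hits.append((ev["src_ip"], ev["user"], ev["ts"].isoformat()))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    flagged = find_guessing_sources(evs)
    for ip, info in flagged.items():
        print(f"{ip}: {info['failures']} failures, "
              f"{info['distinct_users']} users, {info['first']} .. {info['last']}")
    for ip, user, ts in successes_after_guessing(evs, flagged):
        print(f"SUCCESS AFTER GUESSING: {ip} -> {user} at {ts}")
```

On the sample data only 203.0.113.7 crosses the threshold (six failures across four accounts in under a minute), and the subsequent 4624 for svc_backup from that address is reported as a success after guessing. The internal user’s single typo and the two-attempt source stay below the line, which is the point of the window rather than a raw count. In production the same logic runs over events exported from the Security log, and the success-after-burst output is the one worth paging on.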
