Getty Images

Ransomware Hacking Groups Steal, Leak Data From 3 More Providers

REvil, Netwalker, and Conti ransomware hackers have once again posted proofs of data stolen in three separate provider hacks. One hack contains 600 GB of stolen data.

The hackers behind REvil, Netwalker, and Conti ransomware have once again posted personal and protected health information they claim to have stolen from three providers in separate, targeted cyberattacks in an effort to leverage a ransom demand from the victims. 

The latest data leaks demonstrate the prolific nature of the double extortion attack method, where an attacker gains a foothold onto a network, stealthily moving across the network through connected devices, and stealing data along the way. 

Once the hackers find the perfect timing, the ransomware payload is launched. If the provider refuses to pay the ransom demand, the hacking groups then post “proofs” of the data exfiltrated from victims to strongarm victims into paying a ransom to return the stolen data. 

If the victim agrees to negotiate a payment, the data is allegedly returned, and the proofs are then taken down from the dark web posting. When a victim refuses to negotiate, the hackers will continue to leak data and wait for payment from either the victim or another attacker to pay for the data lot. 

The latest dark web postings show data allegedly stolen from Beacon Health Solutions, Wilmington Surgical Associates, and Riverside Community Care. 

Beacon Health Solutions 

REvil hackers posted more than 600GB they claim to have stolen from Beacon Health Solutions, a HIPAA business associate that provides business process outsourcing solutions, as well as integrated health benefits and claims administration solutions. 

According to the screenshots shared with HealthITSecurity.com, the hackers hacked and encrypted all servers and working computers of the vendor. They allegedly exfiltrated a wide range of sensitive information, including personal details, financial documents, Social Security numbers of clients, bank documents, and phone records. 

The proofs contain scanned medical licenses, including one from Aeroflow Healthcare in North Carolina – complete with faculty IDs and license number. Another proof is a scanned accreditation certificate from a California provider. 

Some of the posted files refer to call center tickets, daily assignments, policy documents, terminations, all beacon clients, enrollment documents, and supervisor details. Other files refer to inventory lists, network and server information, computer drier details, and even server project information. 

The dark web posting shows a schedule for planned leaks in 10, 60GB increments. 

REvil hackers were behind the massive hack on California-based 10x Genomics in April, claiming to have stolen 1TB of data in the attack. The threat actors were also behind extortion attempts on insurer National Western Life, and Valley Health System in West Virginia, among others. 

Wilmington Surgical Associates

NetWalker attackers allegedly claim to have stolen about more than 13GB of data from Wilmington Surgical Associates. One proof shared with HealthITSecurity.com is about 4.83GB, containing at least 4,266 files and 478 folders from the North Carolina specialist. 

The files are named “Return DHHS Checks”, “2019 Photos”, “AdminScans”, “Dr Pictures”, “FORMS”, “Ins.Scan”, “Medicare Incentives”, “Vascular Lab”, and a host of other labels that appear highly sensitive in nature. 

Another lot contains 1.79GB of data, with 3,702 files and 201 folders, with what appears to be a range of employment files, while another lot names “Year End” includes 2.18GB of data with 11,249 files and 666 folders. There is also a lot of financial files that includes 5.57GB with 4,092 files in 226 folders. 

NetWalker hackers notoriously target the healthcare sector, with the FBI warning in July that the group was rapidly increasing their targeted attacks. The most notable attack in healthcare was against the University of California San Francisco, which paid NetWalker actors $1.14 million to release data stolen from its School of Medicine servers in June

Riverside Community Care

On October 21, Conti threat actors posted data they claim to have exfiltrated from Riverside Community Care in Massachusetts, a behavioral healthcare and human services provider, including child and family services. 

The proofs shared with HealthITSecurity.com include files with PDFs of driver’s licenses and incident reports, as well as employment information and documents. At the time of publication, the data lot had already been viewed by 19 individuals. 

Most recently, Conti threat actors posted data allegedly taken from West End Medical Center, now operating as Family Health Centers of Georgia, a nonprofit community health center and primary care medical home. The data was taken down shortly after it was published, presumably as the parties negotiated a fee. 

Double Extortion Threat

The Maze hacking group were the first to popularize the double extortion attack method. But other hacking groups quickly took to the extortion method, such as Sodinokibi and Pysa. The attacks focus on ensuring a payout for all successful hacks. 

The last month alone has seen dozens of these attacks, which federal agencies previously warned are becoming increasingly popular with nation-state actors. 

Microsoft recently reported that hackers are rapidly increasing the sophistication of their attack methods to improve the impact of successful hacks, while ransomware continues to be the dominate threat. 

These threat actors are primarily leveraging phishing emails, brute-force attacks on the remote desktop protocol (RDP), and virtual private networks (VPNs). 

Healthcare organizations must heed recent alerts to patch vulnerabilities, as hacking groups are actively scanning for open, vulnerable endpoints to find footholds onto victim networks. Routine monitoring is also crucial to quickly detecting successful hacks, while improve password management should be a top priority to defend against the rise in credential theft via phishing campaigns.

Next Steps

Dig Deeper on Cybersecurity strategies