Ontario hospital group confirms attack was ransomware


The Daixin Team ransomware gang is taking credit for attacks that have hobbled five Southwestern Ontario hospitals that share a service provider.

The gang has also started posting what it says are 5.6 million records with personal and health information including names, Social Insurance numbers and patient treatment information.

Usually a ransomware gang will only start posting data if an organization refuses to pay a ransom or if negotiations have broken down.

As we reported on Oct. 24, the institutions in the group — Bluewater Health of Sarnia, Chatham Kent Health Alliance, Erie Shores HealthCare of Leamington, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital, along with shared service provider TransForm Shared Service Organization — were hit by a cyber attack that forced the curtailment of some healthcare services.

This week, TransForm confirmed this was a ransomware attack. “We have determined through our investigation that, unfortunately, certain patient, employee and professional staff data has been taken and there is the possibility that the actors responsible for this attack may publish some of the stolen data,” it said in a statement.

“We continue to work around the clock to restore systems, and we expect to have updates related to the restoration of our systems in the upcoming week. We are working closely with law enforcement – including local police departments, Ontario Provincial Police, Interpol and FBI – and we have notified all relevant regulatory organizations including the Ontario Information and Privacy Commissioner.”

The Daixin posting was reported on X by Canada-based Emsisoft threat analyst Brett Callow. In its message about the availability of the stolen data, the Daixin gang boasts that the information can be used for “a variety of crimes including opening new financial accounts, taking out loans…phishing and hacking… filing fraudulent tax returns, obtaining drivers licences” and more.

The healthcare sector is seen by crooks as vulnerable to pressure because of the sensitive medical information it holds. In the U.S., hospitals will likely have patients’ payment card data, while crooks may be betting that Canadian hospitals will ask provincial governments, which largely fund healthcare, to bail them out.

According to a 2022 report by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Daixin Team has been actively targeting U.S. businesses, predominantly in the healthcare and public health (HPH) sector, with ransomware and data extortion operations.

Typically, CISA says, Daixin gains initial access to victims through virtual private network (VPN) servers. In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization’s VPN server. In another, the actors used previously compromised credentials to access a legacy VPN server that did not have multifactor authentication (MFA) enabled. The actors are believed to have acquired the VPN credentials through the use of a phishing email with a malicious attachment.
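The two initial-access paths described above (an unpatched VPN server, and stolen credentials used against a legacy VPN that did not enforce MFA) point to a simple check any hospital IT team can run against its own VPN logs: list successful authentications that used a password and never completed a second factor, and correlate them with an inventory of which endpoints are supposed to enforce MFA. The Python below is an added example written for this page; it is not code from the article, CISA or TransForm. The log format, field names, host names, addresses and the inventory are all constructed for illustration, and a real deployment would substitute the parser for the VPN product's actual log schema.

```python
import re
from dataclasses import dataclass

# Constructed sample VPN authentication log lines in a hypothetical
# syslog-style key=value format. Not real data; field names are assumptions.
SAMPLE_LOGS = """\
2023-10-20T02:14:07Z vpn-legacy-01 auth user=jdoe src=203.0.113.45 method=password mfa=none result=success
2023-10-20T02:15:31Z vpn-legacy-01 auth user=mlee src=203.0.113.45 method=password mfa=none result=failure
2023-10-20T08:02:10Z vpn-main-01 auth user=asmith src=198.51.100.7 method=password mfa=totp result=success
2023-10-20T08:05:44Z vpn-main-01 auth user=bjones src=198.51.100.9 method=password mfa=none result=failure
2023-10-20T09:12:00Z vpn-main-01 auth user=cwhite src=192.0.2.77 method=cert mfa=none result=success
2023-10-20T11:40:19Z vpn-main-01 auth user=eblack src=203.0.113.45 method=password mfa=none result=success
"""

# Hypothetical endpoint inventory: whether MFA is supposed to be enforced.
# A legacy concentrator that never had MFA turned on shows up here as False.
ENDPOINT_MFA_ENFORCED = {"vpn-main-01": True, "vpn-legacy-01": False}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<kv>.+)$")


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    host: str
    user: str
    src: str
    method: str
    mfa: str
    result: str


def parse_line(line: str):
    """Parse one log line into an AuthEvent, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    try:
        return AuthEvent(m.group("ts"), m.group("host"), kv["user"], kv["src"],
                         kv["method"], kv["mfa"], kv["result"])
    except KeyError:
        # A line missing a required field is skipped rather than guessed at.
        return None


def parse_logs(text: str):
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def password_only_logins(events):
    """Successful logins that used a password and completed no second factor.
    Certificate-based logins are not flagged: the missing factor is the issue,
    not the use of a non-password method."""
    return [ev for ev in events
            if ev.result == "success" and ev.method == "password" and ev.mfa == "none"]


def hosts_without_mfa(inventory):
    """Endpoints the inventory says do not enforce MFA (the legacy-VPN case)."""
    return {host for host, enforced in inventory.items() if not enforced}


def mfa_policy_gaps(events, inventory):
    """Endpoints that should enforce MFA yet accepted a password-only login.
    A host absent from the inventory is treated as a gap too: an endpoint
    nobody has recorded cannot be assumed to enforce anything."""
    return {ev.host for ev in password_only_logins(events)
            if inventory.get(ev.host, True)}


def summarize(text, inventory):
    """Build the review summary an analyst would look at first."""
    events = parse_logs(text)
    return {
        "events": len(events),
        "password_only_success": [(e.host, e.user, e.src) for e in password_only_logins(events)],
        "hosts_without_mfa": sorted(hosts_without_mfa(inventory)),
        "policy_gaps": sorted(mfa_policy_gaps(events, inventory)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOGS, ENDPOINT_MFA_ENFORCED).items():
        print(f"{key}: {value}")
```

On the constructed sample, the legacy endpoint shows up twice: once because the inventory says it never enforces MFA, and once because a password-only login to it succeeded. The more interesting result is the main endpoint, which the inventory claims enforces MFA but which still accepted a password-only login; that mismatch between policy and observed behaviour is exactly the kind of gap the stolen-credential path exploits.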

Healthcare institutions are finding it harder to fight ransomware, if a report released this week by Sophos is accurate. Twenty-four per cent of healthcare organizations said they were able to disrupt a ransomware attack before the attackers encrypted their data. That was down from 34 per cent in 2022, and is the lowest rate of disruption reported by the sector over the past three years.

Also, healthcare respondents this year took longer to recover than in 2022. Only 47 per cent said they recovered from an attack within a week, compared to 54 per cent last year.

Compromised credentials were the number one root cause of ransomware attacks against healthcare organizations, followed by exploits.

The Sophos State of Ransomware 2023 survey polled 3,000 IT/cybersecurity leaders in organizations with between 100 and 5,000 employees, including 233 from the healthcare sector, across 14 countries in the Americas, EMEA, and Asia Pacific.

The post Ontario hospital group confirms attack was ransomware first appeared on IT World Canada.
Howard Solomon, https://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


