Mount Locker Ransomware Actors Claim Sonoma Valley Hospital Attack

The actors behind Mount Locker ransomware claim responsibility for the attack on Sonoma Valley Hospital, leaking 75GB of alleged data from the provider; email hacking, another Blackbaud victim, and a phishing incident complete this week’s breach roundup.

By Jessica Davis

Mount Locker ransomware threat actors claim to be behind the cyberattack on Sonoma Valley Hospital, leaking data they allegedly stole from the California provider prior to deploying the malware payload more than three weeks ago on October 11.

Initially, the attack was reported as a significant downtime event that impacted all of the hospital’s computer systems. The latest update provided by Sonoma Valley on October 30 confirmed it was a ransomware attack. 

The IT team has partnered with outside experts and law enforcement on its investigation and recovery efforts. 

Operations and patient care have been maintained throughout the incident, due to Sonoma Valley’s business continuity plan. Most diagnostics continued without interruption, and the patient portal remained available, though no new results have been posted since the attack was launched. 

Immediately following the attack, the systems were taken offline to stop the spread. Officials said they successfully prevented the attack from blocking system access and expelled the attackers from the system.  

But before system access was blocked, the attackers may have removed a subset of data from the network. Officials said they did not pay the ransom demand. The data leak by Mount Locker appears to confirm data was stolen prior to the ransomware deployment. 

Mount Locker is the latest hacking group to jump on the double-extortion bandwagon, where attackers gain a foothold on a network, proliferate to all connected devices, and gather sensitive data, sometimes lurking on the network for days and up to months before deploying the final ransomware payload. 

The group was first spotted in the wild in July 2020, according to UK National Health Service Digital. Mount Locker is an enterprise-targeted ransomware tool whose operators attempt to extract a seven-figure ransom from victims by threatening to leak the stolen data.

Reports suggest the ransomware is distributed as a secondary payload, but it remains unclear how Mount Locker is delivered. 

“Once present on a target system, Mount Locker will attempt to extract sensitive files, before encrypting all local non-system files using ChaCha20,” NHS Digital researchers wrote. “An embedded RSA-2048 key is then used to encrypt the keys used by ChaCha20.” 

“Files extracted by Mount Locker are then used by its operators to coerce victims into meeting their ransom demands, with those who do not having their data published on a data leak site,” they added.

Sonoma Valley previously stated that it has not paid the ransom demand and is continuing its recovery efforts following the attack.

Centerstone of Indiana, Tennessee 

Centerstone is notifying a total of 62,603 patients that their data was potentially breached after multiple employee email accounts were hacked in December 2019. Centerstone is a nonprofit health system that provides mental health and substance use disorder treatments across the country. 

The notice does not explain the 11-month gap between the breach and the notice, nor when the hack was first discovered. Under HIPAA, covered entities have just 60 days to report protected health information breaches impacting 500 or more patients.

Centerstone launched an investigation after unusual activity was detected in an employee email account. On August 25, the investigation determined multiple employee email accounts were hacked for four days between December 12 and December 16, 2019.

Further, officials determined the impacted accounts contained personal and protected health information, including names, Social Security numbers, dates of birth, driver's licenses or state identification card numbers, medical diagnosis and treatments, Medicaid or Medicare information, and/or health data. The compromised data varied by patient.

Only the Indiana and Tennessee Centerstone sites were impacted by the incident. According to the Department of Health and Human Services breach reporting tool, 50,965 Centerstone of Tennessee patients and 11,638 Centerstone of Indiana patients were affected.

In response to the hack, Centerstone has invested more than $800,000 to upgrade its IT security infrastructure, which includes new software applications and security appliances. Officials said they’re working with independent advisors on a security audit and gap assessment to determine whether other security upgrades are needed. 

Centerstone is also evaluating its policies and procedures and providing its workforce with additional IT security awareness training. 

Moffitt Cancer Center added to Blackbaud Breach Tally 

About 95,695 individuals connected to the Moffitt Cancer Center have been added to the massive tally of breach victims from the Blackbaud security incident, which has already affected more than 10 million individuals from the healthcare sector. 

Blackbaud is a cloud computing vendor for a range of nonprofits, foundations, corporations, education institutions, healthcare entities, and change agents. Northern Light Health Foundation in Maine became the first victim to report the incident in mid-August, which impacted 657,392 of its donors, potential donors, and patients.

The vendor discovered a ransomware attack on May 14, which continued for six days until its cybersecurity team was able to stop the attack with help from law enforcement and an outside forensics team. Reports show the hack lasted from February until late May.

Blackbaud stopped the attackers from fully encrypting files and later blocked their system access. However, the attackers exfiltrated a subset of data from Blackbaud’s self-hosted environment before they were locked out of the system. The vendor then paid the ransom with “confirmation the copy they removed had been destroyed.” 

The compromised data varied by impacted client but Blackbaud later reported that some Social Security numbers were also breached. At least 23 class-action lawsuits have been filed by victims since the severity of the breach has come to light. 

For Moffitt, Blackbaud reported that the attacker may have acquired the backup database that manages the cancer center’s donor information. Some patient information may also have been stored in the impacted database, including names, contact details, dates of birth, gender, provider names, provider specialty, and that the individual was a patient of Moffitt.

Social Security numbers and financial information from a limited number of individuals were also compromised. The cancer center is working with Blackbaud leadership to review data storage and to ensure the security measures effectively protect patient and donor data. 

Moffitt joins a massive list of healthcare entities affected by the Blackbaud hack, including Children’s Hospital of Pittsburgh Foundation, Saint Luke’s Foundation (360,212), MultiCare Foundation (300,000 total individuals, of which 179,189 are patients), Main Line Health (60,595), Spectrum Health (52,711), Northwestern Memorial HealthCare (55,983), and 1 million patients from Inova Health System, among a long list of other providers.

Ascend Clinical Phishing and Ransomware Attacks

Ascend Clinical recently notified 77,443 individuals that their data was compromised after a phishing incident that led to a ransomware attack in May. 

On or about May 31, Ascend Clinical detected abnormal activity on some data systems, including encrypted data. An investigation was launched, which found the attacker first gained access to the system by deploying a successful phishing scheme that provided them with personal employee information.

Ascend determined the attackers gained access to employee files, including names, dates of birth, mailing addresses, and Social Security numbers. Local and federal law enforcement was notified, while the provider retained a third-party cybersecurity firm to investigate the scope of the incident. 

“Ascend internal teams worked diligently with forensic consultants to restore and secure the impacted systems. This included the installation of forensic tools on all systems and the isolation of impacted systems until Ascend could confirm that they were secure,” officials said in a statement. 

“Ascend also implemented additional countermeasures to block further ransomware emails from entering the environment and further upgraded its security measures to prevent future attacks,” they added.