Cybercriminal group claims responsibility for ransomware attack as hospital CEO says recovery will take weeks - Action News
Home WebMail Tuesday, November 26, 2024, 04:08 AM | Calgary | -17.0°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Windsor

Cybercriminal group claims responsibility for ransomware attack as hospital CEO says recovery will take weeks

Twelve days into a ransomware attack that has upended health-care services at five hospitals in southwestern Ontario, a cybercriminal group claimed responsibility in an online blog, describing how the attack happened and what it says are the millions of private patient records it has stolen.

Group claims millions of patient records stolen

A person holding a phone looks at a website that says Daixin.
This is a screenshot of cybercriminal Daixin's webpage on the dark web. Daixin has claimed responsibility for a ransomware attack that has stalled care at five hospitals in southwestern Ontario. (Chris Ensing/CBC)

Twelve days into a ransomware attack that has upended health-care services at five hospitals in southwestern Ontario, a cybercriminal group claimed responsibility in an online blog, describing how the attack happened and what it says are the millions of private patient records it has stolen.

In a report to Windsor Regional Hospital on Thursday, chief executive officerDavid Musyj said the hospital is slowly getting back on track, working hard to restore services. He noted although the impacted hospitals "closely examined" the ransom demand from the cybercriminals, they decided against paying it.

"We knew ... that we could not trust the promise of a criminal to delete this information," he said.

"We learned that payment would not speed up the safe restoration of our network."

It's the first time Musyj has spoken about the attack, and his message served as a counter to the claims of the cybercriminals, who bragged about the extent of the damage in an online blog.

After the hospitals refused to pay, the hackers followed through on their threat of releasing a portion of private health information.

A low angle of a tall, hospital building.
During a hospital board meeting Thursday, Windsor Regional Hospital CEO David Musyj says recovery will take weeks, but that staff are working hard to make sure the hospital is restoring delayed service to patients. (Mike Evans/CBC)

Details about that exposed personal information, along with the cybercriminal group that has claimed responsibility for the attack, have been released in an article from DataBreaches.net a website run by a retiredlicensed health-care professional who lives in New York state.

CBC News spoke with the author of the website and has agreed to keep them anonymous to protect their safety.

The author, who goes by the pseudonym Dissent Doe, saidthey don't have expertise in cybersecurity, beyond having reported on the issue in their online blogs since 2006.

CBC News has verified Dissent's identity.Brett Callow, a threat analyst for anti-virus software company Emsisoft, says while the site and Dissent have a track record of reliability for its reporting on cyberattacks, the specific claims hackers make to it should be taken with some skepticism.

A man sits in front of a door.
Brett Callow is a threat analyst for anti-virus software company Emsisoft. Callow says his understanding is that Daixin is a fairly small group that started mid-2022. (Jennifer La Grassa/CBC)

Daixin cybercriminal group claims responsibility

Multiple police organizations, including Interpoland the FBI, continue to investigate the cyberattack, whichstalled essential health-care services for thousands of people in Windsor-Essex, Chatham-Kent and Sarnia. The attack on the hospitals' IT provider TransForm forced internal health systems to be shut down at all five hospitals, causing staff to resort to using paper charting.

Since the attack began, cancer patients have had to receive care at other hospitals in the province, staff payroll has been disrupted and, as recently as Wednesday evening, personal health information has been published on the dark web.

According to Dissent's reportingon DataBreaches.net, the group thatclaimed responsibility for the attack is called Daixin.

Dissent saidthey don't know where the group is based or how many people are behind the operation.

Callow told CBC News the group first started operating in mid-2022 andhe believes it is a fairly small group, as they haven't been very active and don't have a lot of victims. But he saidit has been identified by the United States' Cybersecurity and Infrastructure Security Agency (CISA) and the FBI as a group of concern that tends to target the health-care sector.

"They are very much a known threat," he said.

He notesthese groups can exaggerate the truth in order to put extra pressure on hospital systems to pay the ransom they are demanding.

A hospital bed with a white sheet and monitors around it.
Scans and procedures at the five impacted hospitals have been delayed or cancelled due to the ransomware attack that began Oct. 23. (CBC Windsor)

"We cannot assume that Daixin are telling the truth. Their intention will be to show the hospital in a bad light," Callowsaid.

CBC News reached out to TransFormabout the Daixin-connection and details of the attack, but it said it won't be commenting further.

Millions of health records stolen, published on dark web

In Dissent's blog, the group claims the stolen data involves more than 160 gigabytes of 5.6 million records of personally identifiable information and protected health information. The dump also allegedly includes sensitive documents, like scans, from internal servers.

Daixin leaked a portion of the data on the dark web Wednesday evening. Itincludes scans of patient information like records and claims.

The cybercriminal group also told DataBreaches.net that it has destroyed IT provider TransForm's backups, though Dissent saidit's unclear whether they have obtainedall of the backups.

"Like most ransomware groups now, they both steal a copy of the data as well as encrypting or locking the computers from which it was stolen," said Callow.

Daixin allegedly gained access to TransForm's systems a week before launching the attack on Oct. 23, according to Dissent's blog.

The cybercriminal group says it took a few hours to gain control of the system. It told Dissent that TransForm had "expensive" software to detect intruders, but claims that similar passwords across administrators made them vulnerable.

In response to Dissent asking whether the group was directly in the hospital's networks, Daixin is quoted as responding with, "The networks were completely transparent we could go anywhere."

Daixin told Dissent that TransForm knew the cost of the ransom on the second day of the attack, but it wouldn't reveal that amount to Dissent.

According to Callow, ransom demands can range fromthousands to multiple millions of dollars.

"In this particular incident, I would be surprised if they were asking for less than $1 million."

Hospital pleads to be left alone in alleged messages to cyber group

In a screenshot that Daixin sent to Dissent that is now published on their blog, the cybercriminal group can be seen messaging with "Bluewater Health and others."

In the message, the hospital's negotiator says they are trying to restore their operations and will recover from this. It says the hospital cannot pay and adds "but please know this: cancer treatment is being cancelled. Surgeries are being postponed. Our patients are hurting."

The hospital pleads with the "admin" user and asks that they "delete the data and leave us alone."

A photo of a sign for Bluewater Health
In a screenshot of messages that Daixin sent to Dissent, it shows the group's communication with a hospital negotiator. The messages show the hospitals pleading with the cybercriminal group to delete the data they have. (Kerri Breen/CBC)

In response, Daixin saysthe hospital will end up paying more money to restore their systems than what it would cost to just pay the ransom.

"Either way we're not upset, we'll pour your data into our leak site after the timer expires," reads the message from admin.

According to Callow, even if institutions pay the ransom, "the recovery process isn't streamlined and isn't necessarily quick and easy."

When asked whether paying a ransom would make it more likely that TransForm would be hit with another cyberattack in the future, Callow said that's not accurate.

"The hospitals are absolutely making the right decision not to pay," he said.

"Ransomware attacks happen for one reason and one reason only, and that is that they are profitable. If other organizations took the same stance as the hospital and refused to pay, there'll be no more ransomware."

Dissent told CBC Newsthis situation is not uncommon andthe lack of sympathy is typical.

"They'll say, 'It's just business,' and they're not really feeling badly for patients whose data are stolen or exposed or patients whose appointments have to be rescheduled because of the disruption to services," they said.

Windsor Regional says recovery will take weeks

During Musyj's report to hospital board members, he noted the past 11 days have been a test to patients, community and employees, but saidit's a test his staff are passing and applauded the hard work that staff are doing to keep the hospital afloat.

Despite the digital disruptions, Musyj saidnot one ambulatory surgical procedure was delayed from the beginning and scheduled surgeries are close to being fully back on track.

He added the focus is on cancer patients and getting radiation treatments safely up and running, noting they are making progress on this.

Musyj said the hospitals are working with leading cyber experts and Ontario Health to get themselves in a place of stability.

No hospital board members asked questions about the attack.

Clarifications

  • This story has been modified to clarify that Dissent is still a licensed healthcare professional, but they are now retired.
    Nov 03, 2023 11:12 AM ET