The LockBit ransomware gang claims responsibility for an attack on a Chicago children’s hospital, in an apparent deviation from its previous policy of not targeting nonprofit organizations.
Having fallen to a new low, the criminals are apparently unwilling to call off the attack on Saint Anthony’s Hospital, as they have done in previous cases, such as that of Toronto’s SickKids Hospital.
Furthermore, the gang apparently believes that a non-profit hospital has the funds to pay an $800,000 ransom. Saint Anthony Hospital has not explicitly stated whether or not it will pay, but with such a large sum, it is very unlikely that it would ever consider paying, let alone have the funds to do so.
The payment deadline has been set for February 2 at 01:41 UTC. A payment of $1,000 would extend the deadline by 24 hours, and $800,000 is the price assigned to the data – this applies both to its destruction and to its purchase by other parties.
Saint Anthony Hospital confirmed the attack via a statement released this week, saying files containing patient information had been copied by an unknown attacker. The hospital did not specify the nature of the data stolen but confirmed that no medical or financial records had been accessed.
The LockBit intrusion began on December 18, but the hospital’s internal investigation did not conclude until January 7 that patient data had been compromised. Meanwhile, the hospital said it has taken immediate steps to secure its network and ensure continuity of patient care.
“Saint Anthony considers cybersecurity and the confidentiality of information about the patients in its care to be top priorities,” it said (PDF). “Our rapid response to this event allowed us to continue providing patient care without interruption.
“As part of Saint Anthony’s ongoing commitment to data privacy, we are working to review existing policies and procedures and implement additional ones as necessary. Saint Anthony promptly reported this incident to the FBI and is cooperating with its investigation. We have also reported this incident to the appropriate regulators, including the U.S. Department of Health and Human Services.”
As the review of the incident progresses, the hospital said it will notify those it believes are affected by the data theft. Until then, all patients are advised to remain vigilant against attempts at identity or financial fraud and sign up for a free year of credit monitoring.
LockBit had in some cases shown a degree of restraint in targeting hospitals and other non-profit organizations, but nevertheless appears to be loosening the chains on its affiliates, allowing them to target any organization they are able to breach.
In response to an affiliate who attacked Toronto’s SickKids hospital last year, LockBit officially apologized, released a free decryptor, and reportedly kicked the affiliate out of its program for violating the rules.
In a blog post this week about the leaks, LockBit said: “US hospitals continue to put their greedy interests ahead of those of their patients and customers.”
We were unable to contact the gang’s spokesperson to ask about the attack and the change in approach, but malware collectors at vx-underground were under the impression that LockBit was either unaware that Saint Anthony was a non-profit organization, or simply didn’t care.
When asked about the reasons for the attack, the gang reportedly responded by sending the hospital’s financial information, suggesting that they thought it was a for-profit entity or that they were confusing “non-profit” with an organization that does not generate any income.
Saint Anthony’s website clearly states that it is “an independent, not-for-profit, faith-based, acute care community hospital.” The decision to continue the attack therefore appears to be nothing more than a senseless cash grab.
“If you try to educate and present information to LockBit administrative staff about nonprofit laws in the United States, they will state that the organization is corrupt and imply (directly or indirectly) that ‘this is a money laundering operation and the facility is dirty and deserves to be redeemed,’” said vx-underground.
“In short: the rules are just a facade.”
Similar ignorance was demonstrated by LockBit executives in attacks on the education sector, responding casually by saying: “If they have money to buy computers, they have money to pay me.”
Jake Moore, global cybersecurity advisor at ESET, said cybercriminals will always pursue attacks that align with their business objectives.
“While ransomware gangs have chosen to avoid organizations like hospitals and nonprofits in the past, business is business and criminal objectives are no different.
“The evolution of cybersecurity over the last decade has proven that criminal gangs have also had to change direction in terms of how they attack and profit financially. Ransomware became a different beast, where data became even more central to how it was used, becoming a weapon of extortion rather than relying solely on an encryption attack followed by ransom demands.
“No one is safe from these attacks, whether they are targeted or part of broader campaigns. Companies should never believe themselves to be infallible due to the nature of their business, nor reduce the best possible protection that they have to offer.” ®