For ethical reasons we did not want to spread the news of the attack on the hospital's IT infrastructure before it became public knowledge. In fact, SuspectFile had already become aware of the ransom note written by the Ragnar_Locker group on December 20.
Ransomware attacks against hospitals around the world continue; this time an Italian hospital, the “Azienda Ospedaliera di Alessandria” (AOAL), has suffered the loss of data.
The Ragnar_Locker ransomware group, after entering the hospital’s computer systems, exfiltrated administrative documents and the medical records of hospitalized patients.
In the ransom note the cybercriminals write:
HELLO Hospital!
If you are reading this message, it means your network was PENETRATED and your most sensitive files were COMPROMISED
Ragnar_Locker warns that the exfiltrated data will be made public if negotiations are not opened, or if the hospital decides to contact third-party negotiators such as the FBI, the police or data recovery companies.
The note contains two disturbing passages: the first concerns the theft of about 1 TB of sensitive data, and the second, above all, Ragnar_Locker's claimed ability to block all AOAL facilities by making the data on the servers unusable. A possibility which, the note says, they chose not to pursue only so as not to endanger the health of patients.
[ YOU HAVE TO CONTACT US via LIVE CHAT IMMEDIATELY TO RESOLVE THIS CASE AND MAKE A DEAL ]
…
**** WARNING ****
DO NOT Hire any third-party negotiators (recovery/FBI/police and etc), otherwise we will close chat immediately and Publish your Data.
With this message we want to let you know that we have obtained access everywhere in your network
…
However, we didn’t do that only because we wanted to avoid interruption of the hospital's normal business processes and not put the health of the patients at risk.
But unfortunately, you have allowed a data leak; about 1TB of personal data was compromised. So, your clients didn’t get the required protection.
On November 29, a press release published on the hospital website stated that, due to (translated into English)
“… some disruptions in the IT infrastructure, admissions for laboratory analysis tests throughout the province are temporarily suspended. The Hospital is working to fix the problem. It should be noted that emergencies and laboratory tests are guaranteed for the wards”.
We cannot say with certainty whether the two things are related, but we are certain that the ransomware group was already inside the IT infrastructure of the Alessandria hospital on November 28 and remained there until at least December 17.
On December 20 Ragnar_Locker writes the first message in the chat and asks the hospital to respond, informing it that the SQL database has been compromised, as has the personal and financial information of hundreds of thousands of patients, which could very soon be published in the media.
In another chat message, the cybercriminals claim that, in the event of non-negotiation, they may still be able to encrypt the entire AOAL computer network, which would block normal hospital operations. In the December 22 message Ragnar_Locker states that they still have ways to access various hosts and servers.
A few minutes later, a new message is published, this time written in Italian and addressed to the IT manager of the Alessandria hospital. The message repeats the threats that the ransomware group makes to AOAL should it fail to negotiate.
… Please pay attention to this message, because it could cost you your reputation and your future.
Your network has not been encrypted, but only because we do not want to disrupt the normal operations of the hospital. However, we could have done so (and still can), since we have obtained full access to your entire network; almost every host and server is an open target for us. Your security measures are at the lowest level.
Your systems are working only because we care about the health of your patients. However, it seems that you do not care about your patients as much as we do.
We have downloaded about 1 TB of data from your network: private medical information about your patients, surgeries, diagnoses, studies and more.… We want this message to be delivered to your IT specialist, whose name we know to be [redacted].
Mr. [redacted], please take this seriously and explain the gravity of the situation to your management. If you do not, all the data (about 1 TB) will be published; your partners, your patients and also journalists and the media will be informed of this data leak and, above all, your name will be that of the employee who assessed the situation as not dangerous. So you will be personally responsible for a data leak of this magnitude. Based on our experience we can certainly say that your case will make noise and become famous throughout Italy and even beyond its borders. We are certain that, for the leak of such sensitive data, the regulators will punish you with fines and penalties.
Five hours later Ragnar_Locker uploads a data file in its possession (Proof_Pack.zip); inside the compressed file are two other files, AOAL_SQL_File-Tree.txt and Partial_File-tree.txt. It would be useful to understand which “security policies” the IT department had adopted regarding the possibility for a user to log in, for example, even with Administrator privileges.
At the time of writing this article (12.28.22), Ragnar_Locker has not yet posted the news or any files attesting to the data theft on its blog, but SuspectFile can state that around 26 MB of data (53 files), including various anamneses of patients treated in the different departments of the Piedmontese hospital, health services, complete personal data of patients and financial documents, are indeed in the possession of the group of cybercriminals.
Inside the ransom note (!_^_README_NOTES_RAGNAR_^_!.txt), in addition to the URL for connecting to the negotiation chat, Ragnar_Locker in fact inserts a second URL with an access password from which the 53 files can be downloaded. On the page the ransomware group named “Temporary Private Leak Post#00012983-o2” there are also 10 screenshots of sensitive hospital documents.
On December 26, on a hidden page of its blog (the first URL in the ransom note), Ragnar_Locker published a message warning AOAL that the time for negotiation was over and that it would soon publish the news together with the exfiltrated data.
Update
Yesterday afternoon, December 28, the Ragnar_Locker ransomware group published the news of the computer attack against the Alessandria hospital on its blog.
In the post, in addition to two new documents, the same screenshots previously included in Temporary Private Leak Post#00012983-o2, the page mentioned above, are made public. In the note published on its blog, the ransomware group also inserts a link to 32 GB of stolen data, which according to Ragnar_Locker is 5% of the total data exfiltrated during the cyber attack.
SuspectFile is at the complete disposal of anyone who wants to issue statements/denials on this case.