Cybercriminal group stakes claim for ransomware attack on hospitals

Twelve days into a ransomware attack that has upended health-care services at five hospitals in southwestern Ontario, a cybercriminal group claimed responsibility in an online blog, describing how the attack happened and what it says are the millions of private patient records it has stolen.

In a report to Windsor Regional Hospital on Thursday, chief executive officer David Musyj said the hospital is slowly getting back on track, working hard to restore services. He noted although the impacted hospitals “closely examined” the ransom demand from the cybercriminals, they decided against paying it.

“We knew … that we could not trust the promise of a criminal to delete this information,” he said.

“We learned that payment would not speed up the safe restoration of our network.”

It’s the first time Musyj has spoken about the attack, and his message served as a counter to the claims of the cybercriminals, who bragged about the extent of the damage in an online blog.

After the hospitals refused to pay, the hackers followed through on their threat of releasing a portion of private health information.

Details about that exposed personal information, along with the cybercriminal group that has claimed responsibility for the attack, have been released in an article from DataBreaches.net — a website run by a retired licensed health-care professional who lives in New York state.

CBC News spoke with the author of the website and has agreed to keep them anonymous to protect their safety.

The author, who goes by the pseudonym Dissent Doe, said they don’t have expertise in cybersecurity, beyond having reported on the issue in their online blogs since 2006.

CBC News has verified Dissent’s identity. Brett Callow, a threat analyst for anti-virus software company Emsisoft, says while the site and Dissent have a track record of reliability for its reporting on cyberattacks, the specific claims hackers make to it should be taken with some skepticism.

Daixin cybercriminal group claims responsibility
Multiple police organizations, including Interpol and the FBI, continue to investigate the cyberattack, which stalled essential health-care services for thousands of people in Windsor-Essex, Chatham-Kent and Sarnia. The attack on the hospitals’ IT provider TransForm forced internal health systems to be shut down at all five hospitals, causing staff to resort to using paper charting.

Since the attack began, cancer patients have had to receive care at other hospitals in the province, staff payroll has been disrupted and, as recently as Wednesday evening, personal health information has been published on the dark web.

According to Dissent’s reporting on DataBreaches.net, the group that claimed responsibility for the attack is called Daixin.

Dissent said they don’t know where the group is based or how many people are behind the operation.

Callow told CBC News the group first started operating in mid-2022 and he believes it is a fairly small group, as they haven’t been very active and don’t have a lot of victims. But he said it has been identified by the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and the FBI as a group of concern that tends to target the health-care sector.

“They are very much a known threat,” he said.

He notes these groups can exaggerate the truth in order to put extra pressure on hospital systems to pay the ransom they are demanding.

“We cannot assume that Daixin are telling the truth. Their intention will be to show the hospital in a bad light,” Callow said.

CBC News reached out to TransForm about the Daixin-connection and details of the attack, but it said it won’t be commenting further.

Millions of health records stolen, published on dark web
In Dissent’s blog, the group claims the stolen data involves more than 160 gigabytes of 5.6 million records of personally identifiable information and protected health information. The dump also allegedly includes sensitive documents, like scans, from internal servers.

Daixin leaked a portion of the data on the dark web Wednesday evening. It includes scans of patient information like records and claims.

The cybercriminal group also told DataBreaches.net that it has destroyed IT provider TransForm’s backups, though Dissent said it’s unclear whether they have obtained all of the backups.

“Like most ransomware groups now, they both steal a copy of the data … as well as encrypting or locking the computers from which it was stolen,” said Callow.

Daixin allegedly gained access to TransForm’s systems a week before launching the attack on Oct. 23, according to Dissent’s blog.

The cybercriminal group says it took a few hours to gain control of the system. It told Dissent that TransForm had “expensive” software to detect intruders, but claims that similar passwords across administrators made them vulnerable.

In response to Dissent asking whether the group was directly in the hospital’s networks, Daixin is quoted as responding with, “The networks were completely transparent — we could go anywhere.”

Daixin told Dissent that TransForm knew the cost of the ransom on the second day of the attack, but it wouldn’t reveal that amount to Dissent.

According to Callow, ransom demands can range from thousands to multiple millions of dollars.

“In this particular incident, I would be surprised if they were asking for less than $1 million.”

Hospital pleads to be left alone in alleged messages to cyber group
In a screenshot that Daixin sent to Dissent that is now published on their blog, the cybercriminal group can be seen messaging with “Bluewater Health and others.”

In the message, the hospital’s negotiator says they are trying to restore their operations and will recover from this. It says the hospital cannot pay and adds “but please know this: cancer treatment is being cancelled. Surgeries are being postponed. Our patients are hurting.”

The hospital pleads with the “admin” user and asks that they “delete the data and leave us alone.”

In response, Daixin says the hospital will end up paying more money to restore their systems than what it would cost to just pay the ransom.

“Either way — we’re not upset, we’ll pour your data into our leak site after the timer expires,” reads the message from admin.

According to Callow, even if institutions pay the ransom, “the recovery process isn’t streamlined and isn’t necessarily quick and easy.”

When asked whether paying a ransom would make it more likely that TransForm would be hit with another cyberattack in the future, Callow said that’s not accurate.

“The hospitals are absolutely making the right decision not to pay,” he said.

“Ransomware attacks happen for one reason and one reason only, and that is that they are profitable. If other organizations took the same stance as the hospital and refused to pay, there’ll be no more ransomware.”

Dissent told CBC News this situation is not uncommon and the lack of sympathy is typical.

“They’ll say, ‘It’s just business,’ and they’re not really feeling badly for patients whose data are stolen or exposed or patients whose appointments have to be rescheduled because of the disruption to services,” they said.

Windsor Regional says recovery will take weeks
During Musyj’s report to hospital board members, he noted the past 11 days have been a test to patients, community and employees, but said it’s a test his staff are passing and applauded the hard work that staff are doing to keep the hospital afloat.

Despite the digital disruptions, Musyj said not one ambulatory surgical procedure was delayed from the beginning and scheduled surgeries are close to being fully back on track.

He added the focus is on cancer patients and getting radiation treatments safely up and running, noting they are making progress on this.

Musyj said the hospitals are working with leading cyber experts and Ontario Health to get themselves in a place of stability.

No hospital board members asked questions about the attack. CBC.ca