Cancer Charity Latest Apparent Victim of 'TheDarkOverLord'

Server and Backup Wiped Out, But Victim Refuses to Pay Ransom
A small, Muncie, Ind.-based charitable organization that provides support services, such as free wheelchairs and wigs, to patients undergoing cancer treatment is the latest apparent victim of a hacker identified as "TheDarkOverlord," an extortionist who has been tormenting the healthcare sector since last summer.

Little Red Door Cancer Services of East Central Indiana discovered it was attacked the night of Jan. 11 when some board members began receiving "cutesy" text messages from an unidentified party instructing them to check their email, Aimee Fant, the organization's executive director, tells Information Security Media Group.

The next day, the organization realized that its server and its physical backups, which held a variety of operational information but no details about its clients, had been completely wiped, she says.

"All information about our clients is in paper files, including diagnoses," she says. Wiped from the server and physical back-ups was information pertaining to the Little Red Door's operations, including grant documents as well as donor names and contact information, and some details about employees, including the Social Security numbers of six staff members, Fant says.

The attacker, who identified himself as TheDarkOverlord, tried to get the organization to pay a ransom for the return of the data.

At first, the hacker demanded a ransom of 50 bitcoins, valued at about $43,000. Then, the ransom was reduced to about $12,000, she says. "We haven't heard from them since yesterday," she said on Jan. 17.

"The FBI told us not to pay, and we're not going to pay," she says. The attacker has "already posted data on the dark web, and that's already been compromised. Why throw good money after bad?"

The DataBreaches.net blog, which broke the story of the incident, reports that a "spokesperson" for TheDarkOverlord claims that Little Red Door's exfiltrated data hasn't been posted on the dark web.

The charitable organization is working with a provider of cloud services to rebuild its lost data, Fant says. Only about a day's worth of data, created after the last backup taken before the attack, has been lost and cannot be recovered from the cloud, she says.

"We're not going to replace the [compromised] terminal server, we're keeping data remote, more secure," she says about the efforts to rebuild the lost data and to continue operations post-attack.

"The FBI wants to catch these criminals; they also attacked a local county government, which had to pay a ransom to get data back," Fant says, referring to a ransomware attack late last year on Madison County, Indiana.

County Attack

The Associated Press on Dec. 7, 2016, reported that Madison County in November paid cybercriminals a $21,000 ransom to unlock data in a ransomware attack affecting 75 county servers and 600 PCs.

Jeff Graham, an attorney representing Madison County, tells ISMG that most of the money spent on the ransom was reimbursed by the county's cyber insurer. Since the attack, the county has also invested in bolstering its data security with automatic, offsite backups "that we didn't have before," he says.

Graham isn't convinced that the attack on Madison County was committed by the same hacker or hackers that targeted the Little Red Door. That's because during the investigation into the Madison County attack, it appeared that "the attackers didn't know what country they were attacking, or whether they were attacking Joe's Pizza or the White House," he says. "But it appears like the attack on [the Little Red Door] was more targeted."

Also, unlike the attack on the Little Red Door, the county's data was encrypted by the hackers, but not deleted or exfiltrated.

Cyber Menace

Beginning in the middle of last year, a hacker calling himself TheDarkOverlord reportedly attempted to sell on the dark web copies of databases stolen from at least three U.S. healthcare organizations and one health insurer containing data on nearly 10 million individuals for prices ranging from about $96,000 to $490,000 in bitcoin for each database (see 4 Stolen Health Databases Reportedly for Sale).

That hacker was operating on the dark web marketplace TheRealDeal, offering to sell "a unique one-off copy" of each of the databases, according to the dark net news reporting website DeepDotWeb and other news sites. Some of the data being offered for sale from those attacks appeared to be old, according to news reports.

"Healthcare organizations large and small should understand that ransomware attackers are indiscriminate on who they target," says Dan Berger, CEO of the security consulting firm Redspin. "They have no way of knowing who will and who won't pay - so every organization with protected health information is a potential target."

Keith Fricke, partner and principal consultant at tw-Security, notes: "Hackers do not necessarily discern between large and small organizations. They are out to make money. They may feel that targeting smaller organizations could still prove profitable, even though smaller healthcare organizations have less budget than larger ones. This is because smaller organizations are likely less equipped with the staff and procedures to recover from the ransomware without paying the criminals."

Steps to Take

All healthcare organizations need to take critical steps to defend themselves against attacks by extortionists.

"Frequent and thorough back-ups are essential," Berger says. "It is also important to maintain and isolate the back-ups where they cannot be infected by the same malware that infiltrated the network. In this case, The Little Red Door was fortunate to have paper back-ups but that is less feasible today in larger organizations. Another good suggestion is to run a ransomware practice drill so that you can test your incident response plan."

Fricke says users need to be regularly educated about ransomware and phishing attacks. "Workers need to understand the importance of reacting quickly to signs of ransomware infection by shutting off an infected PC and calling for help as soon as possible," he says.
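The two failure modes described on this page, a backup set that was wiped alongside the server and a backup set that was encrypted along with everything else, are both caught by the same control: keep a manifest of file hashes on a copy the attacker cannot reach, and verify the backup against that manifest before trusting it for a restore. The following Python is an added example, not code from the article, from the Little Red Door or from either consultant quoted above. It assumes the manifest lives on an isolated or immutable store (simulated here by a JSON string held in memory), and the 7.5 bits-per-byte entropy threshold used to flag encrypted content is an assumed heuristic, not a standard. The sample files and the simulated attack are constructed for the demo.

```python
"""Backup manifest and verification: detect wiped or encrypted backup sets.

Added example (not from the article). A manifest of SHA-256 hashes is kept
on an isolated copy so a backup tree can be checked before a restore.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed heuristic: ciphertext and random data sit near 8.0 bits/byte,
# text and most office documents well below 7.5.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map relative path -> {size, sha256} for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup tree against a trusted manifest.

    Reports files that are missing (wiped), files whose hash changed, and the
    subset of changed files whose content now looks encrypted.
    """
    report = {"missing": [], "modified": [], "likely_encrypted": [], "ok": 0}
    for rel, meta in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) != meta["sha256"]:
            report["modified"].append(rel)
            if shannon_entropy(p.read_bytes()) > ENTROPY_THRESHOLD:
                report["likely_encrypted"].append(rel)
        else:
            report["ok"] += 1
    return report


def demo() -> dict:
    """Constructed scenario: snapshot a tree, then simulate a wipe-and-encrypt attack."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample data standing in for grant documents and donor lists.
        (root / "grants").mkdir()
        (root / "grants" / "2016-application.txt").write_text("Grant application text. " * 200)
        (root / "donors.csv").write_text("name,email\n" + "Jane Doe,jane@example.org\n" * 300)
        (root / "staff.csv").write_text("name,role\nA. Fant,Executive Director\n")

        # The manifest is what the isolated (offline/immutable) copy would hold.
        manifest_json = json.dumps(build_manifest(root))

        # Simulate the attack on the online copy: one file encrypted, one deleted.
        target = root / "donors.csv"
        plaintext = target.read_bytes()
        key = os.urandom(len(plaintext))  # one-time pad stands in for ransomware
        target.write_bytes(bytes(a ^ b for a, b in zip(plaintext, key)))
        (root / "staff.csv").unlink()

        return verify_backup(root, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script and the report lists `staff.csv` as missing, `donors.csv` as modified and likely encrypted, and one file unchanged. A file that was truncated or zeroed rather than encrypted shows up as modified but not as likely encrypted, which is the right distinction when deciding whether a backup set can be trusted for restore. The manifest only helps if it is written somewhere the same credentials that can wipe the server cannot wipe it.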

More to Come?

Extortion attacks on the healthcare sector won't be abating anytime soon, experts warn.

"Healthcare continues to be a target of choice for criminals. Many healthcare organizations do not have the means to fully detect and protect against ransomware," Fricke says. "As long as criminals continue to see ransomware as a viable revenue stream, the attacks will continue."

Also, the widespread use of electronic health records is another draw for hackers, Berger says.

"In the past two years, the black market has been flooded with PHI for sale, and the price per health record has dropped. So instead of trying to sell the information, they try to extract the value from the healthcare organizations themselves by holding data hostage."

But will alleged repeat attackers such as TheDarkOverlord ever be apprehended by law enforcement?

"It is hard to say because it depends on how well this individual hides their tracks," Fricke says. "If TheDarkOverlord operates in a country with whom the U.S. has no extradition treaty, arrest is highly unlikely."


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
