University Hospital New Jersey in Newark, New Jersey – Paid a ransom of $670,000 demanded by the attacker to prevent from publishing the stolen data of about 240GB, including patient info.
The UHNJ is a New Jersey state-owned teaching hospital with over 3,500 employees that was established in 1994.
The hospital has a $626 million budget with over 172,000 annual outpatient visits.
The hospital was attacked in early September by ransomware operation known as SunCrypt, who infiltrates a network, steals unencrypted files, and then encrypts all of the data.
Notably, The Haywood County School district in North Carolina has suffered a data breach after having unencrypted files stolen during a SunCrypt Ransomware attack. The ransomware attack took place on August 24th, 2020, but at the time the family of malware that infected the school district was not revealed.
Now the attack on the UHNJ, the SunCrypt Ransomware initially leaked a 1.7 GB archive containing over 48,000 documents, and they claimed to have stolen 240 GB of data.
After the hospital’s private data was published on SunCrypt’s data leak site, the hospital contacted the threat actors via their Tor payment site, where they were told that the ransom was $672,744, or 61.90 bitcoins.
The attackers told them that this ransom, though, “is negotiable due to COVID-19 situation.”
According to the security report received by UHNJ, their two servers were encrypted after an employee fell for a phishing scan which was lead to infecting with the TrickBot trojan at the end of August before the ransomware attack took place
“This data leak includes patient information release authorization forms, copies of driving licenses, Social Security Numbers (SSNs), date of birth (DOB), and records about the Board of Directors,” reported Bleeping Computer.
Data breach journalist ‘Dissent Doe’ of Databreaches.net recently reported that they contacted SunCrypt after noticing UHNJ’s data was removed from the ransomware data leak site.
In the conversation with SunCrypt operators, “We don’t play with people’s lives. And no further attacks will be carried against medical organizations even in this soft way,” SunCrypt told databreaches.net.
BleepingComputer made an interesting observation, while Maze denies any link with the SunCrypt gang, the SunCrypt ransomware operators told BleepingComputer that they are part of the Maze gang.
Experts also noticed that systems infected with SunCrypt connect to an IP address previously associated with Maze ransomware operations.
- Ensure anti-virus software and associated files are up to date.
- Search for existing signs of the indicated IoCs in your environment.
- Consider blocking and or setting up detection for all URL and IP based IoCs.
- Keep applications and operating systems running at the current released patch level.
- Awareness to the employees of Phishing E-Mails.
Indicators of Compromise
MD5 – d87fcd8d2bf450b0056a151e9a116f72
SHA – 148cb6bdbe092e5a90c778114b2dda43ce3221c9f
SHA – 2563090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80
URL – http[:]//126.96.36.199/
IP – 91.218.114[.]31