A security researcher on Monday said the recent ransomware attacks on hospital chains in Florida and Texas are tied to the Conti ransomware gang.
Jamie Hart, cyber threat intelligence analyst at Digital Shadows, confirmed that Leon Medical Centers and Nocona General Hospital were both found on the Conti ransomware data leak site. Leon Medical was posted on December 21, 2020, and Nocona on February 3, 2021.
Hart said the Conti gang reportedly sent malicious phishing emails to Leon Medical in September 2020 and used a Microsoft Server Message Block vulnerability (CVE-2020-0796) to access an admin account. From there, the attackers used the well-known tools BloodHound and Mimikatz to dive deeper into victim networks. The researcher added that the Conti operators updated the post for Leon Medical earlier today and the Nocona General Hospital post on Feb. 3, exposing more data, thus increasing the pressure to pay the group.
The news surfaced late Friday when NBC reported that at least tens of thousands of sensitive medical files were posted to a blog on the dark web that the hackers used to extort the two hospital chains. The files also reportedly include scanned diagnostic results and letters to insurers. One folder reportedly contains background checks on hospital employees and an Excel document has details on patient colonoscopies.
Leon Medical Centers serves eight locations in Miami, while Nocona General Hospital has three locations in Texas.
In a statement released Monday, Leon Medical Centers confirmed it was the victim of a cyberattack and portions of its computer network were infected with malware. Leon Medical said on Nov. 9, 2020, it received confirmation that certain files stored within Leon Medical’s environment that contained personal information had been accessed by cybercriminals. It immediately took the systems offline and with the help of cybersecurity professionals launched an investigation.
Leon Medical said that the following types of information may be impacted: name, contact information, Social Security number, financial information, date of birth, family information, medical record number, Medicaid number, prescription information, medical and/or clinical information including diagnosis and treatment history, and health insurance information.
Hart said these incidents reiterate how important it is to follow best security practices, hopefully reducing the likelihood of a successful ransomware attack.
“Phishing is one of the most common ways for attackers to gain initial access,” Hart said. “Employee training on phishing should be a regular occurrence, focusing on basic security practices. Organizations should focus on patching vulnerabilities through a coordinated patching schedule, focusing on high-impact vulnerabilities.”
Efforts to reach Nocona General Hospital were unsuccessful and the hospital has yet to issue an official statement.