An agency that administers dental benefit plans for Alberta’s disabled children, seniors and low-income residents has paid the 8Base ransomware gang an undisclosed amount of money after the crooks showed they had deleted the data the group stole in a recent attack.
The independent not-for-profit Alberta Dental Services Corp. said Thursday that on July 9, an attacker encrypted some of its IT systems and data, rendering them temporarily inaccessible, after accessing the IT network and copying data of about 1.47 million people sometime after May 7.
“Fortunately,” the corporation says on its website, “we were able to recover the affected systems and data from backups with only minimal data loss.”
Corporation president Lyle Best said in an interview today that the payment was made as part of negotiations between the organization’s cyber insurance provider and forensic investigator. The gang showed proof the data was deleted as part of the deal.
Data of about 1.47 million individuals was seen, some or all of which was copied. Of that, about 7,300 records contained personal banking information from people who provided their banking details to the corporation.
Impacted Albertans will be contacted directly and provided with important tips on how to further safeguard their personal information. Those whose personal financial data was impacted will be offered complimentary credit monitoring.
Asked how an attacker was able to get past IT security controls, Best said “the early indication is somebody opened a phishing email.
“They encrypted the pathways to our data, which was a pain in the ass. But we had good backups, so we just backed up and put it on different servers and made sure they were not on any networks.”
“We have a product called Quikard,” which administers health spending accounts for employers across Canada and is separate from the Alberta government programs. “It appeared to us at the time that it was only the Quikard data that had been breached. It wasn’t for weeks that we discovered they may well have had access to look at the [Alberta] government stuff.”
8Base “did encrypt some files, and they showed us proof they’d done that. And then ultimately they showed proof they deleted it” after getting a ransom payment.
The incident has been reported to the RCMP and Edmonton police, Best said, so he can’t divulge the amount of the ransom payment. The attack has also been reported to the provincial information and privacy commissioner.
An independent company did a cybersecurity audit of the corporation late last year, Best said, finding “one or two vulnerabilities on a portal we use for development. Other than that we were solid.”
When it was suggested the security wasn’t solid, Best said, “against a phishing email you can only protect so much. Obviously, we’re going to be chatting with the people who did the pen testing. It [ransomware] just seems so epidemic in the world right now, especially in Canada.”
Asked in hindsight what could have been done to prevent the attacker from getting on the IT network or to have prevented the attack from spreading, Best replied, “We do train all of our staff to be vigilant about these phishing emails. Our IT department are always testing our staff on these things. I guess one of the things we learned is we probably don’t need to digitize as much stuff as we do. We don’t need to have as much on some of the network drives. For example, we have files going back to 2007. We don’t really need those. There’s work to be done so we have just the data we need.”
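The retention problem Best describes (network drives holding files back to 2007 that nobody needs) is the part of this story a defender can act on directly: data that is not on the share cannot be encrypted or exfiltrated from it. The script below is an added example, not code from the article or from Alberta Dental Services Corp. It walks a directory tree, buckets files by last-modified year, and lists those older than a retention cutoff so they can be reviewed for deletion or offline archival. The directory layout, file names and cutoff year are constructed assumptions for the demonstration.

```python
"""Stale-data inventory for a file share (added example, not the article's code).

Walks a tree, counts files by last-modified year, and flags everything older
than a retention cutoff. The sample tree built by build_sample_tree() is
constructed for this example; point inventory() at a real share in practice.
"""
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone


def inventory(root, cutoff_year):
    """Return (Counter of files per mtime year, list of (path, year) older than cutoff)."""
    by_year = Counter()
    stale = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # unreadable or vanished mid-walk; skip rather than abort the scan
            year = datetime.fromtimestamp(mtime, tz=timezone.utc).year
            by_year[year] += 1
            if year < cutoff_year:
                stale.append((path, year))
    return by_year, stale


def build_sample_tree(root):
    """Create a constructed sample share with synthetic modification times."""
    sample = {  # relative path -> year to stamp as mtime (assumed layout)
        "claims/2007/batch01.csv": 2007,
        "claims/2007/batch02.csv": 2007,
        "claims/2015/batch09.csv": 2015,
        "claims/2023/batch41.csv": 2023,
        "quikard/accounts.db": 2023,
    }
    for rel, year in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        # June 1 keeps the stamp well inside the intended year in any timezone
        stamp = datetime(year, 6, 1, tzinfo=timezone.utc).timestamp()
        os.utime(path, (stamp, stamp))
    return sample


def run_demo(cutoff_year=2016):
    """Build the sample tree in a temp dir, scan it, and return a summary dict."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        by_year, stale = inventory(tmp, cutoff_year)
        return {
            "by_year": dict(sorted(by_year.items())),
            "total": sum(by_year.values()),
            "stale_count": len(stale),
            "stale_years": sorted(year for _, year in stale),
        }


if __name__ == "__main__":
    summary = run_demo(cutoff_year=2016)
    print("files per year:", summary["by_year"])
    print(f"{summary['stale_count']} of {summary['total']} files older than cutoff")
```

Run it against a real share with a cutoff that matches the organization's retention policy; the stale list is the review queue for deletion or for moving to offline storage, which also shrinks what a future intruder can reach from a phished workstation.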
Paying a ransom to have data deleted makes little sense, said Brett Callow, British Columbia-based threat analyst for Emsisoft. “There is absolutely no way to know for sure that it has been or will be deleted, and organizations simply have to trust that the criminals will be true to their word – emphasis on the word ‘criminals.’ Unsurprisingly, this is not always the case. Some organizations have been extorted for a second time after paying a ransom with the data that was supposedly deleted being released online after they refused to pay for a second time. What paying does do, however, is to keep the ransomware ecosystem profitable and ensure the attacks keep on coming.”
The corporation administers Alberta dental benefits through the Dental Assistance for Seniors Program (DASP) and through Alberta’s Low-Income Health Benefits Program, which includes Assured Income for the Severely Handicapped (AISH), Alberta Adult Health Benefit, Alberta Child Health Benefit and Income Supports.
According to VMware, the 8Base gang has been active since March 2022 and apparently finds victims opportunistically rather than targeting them. “The speed and efficiency of 8Base’s current operations do not indicate the start of a new group but rather signify the continuation of a well-established mature organization,” VMware says.
That group may be RansomHouse, the report says, with which it shares a number of similarities in tactics. In one case, an 8Base ransom note was a 99 per cent match with a RansomHouse ransom note, as are the two groups’ Terms of Service and FAQ pages. On the other hand, RansomHouse uses a wide variety of ransomware available on dark markets and doesn’t have its own signature code.
(This story has been updated from the original with the addition of comments from Brett Callow)