
The hackers who shut down systems at five southwestern Ontario hospitals offered to cease the attack — and keep stolen staff and patient information off the dark web — for a ransom payment of about $8 million.
A source with knowledge of the situation confirmed to the Star that the ransom demand, in U.S. dollars, was in the “high seven digits.”
Even after the hackers started posting millions of patient files online, the hospitals and their shared service provider refused to pay the ransom.
Cybersecurity experts say that was the right decision. Brett Callow, an advisory board member with the Royal United Services Institute’s Ransomware Harms project, said outlawing the payment of ransoms would put a quick end to the attacks in many cases.
Florida and North Carolina have already banned public sector bodies from paying ransom demands connected to ransomware attacks.
“These attacks are financially motivated,” said Callow, whose work with the institute includes examining the impact of ransomware on victims. “If they cannot monetize them, there will be no attacks. It doesn’t have to be an all-or-nothing scenario either. Restricting the circumstances in which organizations are permitted to pay could have an impact, too. That could make Canadian organizations less attractive targets.
“Lots of organizations pay when they don’t absolutely need to.”
The ransomware attack targeted Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, and Windsor Regional Hospital. The hackers also hit TransForm Shared Service Organization, which runs supply and technology systems for all five hospitals.
It’s unknown exactly how long the hackers were in the organizations’ systems, but the attack was detected on the morning of Oct. 23.
The criminals infiltrated the hospitals’ technology systems, then blocked their access to Wi-Fi, email, and patient information systems. Some information from all five hospitals was stolen, but Bluewater Health was the hardest hit.
The Sarnia hospital has confirmed the hackers stole a database report containing information about every patient of Bluewater Health or its predecessor institutions since February 24, 1992.
The breach at Bluewater Health alone amounts to about 5.6 million records pertaining to roughly 267,000 people. The hospital said the stolen data included social insurance numbers for about 20,000 patients.
The hackers have already posted at least four rounds of Bluewater Health data on the dark web, with a promise that more is coming.
An infamous organized cybercrime gang called Daixin Team, which emerged around the middle of 2022, claimed responsibility for the sustained attack.
Daixin has previously taken credit for many other similar blackmail attacks against organizations including a German water metering company, low-cost airline AirAsia, Missouri’s Fitzgibbon Hospital, and OakBend Medical Center in Texas.
Canada has yet to outlaw ransom payments. But it is among the 50 members of the International Counter Ransomware Initiative (CRI) that have pledged to never pay ransom to cybercriminals.
Callow said the highest known cyberattack ransom demand on record, against a company called MediaMarkt, was $240 million. The company did not pay the ransom.
The highest ransom demand known to have been paid was $40 million. The victim in that case was a company called CNA Financial.
Given that, Callow said a ransom demand in the $8 million range would not be unheard of.
“It varies massively according to the group and the victim, but that certainly wouldn’t be a surprising amount,” said Callow, also a threat analyst with the cybersecurity firm Emsisoft.
He said the blackmail target and the ransom demand often depend on various factors such as the size of an organization and what it can likely afford, its financial statements, insurance policies, and what criminals can glean from publicly available documents.
“Some organizations are specifically targeted,” said Callow. “But in most cases, the attack starts off random. They send out emails with malicious links, and whoever clicks is the unlucky next victim.”
“Or they were scanning the web and came across a vulnerable Internet-facing server that the organization was running. Or they may have come across access to a hospital that was being sold and decided this was a potentially good candidate. There are numerous ways it could have happened.”
While ransomware attacks are on the rise, Callow said it’s hard to give a definitive number of incidents or to confirm whether Canadian organizations are targeted more frequently than others.
“It’s extremely hard to tell how many incidents there are because companies aren’t inclined to come forward,” said Callow. “This is a problem because if policy makers can’t see how many attacks there are, or whether they’re trending up or down, how do they know whether their policies are working?”
twilhelm@postmedia.com