The hackers who shut down systems at five southwestern Ontario hospitals offered to cease the attack — and keep stolen staff and patient information off the dark web — for a ransom payment of about $8 million.
A source with knowledge of the situation confirmed to the Star that the ransom demand, in U.S. dollars, was in the “high seven digits.”
Even after the hackers started posting millions of patient files online, the hospitals and their shared service provider refused to pay the ransom.
Cybersecurity experts say that was the right decision. Brett Callow, an advisory board member with the Royal United Services Institute’s Ransomware Harms project, said outlawing the payment of ransoms would put a quick end to the attacks in many cases.
Florida and North Carolina have already banned public sector bodies from paying ransom demands connected to ransomware attacks.
“These attacks are financially motivated,” said Callow, whose work with the institute includes examining the impact of ransomware on victims. “If they cannot monetize them, there will be no attacks. It doesn’t have to be an all-or-nothing scenario either. Restricting the circumstances in which organizations are permitted to pay could have an impact, too. That could make Canadian organizations less attractive targets.
“Lots of organizations pay when they don’t absolutely need to.”
The ransomware attack targeted Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, and Windsor Regional Hospital. The hackers also hit TransForm Shared Service Organization, which runs supply and technology systems for all five hospitals.
It’s unknown exactly how long the hackers were in the organizations’ systems, but the attack was detected on the morning of Oct. 23.
The criminals infiltrated the hospitals’ technology systems, then blocked their access to Wi-Fi, email, and patient information systems. Some information from all five hospitals was stolen, but Bluewater Health was the hardest hit.
The Sarnia hospital has confirmed the hackers stole a database report containing information about every patient of Bluewater Health or its predecessor institutions since February 24, 1992.
The breach at Bluewater Health alone amounts to about 5.6 million records pertaining to roughly 267,000 people. The hospital said the stolen data included social insurance numbers for about 20,000 patients.
The hackers have already posted at least four rounds of Bluewater Health data on the dark web, with a promise that more is coming.
An infamous organized cybercrime gang called Daixin Team, which emerged around the middle of 2022, claimed responsibility for the sustained attack.
Daixin has previously taken credit for many other similar blackmail attacks against organizations including a German water metering company, low-cost airline AirAsia, Missouri’s Fitzgibbon Hospital, and OakBend Medical Centre in Texas.
Canada has yet to outlaw ransom payments. But it is among the 50 members of the International Counter Ransomware Initiative (CRI) that have pledged to never pay ransom to cybercriminals.
Callow said the highest known cyberattack ransom demand on record, against a company called MediaMarkt, was $240 million. The company did not pay the ransom.
The highest ransom demand known to have been paid was $40 million. The victim in that case was a company called CNA Financial.
Given that, Callow said a ransom demand in the $8 million range would not be unheard of.
“It varies massively according to the group and the victim, but that certainly wouldn’t be a surprising amount,” said Callow, also a threat analyst with the cybersecurity firm Emsisoft.
He said the blackmail target and the ransom demand often depend on various factors such as the size of an organization and what it can likely afford, its financial statements, insurance policies, and what criminals can glean from publicly available documents.
“Some organizations are specifically targeted,” said Callow. “But in most cases, the attack starts off random. They send out emails with malicious links, and whoever clicks is the unlucky next victim.”
“Or they were scanning the web and came across a vulnerable Internet-facing server that the organization was running. Or they may have come across access to a hospital that was being sold and decided this was a potentially good candidate. There are numerous ways it could have happened.”
While ransomware attacks are on the rise, Callow said it’s hard to give a definitive number of incidents or confirm if Canadian organizations are more frequently targeted.
“It’s extremely hard to tell how many incidents there are because companies aren’t inclined to come forward,” said Callow. “This is a problem because if policy makers can’t see how many attacks there are, or whether they’re trending up or down, how do they know whether their policies are working?”