Marco A. De Felice prefaces his reporting on a Ragnar_Locker attack with this message:
For ethical reasons we did not want to spread the news of the attack on the hospital’s IT infrastructure before the news became public knowledge. Indeed, on December 20, SuspectFile had already become aware of the ransom note written by the Ragnar_Locker group.
Kudos to my colleague for his restraint. As he reports, the hospital itself had already issued an alert on its website on November 29, but Marco was privy to other details not yet made public.
On December 20, Ragnar_Locker’s negotiator claimed that the hospital’s SQL database was compromised as well as the personal information of hundreds of thousands of patients and that data could be published very soon on the media.
In another message, Ragnar_Locker claimed that in the event of non-negotiation, they would still be able to encrypt the entire AOAL computer network, which would lead to the blocking of normal hospital operations. As of December 22, they claimed to still have ways of being able to access different hosts and servers.
As is often the case, it is possible to “shoulder surf” certain groups’ chat negotiations, which means that sensitive patient data shared with victims as proof of claims may already be in the hands of any number of people including researchers, journalists, or ne’er-do-wells who intend to leak the data on a hacking forum to try to boost their reputation.
For all of the ransomware group’s efforts, De Felice saw so evidence that the hospital ever replied to the attackers or attempted to negotiate with them. You can read the full SuspectFile post here.