Columbus Regional Healthcare System (CRHS) is a non-profit organization in North Carolina licensed for 154 beds. The Daixin ransomware group claims that on May 18, they encrypted the hospital’s servers after exfiltrating data and deleting backups.
A Ransom Demand and Failed Negotiations
A spokesperson for Daixin tells DataBreaches that three days after they encrypted the hospital’s servers, someone showed up in the chat to negotiate. As they have done in the past when negotiations failed to produce an agreement, Daixin shared some of the negotiation logs with DataBreaches. The portion DataBreaches saw was from June 5 – June 6. During that time, the hospital’s negotiator claimed that they just couldn’t get cyberinsurance to pay that quickly and that the amount Daixin was demanding was more than they could afford. When Daixin pointed out that CRHS had a revenue of $101 million, the negotiator responded, “NON-PROFIT means we don’t keep money on our books. ALL of the money gets spent on operating costs. I wish you could understand this a little more.”
In actuality, that explanation has been offered by many victims to Daixin and other groups, and the groups generally aren’t swayed by that at all. DataBreaches has had a number of groups respond that while these victims cry “Non-Profit,” their CEOs are often making huge salaries while not investing much in security at all.
On June 6, after Daixin’s negotiator told the hospital’s negotiator that they would accept $1 million (down from $2 million), negotiations appear to have ended. After telling the Daixin negotiator that they would give them an update the following day, CRHS’s negotiator never came back to the chat.
“But it’s an expected situation,” Daixin told DataBreaches. “They didn’t want to pay from the beginning.” When asked whether they could tell whether the hospital’s negotiator was a professional negotiator, Daixin said they could tell that they were. “Their negotiator acted according to the standard script. But our negotiator liked the way they skillfully disguised themselves as a CRHS employee.”
Daixin tells DataBreaches that they will be leaking more than 250,000 files within the next day or so. They claim to have exfiltrated 70 GB of data.
Easy to Breach
Ironically, perhaps, CRHS had received results in March from a security assessment it had commissioned. The assessment, conducted by Foresite, found a number of critical and high-risk vulnerabilities, and the assessors wrote, “Based on the results from all phases, Foresite rates the overall security posture of Columbus Regional Health Care as Critical Risk.”
“This attack was very simple,” Daixin told DataBreaches, “and if our group had not done it, others would have done it very easily. Columbus Regional Healthcare System knew that their system was critically vulnerable. They were waiting for us. 🙂”
DataBreaches asked Daixin for their opinion as to how typical the assessment findings were for a hospital system of that size and how easy or difficult they were to attack. DataBreaches also asked them if they had exploited any of the critical vulnerabilities Foresite had alerted CRHS to. Daixin’s spokesperson answered:
There were a lot of vulnerabilities. If there is a simple way [to gain access] with obvious vulnerabilities, there is no point in using complicated methods. You could have hacked them using the tutorial from YouTube. 🙂
It took one pentester an hour to get full control.
Daixin’s spokesperson also claimed that CRHS had no network anomaly monitoring in place (no intrusion detection or prevention systems, i.e., IDS/IPS).
What is in the Leak?
A filelist provided to DataBreaches demonstrates once again that too many entities store old data on servers. The filelist listed more than 11,000 directories and more than 256,000 files. Many of the files related to the Accounting department; there were 1099 forms as well as 1096 forms for 2018 – 2022. Each person or vendor for whom a 1099 form was generated might need to be notified that their SSN or other personal and financial information is being leaked on the dark web.
There also appeared to be a lot of billing and accounting records. But from the filelist alone it was not clear whether certain files were patient reports, as the filenames did not always give any clue to their contents. A number of files were more than a decade old.
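The retention problem described above (tax forms going back years, files more than a decade old, filenames that say nothing about content) is the kind of thing a data-minimization audit over a file inventory catches before an intruder does. The following script is an added illustration written for this article, not code from DataBreaches, CRHS, Foresite or Daixin; the file listing, the retention threshold of seven years and the name patterns are all constructed assumptions, and a real audit would feed it the output of a file-share crawl and a retention policy of its own.

```python
"""Retention audit over a file listing: flags files past a retention
threshold and files whose names suggest sensitive content (tax forms,
personnel matters, SSN lists). Everything below is constructed for
illustration; nothing comes from the leaked file list."""
import re
from datetime import date

# Constructed sample inventory: (relative path, last-modified date, ISO 8601)
SAMPLE_LISTING = [
    ("Accounting/1099/2018/vendor_1099_misc.pdf", "2019-01-28"),
    ("Accounting/1096/2019/form_1096_summary.pdf", "2020-01-30"),
    ("HR/Complaints/2015/investigation_report.docx", "2015-11-03"),
    ("Payroll/employee_ssn_list_2016.xlsx", "2016-03-01"),
    ("Billing/2023/claims_batch_0412.csv", "2023-04-12"),
    ("IT/scripts/backup.ps1", "2022-09-01"),
]

# Name patterns (assumed, extend to taste). They are applied to a normalised
# path in which separators are replaced by spaces, so that \b works on
# tokens such as "vendor_1099_misc" where "_" would otherwise count as a
# word character and defeat the boundary.
SENSITIVE_NAME_PATTERNS = {
    "tax_form": re.compile(r"\b(1099|1096)\b"),
    "hr_personnel": re.compile(r"\b(complaints?|investigation|disciplinary)\b"),
    "ssn_in_name": re.compile(r"\bssn\b"),
}


def _normalise(path):
    """Lower-case the path and turn _ - . / \\ runs into single spaces."""
    return re.sub(r"[_\-./\\]+", " ", path.lower())


def classify(path):
    """Return the sorted list of tag names whose pattern matches the path."""
    text = _normalise(path)
    return sorted(tag for tag, pat in SENSITIVE_NAME_PATTERNS.items()
                  if pat.search(text))


def age_in_years(modified, today):
    """Age in years to one decimal, using 365.25-day years."""
    return round((today - modified).days / 365.25, 1)


def audit(listing, today, max_age_years=7):
    """Return one finding per file that is stale, sensitive-looking, or both.

    `today` may be a date or an ISO 8601 string; fixing it makes the
    audit reproducible rather than dependent on the wall clock.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for path, mtime in listing:
        modified = date.fromisoformat(mtime)
        age = age_in_years(modified, today)
        tags = classify(path)
        stale = age > max_age_years
        if stale or tags:
            findings.append({"path": path, "age_years": age,
                             "stale": stale, "tags": tags})
    return findings


def summarize(findings):
    """Headline counts: stale, sensitive-looking, and the overlap that
    most needs deleting or locking down."""
    return {
        "stale": sum(1 for f in findings if f["stale"]),
        "sensitive": sum(1 for f in findings if f["tags"]),
        "stale_and_sensitive": sum(1 for f in findings
                                   if f["stale"] and f["tags"]),
    }


if __name__ == "__main__":
    # Constructed reference date so the run is deterministic.
    report = audit(SAMPLE_LISTING, "2023-06-15")
    for finding in report:
        print(finding)
    print(summarize(report))
```

On the constructed listing the audit reports four of the six files: two current tax forms that are sensitive but within retention, and two files (a 2015 investigation report and a 2016 SSN list) that are both past retention and sensitive-looking, which is exactly the class of file that should not still be sitting on a general-purpose server.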
While the amount of patient data could not be readily determined from the filelist, some sensitive data was in the sample to soon be leaked by Daixin. The image below is part of a file dated more than 7 years ago about complaints of sexual harassment. In the report, two women’s full names and the male employee’s full name were included. The partial image below was redacted by DataBreaches, but why was such a sensitive personnel file on the server at this point and without even minimal password protection?
CRHS’s Response
DataBreaches sent an inquiry to CRHS asking for their statement about the alleged attack and whether the attack interfered with patient care in any way. DataBreaches also asked whether they had notified any employees or patients whose personal information may have been acquired by the threat actors, although it has only been a few weeks since the attack and it would be understandable if no notifications had been sent yet.
CRHS has not replied as yet. Daixin will soon be adding CRHS to their leak site with a few files as proof. Unlike groups that threaten to leak quickly but then don’t, Daixin usually does leak data quickly after first adding a victim to their leak site.
DataBreaches has previously reported other attacks by Daixin in the healthcare sector including Fitzgibbon Hospital in Missouri and OakBend Medical Center in Texas. CISA published an alert about Daixin in October 2022.
DataBreaches will continue to follow this developing story.
Note: An earlier version of this post incorrectly stated that the listing was already up on Daixin’s site. The preview had been shown to DataBreaches exclusively and was not public at the time this post was published.
Update 8:30 PM: By the end of the day, Daixin had listed the incident and leaked all the data. Preliminary inspection of the leak did not uncover any patient databases, although some patient data was included in other types of files.