An email DataBreaches received yesterday from an unrecognized account contained just one line – a link to a new listing on the D#nut Leaks ransomware group’s leak site about Montgomery General Hospital (MGH) in West Virginia. MGH is part of the Montgomery General Health Care System, Inc., which includes the hospital, Montgomery General Elderly Care, Montgomery General Extended Care, and Montgomery MedCorp, Inc.
But D#nut Leaks had done more than add MGH’s name to their leak site. They had also dumped files from the hospital.
DataBreaches replied to the person who had emailed the link. Unsurprisingly, they were a D#nut Leaks member, and they confirmed that their group had locked some of MGH’s files in an attack early in March. When DataBreaches asked how they gained access to MGH, the spokesperson answered, “via Microsoft Exchange exploit.”
Victims often do not respond to ransom demands or contacts from their attackers. In this case, MGH reportedly responded, and D#nut Leaks shared some chat logs with DataBreaches.
The chat began on March 5 when someone showed up claiming to be a member of MGH’s executive team. D#nut’s negotiator (“d0nut”) told MGH:
We are here to inform you that we have infiltrated your network and stayed there for 3 days (it was enough to study your documentation and gain access to your files and services). Also we have downloaded personal data related to your patients, employees and management. Since your business provides critical services and its infrastructure necessary for ordinary people health, we decided not to crypt or damage your network. But we still have downloaded sensitive data from there, so we could make a deal. We know that your IT team found us in your network, also we know that they installed Sentinel Antivirus to resist us. After few hours we removed this AV. At this point we made a decision not to damage your network, but to discuss this situation with your administration and negotiate about sensitive data we own from your network
d0nut also told the MGH negotiator that they wanted $750,000 for a decryptor and deletion of exfiltrated files. MGH was provided a partial file tree and the ability to decrypt a few files for free as proof.
From the hospital’s site: “Montgomery General Hospital is a 25 bed critical access facility that provides care to over 1,000 inpatients, 40,000 outpatients, and care for over 10,000 emergencies on an annual basis. Montgomery General Hospital serves as a general acute care hospital to Fayette and surrounding counties in the state of West Virginia.”
MGH did not make any counteroffer but asked for more information (an entire file tree and not just a partial one), a lower price, and more time. As we have seen in other cases, the hospital stated that as a non-profit, they could not afford what was demanded. The negotiator said they also had to go through specific processes to get board approval for expenses above a certain amount. There was no mention of any cyberinsurance.
After some back and forth over time, D#nut Leaks’ negotiator appeared to lose patience after MGH reported the results of one board meeting but stated there would be another board meeting the following week:
The board meeting went well last night, they had a few questions about the data that was taken and we have sent that to the board for their review. We will follow up next week once we have approval from them to make an offer.
“Please give us your offer on Monday. We couldn’t wait for you forever,” D#nut’s negotiator responded.
Although MGH’s negotiator insisted they were trying their best, they did not make any counteroffer, and on March 31, 26 days after negotiations started, D#nut Leaks dumped the data.
DataBreaches contacted MGH via its website contact form yesterday and emailed Denzil Blevins, their CIO. No replies were received.
The data leak
DataBreaches has not reviewed the entire leak but has seen employee-related files with personnel and payroll information for former and current employees, such as Social Security numbers, pay rate, etc., patient files with medical histories, diagnoses, treatment plans, test results, and health insurance billing records with policy information, dates of services, CPT codes, and amounts charged. No large employee-related or EMR databases were seen in the cursory review of files.
DataBreaches will continue to monitor the situation, but it is already clear that MGH will have some notifications to make to employees, patients, and regulators.
Update: Marianne Kolbasuk McGee has a good update with the hospital’s response and notification plans. Read more at BankInfoSecurity.