One of the newer ransomware groups to open a leak site is “ThreeAM.” Bleeping Computer recently reported that the ThreeAM malware is written in Rust, and on at least one occasion, researchers discovered that when LockBit failed, ThreeAM (aka 3AM) was successfully deployed. Symantec has more details on the malware and the group’s methods.
ThreeAM caught DataBreaches’ eye because one of the victims on their leak site is Visiting Physician’s Network (VPN) in Texas. The medical practice appeared to have been added on or about September 4.
In this case, the listing also indicates that the threat actors have leaked 85% of the files they acquired and that 272 people have viewed the listing. The listing also shows that they acquired patient chart scans, divided into three groups of folders by patients’ last name. The listing doesn’t indicate how many people may have downloaded or viewed the scanned files.
When expanded, each of the three parts of the leak contained folders on numerous patients. The first part, for example, has folders for patients whose last names began with A-I. There are almost 1,160 patient folders in that one part, and for every patient, there are multiple files — usually from 2016 or 2017. The following image, redacted by DataBreaches, shows a number of files for one patient. Every filename begins with the patient’s first name and last name — a system used for all their patient records in these directories.
Some patients had many more files than others. Most filenames included not only the patient’s name, but a date, and something describing the nature of the information in the file. For many files, the purpose appeared to be related to prescriptions, lab results, consent, or other issues. Some files, when examined, were multi-page files with detailed medical histories, demographic information, and social histories as well. All of this is considered protected health information (PHI) under HIPAA.
On September 15, DataBreaches reached out to VPN via their website contact form. No reply was received. A second inquiry was sent today, requesting that they answer some questions via email or telephone. No reply has been received, though.
Based on prior reports about ThreeAM, DataBreaches sent them some inquiries on September 16. They replied today, responding to the first question by saying that they had checked VPN’s security three weeks ago, and had locked it and “unloaded all their data.”
Not responding directly to another question about how much money they were demanding, they replied, “This is sensitive information, but we never ask for more than companies can pay for our services.”
DataBreaches also asks ransomware groups whether their victims have responded at all to any demands. In this case, ThreeAM replied that VPN was “…very negligent with their security and lost data, their customers and employees data. (sic) They have not been in touch.”
ThreeAM declined to offer any other information or comments about the incident, but did state, “We want you to know that we are not extortionists as we are now commonly called on the internet, we are a team providing network security services to companies and we ask for a token amount for our work, after which we explain in detail all their problems and vulnerabilities in the network so that they are never exposed again. All the data of the companies that have cooperated with us will never leak into the network.”
DataBreaches genuinely has no idea whether these ransomware groups harbor any hope that anyone will believe that they are not extortionists when they are holding data or a decryption key hostage.
More importantly, there is no notice on VPN’s website and they have not responded transparently to inquiries. VPN is still within the “no later than 60 days” deadline for notifying HHS and patients as specified by HIPAA. But the fact that they have not posted anything on their site at all to alert patients that not only has their sensitive data been stolen but is already being freely distributed on the dark web is concerning.