Oregon Anesthesiology Group (OAG) Say It suffered a ransomware attack in July, resulting in the destruction of sensitive employee and patient information.
The disclosure involved information on 750,000 patients and 522 current and former OAG employees.
The company said in a statement that the FBI contacted it on October 21. The FBI explained that it seized an account containing OAG patient and employee files. Hello Kitty, Ukrainian Ransomware Organization.
The FBI stated that it believes that the organization has used loopholes in OAG’s third-party firewall to allow hackers to gain access to the network.
“Patient information that may be involved in this incident includes name, address, service date, diagnosis and procedure codes and descriptions, medical record numbers, insurance provider names, and insurance ID numbers,” OAG explained.
“Cybercriminals may also have access to data of current and former OAG employees, including names, addresses, social security numbers, and other details on filed W-2 forms.”
The July 11 attack locked OAG out of its servers and forced them to restore the system from a remote backup and rebuild the IT infrastructure from scratch. External cyber security experts were hired to help investigate the attack.
“According to the network forensics report obtained by OAG at the end of November, once cybercriminals enter, they can perform data mining on the administrator’s credentials and access OAG’s encrypted data,” OAG said.
Since then, the company has replaced third-party firewalls and expanded the use of multi-factor authentication. Victims of the incident will receive Experian identity protection services and credit monitoring for 12 months.
OAG added that victims should be aware of scams and urge them to participate in Experian’s IdentityWorks program, which provides up to $1 million in identity theft insurance.
According to OAG, those whose social security numbers have been leaked are urged to create a mySocial Security account with the Social Security Administration, which will allow them to apply for their SSN.
China-Germany Previously reported that the HelloKitty ransomware has been active since at least 2020, mainly targeting Windows systems and using some variants For Linux systems.
There are many HelloKitty derivatives, including New unnamed ransomware variant and Deputy agency.
FBI warning In October about the situation of the organization, and pointed out that the organization is known for using dual blackmail techniques to actively pressure victims.
The FBI stated: “In some cases, if the victim does not respond quickly or pay the ransom, the threat actor will launch a distributed denial of service (DDoS) attack on the victim’s company’s public-facing website.” “Hello. Kitty/FiveHands attackers demand different ransoms in Bitcoin (BTC). These ransoms seem to be tailored to each victim and are commensurate with their assessed ability to pay. If the ransom is not paid, the threat actor will be victimized Publish the user data to the Babuk website (payload.bin) or sell it to a third-party data broker.”
The FBI added that the organization usually uses compromised credentials or known vulnerabilities in SonicWall products. Once they enter the network, they will use publicly available penetration tool suites, such as Cobalt Strike, Mandiant’s Commando or PowerShell Empire, preinstalled with publicly available Tools such as Bloodhound and Mimikatz map the network and elevate permissions before leaking and encrypting.
February, the Group implicated In the high-profile ransomware attack against Polish game developer CD Projekt Red, the company is the maker of popular games such as the “Cyberpunk 2077” and “Witcher” series.
