In a second incident by BianLian, the ransomware group has listed California-based healthcare facility St Rose Hospital as its victim. The ransomware gang claims to have access to 1.7 TB of data which includes staff and patients’ personal information.
The post on its dark web forum stated that St Rose Hospital, located in California and a designated cardiac arrest center in Alameda County with a revenue of $100 million, is among their latest targets.
Healthcare sector remains an easy target for hackers, leaving patient data at high risk.
A screenshot of the threat actor’s dark web forum
The threat actor group noted financial, business, and patient data under the description of the information that they possess. They claim to have 195 GB of data pertaining to medical records, and scans of patients at St Rose Hospital. Moreover, emails, project details, accident reports, and building plans are in their stolen data.
Their threat is alarming because of the fact that details of drug overdosing, harassment, phone, and SSN will be released for anyone to see. The post only lists some types of documents they have exfiltrated. However, if the claims are true, they may have a lot more data that is feared to be dumped on the dark web like the data exposed from the systems of Australian insurance giant Medibank this year.
The post ends with the remark, ‘DATA COMING SOON,’ indicating that they will likely leak the said data on their forum soon. The Cyber Express reached out to St. Rose Hospital however did not receive any information or reply yet.
BianLian ransomware group at a glance
Much like the namesake Chinese instant Face-Changing art form, this ransomware group also adds numbers and names to its victim’s lists instantly. They develop ransomware using the adaptable Golang, an open source programming language used for general purpose.
The BianLian victims listed by Cyble shows that the United States of America, the United Kingdom, and Australia have been among their often-targeted nations. This is a financially motivated group.
Industries targeted by BianLian (Source: Cyble)
Upon the successful launching of the ransomware attack, the BianLian ransomware deletes itself and leaves behind the encrypted files on the victims’ system. The group has been known not to leave the ransom sum mentioned on its ransom note.
A sample of the encrypted files (Source: Cyble)
CISA has been urging users to report ransomware attacks and not to pay a ransom. Blackberry researchers have noted some mitigation steps in its blog such as using file carving (D3-FC) to check whether the files are legitimate, file access pattern analysis (D3-FAPA) to see how applications use files, and trying remote terminal session detection (D3-RTSD) to watch for any unauthorized access on the network.
They can also go for file creation analysis (D3-FCA) which is an offensive mechanism that collects data, carries defense evasion, and executes the proxy.