Daixin Team is now claiming responsibility for — and leaking data from — an attack that has significantly impacted five Canadian hospitals in Ontario.
TransForm Shared Service Organization provides IT, supply chain, and accounts payable services to Bluewater Health, Windsor Regional Hospital, Hotel Dieu Grace, Erie Shores Healthcare, Hospice of Windsor-Essex, and the Chatham-Kent Health Alliance. According to media coverage and news releases by TransForm, a ransomware attack disrupted the hospitals’ access to Wi-Fi, email, and patient information systems. Surgeries and appointments have reportedly been canceled or rescheduled in some cases, and patients could not be reached by phone to alert them to the interrupted services. Yesterday, CBC reported that radiation treatment for cancer patients was being transferred from Windsor to other hospitals.
“We continue to work around the clock to restore systems, and we expect to have updates related to the restoration of our systems in the upcoming week,” TransForm said in a statement yesterday, noting that patient and employee data had been taken and were at risk of being exposed or leaked by the threat actors.
Details of the Attack Emerge
DataBreaches can now reveal more details of the attack, as shared with this site by Daixin.
As an overview: the stolen data includes a dump of database tables containing more than 5.6 million records with personally identifiable information (PII) and protected health information (PHI). The dump also includes 160 GB of sensitive documents (scanned copies) from internal servers. A file list provides a more detailed picture of what’s in the to-be-leaked data. The first tranche of data leaked tonight on Daixin Team’s dark web leak site involves scans of patient information that include patient records and claims information.
Here’s what DataBreaches can also report so far (some of which has been confirmed by the victims):
- The attack was on October 23, 2023. As part of the attack, Daixin destroyed backups.
- On October 24, a negotiator entered the negotiation chat room. They were given a list of files and then a few files of their choosing were decrypted as proof that Daixin could decrypt them.
“They knew from the beginning that we had quite a bit of critical data from their internal resources and we weren’t bluffing,” Daixin told DataBreaches. “After much deliberation, they wrote that they were not going to pay.”
In media coverage of the incident, Ann Cavoukian had been quoted as asking a relevant question:
“Sensitive medical data is extremely problematic in the hands of the wrong people. Where I would start is, what is the strength of the security measures these hospitals had employed to begin with?” said Ann Cavoukian, the former privacy commissioner of Ontario.
“I’m guessing, and I’m saying I’m guessing, I haven’t examined it [but] I’m guessing they weren’t very strong.”
DataBreaches put the question about TransForm’s security to Daixin, who replied:
They purchased rather expensive software to detect intruders. The chief system administrator watched the system on 6 monitors.
At first glance very good all round.
But… the administrators used the same passwords – everywhere! (possibly also on home computers, alarm, phones, etc.)
The mouse cursor on the administrator’s workstation didn’t come to life until an hour later, after all systems had been shut down and encrypted, but not for long – the monitors were switched off and the workstation’s operating system wiped.
We could have been in their system for a very long time and destroyed almost everything – down to the last device (including medical).
We didn’t do that, we just left.
If paid, they could have all systems back up and running within a few hours.
Daixin declined to tell DataBreaches exactly how they gained access but did state that they gained access a week before they deployed the ransomware and it took them a few hours to take over the system. Given the data theft, they were in the system for several days, during which time they weren’t detected.
When DataBreaches asked them if they were still in TransForm’s system, they replied, “We’ll check it out when they fully restore their system.”
And when asked whether they were directly in the hospitals’ networks, they replied, “The networks were completely transparent – we could go anywhere.” When DataBreaches asked if that was because of password re-use or failure to segment, or some other reason, Daixin answered, “Maybe they had some kind of segmentation, but the fact that even the wifi in the hospitals disappeared after we attacked can speak to its level. The passwords for some administrator accounts across all hospital domains were the same.”
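The weakness Daixin describes, the same administrator password across every hospital domain, is one a defender can audit directly rather than learn about from an attacker. The script below is an added example for this article, not code from the article, from TransForm, or from Daixin. It assumes the defender has exported, per domain, each account’s name, whether it is privileged, and an opaque one-way credential hash (only equality between hashes is ever tested; the sample rows and the hash values in them are constructed placeholders). It flags every hash reused by more than one account and ranks highest the hashes shared by privileged accounts in more than one domain, since that is the case in which one compromised credential opens every domain at once.

```python
"""Audit credential-hash reuse across privileged accounts in several domains.

Added example for this article, not TransForm's or Daixin's tooling. It
assumes a per-domain export of account name, privilege flag and an opaque
one-way credential hash; the hash value itself is never interpreted, only
compared for equality. The sample rows below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    domain: str
    name: str
    privileged: bool
    cred_hash: str  # opaque one-way hash; compared only for equality


# Constructed sample export: hash values are placeholders, not real hashes.
SAMPLE_EXPORT = [
    Account("hospital-a.local", "admin-a", True, "h1"),
    Account("hospital-b.local", "admin-b", True, "h1"),  # same as admin-a
    Account("hospital-c.local", "admin-c", True, "h1"),  # same again
    Account("hospital-a.local", "svc-backup", True, "h2"),
    Account("hospital-a.local", "nurse01", False, "h2"),  # shares with a privileged account
    Account("hospital-b.local", "clerk07", False, "h3"),
    Account("hospital-b.local", "clerk08", False, "h3"),  # shared, unprivileged only
    Account("hospital-c.local", "radiology", False, "h4"),  # unique, not reported
]


def find_shared_hashes(accounts):
    """Map each credential hash used by two or more accounts to those accounts."""
    by_hash = defaultdict(list)
    for acct in accounts:
        by_hash[acct.cred_hash].append(acct)
    return {h: accts for h, accts in by_hash.items() if len(accts) > 1}


def classify_findings(accounts):
    """Rank reuse findings by blast radius.

    Returns a list of (severity, hash, sorted account labels) tuples where
    severity is:
      "critical" - privileged accounts in more than one domain share a hash
                   (one stolen or cracked credential opens every domain);
      "high"     - a privileged account shares a hash with any other account;
      "medium"   - only unprivileged accounts share a hash.
    """
    findings = []
    for h, accts in find_shared_hashes(accounts).items():
        priv = [a for a in accts if a.privileged]
        priv_domains = {a.domain for a in priv}
        if len(priv_domains) > 1:
            sev = "critical"
        elif priv:
            sev = "high"
        else:
            sev = "medium"
        labels = sorted(f"{a.domain}\\{a.name}" for a in accts)
        findings.append((sev, h, labels))
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (order[f[0]], f[1]))
    return findings


def summarize(accounts):
    """Count findings per severity; usable as a dashboard metric or a gate."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    for sev, _, _ in classify_findings(accounts):
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    for sev, h, labels in classify_findings(SAMPLE_EXPORT):
        print(f"[{sev.upper():8}] hash {h}: {', '.join(labels)}")
    print(summarize(SAMPLE_EXPORT))
```

Run against a real export, every “critical” finding is a password that should be reset immediately and replaced with a per-domain, per-account credential (a privileged access management tool or a local-administrator password solution makes that routine); “high” findings indicate a privileged account whose secret has leaked into ordinary use. The script only ever compares hashes for equality, so it can run over a directory export without anyone handling plaintext passwords.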
DataBreaches asked Daixin how many files they had encrypted. They replied, “I’m assuming we’re talking about thousands of hosts.”
So how much would TransForm have had to pay to get a decryptor and a report on their security to help them identify vulnerabilities that could be exploited again? Daixin didn’t reveal the amount to DataBreaches, but stated that TransForm learned of the financial demands on the second day of the attack. There was some negotiation with BlueHealth, but Daixin’s spokesperson said they didn’t make any counteroffers. “They didn’t bargain. We’ll probably settle for $4 million,” the spokesperson said, and speculated that they might have been banned from paying. When DataBreaches told Daixin that this site was not aware of any law that would ban payment in this situation, they replied, “If they haven’t been banned from paying then they are just really stupid and greedy. In this case, I really feel sorry for their patients.”
“Their costs will far exceed what we demanded,” Daixin added.
DataBreaches has interacted with Daixin in the past when reporting on other attacks of theirs in the medical sector such as Fitzgibbon Hospital, Columbus Regional Healthcare System, and OakBend Medical Center. DataBreaches has also reported on their attacks in other sectors. In October 2022, CISA issued an advisory on Daixin. From past exchanges with Daixin, DataBreaches knew that they would not feel guilty about surgeries or patient care being impacted, although they would not knowingly lock any life-saving devices. Attempts to get Daixin to feel pity or remorse of any kind will totally fail.
In light of the impact the TransForm incident has had on patient care, and despite Daixin saying they really feel sorry for the patients in this case, DataBreaches was not surprised to see that the “Bluewater Health and Others” negotiator had pleaded with them to no avail, writing:
We have strongly considered your demands, but we cannot pay. We have to use our money, all of our money, for our patients. We understand that this will upset you. But please know this: cancer treatment is being cancelled. Surgeries are being postponed. Our patients are hurting. We are doing our best to restore our operations, and we will recover. But this attack has resulted in actual pain and suffering. We cannot pay, and we are asking you to delete the data and leave us alone. Our patients and staff have endured enough.
Daixin answered them, in part, by challenging their claims about costs, but then added:
Either way – we’re not upset, we’ll pour your data into our leak site after the timer expires.
We understand that money is more important to you than patients – we’re alike in that.
Daixin is leaking the data, they say, to make this situation a bad example for their next targets. But they add, “Perhaps we’ll move on to targeted attacks if this https://themessenger.com/tech/ransomware-us-international-hacking-ransom-pledge is real.”
The attempt to get more governments to pledge to ban ransom payments is real, but what would it involve, and what would happen with hospitals where lives might be lost? Should ransom payments by government hospitals be banned, too, if governments sign a pledge?
There are a number of issues to be considered and worked out, but there is growing support for banning ransom payments, and when asked about the current incident, Brett Callow of Emsisoft commented:
“Ransomware attacks on hospitals have the potential to impact medical outcomes and represent a threat to life – and, unfortunately, we’re seeing as many attacks now as we ever did. I believe that governments need to seriously consider either banning the payment of ransom demands or at least restricting the circumstances in which they can be paid. As current counter-ransomware strategies are very clearly not working, new approaches are needed.”