SCOOP: UnitingCare paid hundreds of thousands of dollars to REvil for decryption key and deletion of files
On April 25, UnitingCare Queensland (UCQ) was the victim of a ransomware attack that impacted multiple Queensland hospitals and aged care centres. The next day, they posted a notice on their web site informing people as to what was happening and its impact. And on May 5, they posted a second update where they revealed that it was REvil (Sodinokibi) threat actors who had attacked them. That update described steps they had taken since the incident to safely recover and restore services. They also noted:
With the assistance of leading experts and advisors, we are conducting a thorough investigation into whether patient, client, resident or employee information has been breached. This investigation is continuing and we will continue to keep the people we care for updated in this regard, in addition to employees, regulators and other stakeholders.
But their subsequent (and most recent) update of June 10 provided no update on whether they had determined whether any patient, employee, customer, or vendor data was exfiltrated or compromised. Nor did they disclose whether UnitingCare paid any ransom demand.
DataBreaches.net can now report that UnitingCare has reason to believe that patient data and personal information were compromised. And this site can now report that UnitingCare paid REvil ransom to get a decryption key and to get assurances that all files would be deleted. UnitingCare did not pay as much ransom as the threat actors originally demanded, but they did pay hundreds of thousands of dollars.
The following is based on a copy of ransom negotiations between REvil and someone representing UnitingCare who claimed to be “Ryan” from IT. Whether he really is named Ryan and is really part of IT or was a hired negotiator is unknown to DataBreaches.net.
During the course of the negotiations, REvil provided some proof of claims to UnitingCare that included files with patient information and personal information, such as a list of files that contained copies of passports for named individuals. Another file contained narratives of mandatory reportable incidents on named patients. When UnitingCare’s negotiator asked to see specific files referenced in the proffer of proof, REvil provided them.
Those files should have subsequently been deleted in their entirety following the ransom payment, yet DataBreaches.net found that those files are still available online. Does UnitingCare know that?
When negotiations began, REvil’s negotiator/support person indicated that they would give a 20% discount for quick payment. “Ryan” said that was still unworkable fo them and offered $195,000. Unsurprisingly, REvil rejected it outright.
“What do you propose then?,” Ryan asked. “Please understand the circumstances we are in. Everything is shut down, we can’t help our patients. Everyday we are down, the worse off we are. We need to purchase the tool quickly and in good faith, already hired a broker in the US to assist us and sent him some funds so he can buy crypto quickly for you.”
REvil’s answer was not what Ryan likely hoped for:
“We have been administrators of your network for a long time and we know how much you are willing to pay. Our latest offer is 700k but that’s all. Our servers have hundreds of gigabytes of your confidential data. You must understand the seriousness of the situation.”
Eventually, after a lot of back-and-forth negotiations, REvil agreed to accept $300,000, but then pointed out that was for payment by Monero and payment by BTC would tack on an extra 10% for the processor. That resulted in more negotiations, with Ryan asking:
“Why do you ask for payment in a currency the US can’t pay ?”
“If you keep asking stupid questions, you will be banned from this chat,” REvil replied. “Either you pay, or we publish your data in the media with the subsequent sale, you must pass this information to your boss.”
Ryan also asked whether REvil would provide them with a copy of the files before they deleted them. REvil refused, stating:
“We provide a complete file tree for complete confidentiality after payment arrives at our account, the data is automatically deleted along with the server.” As he also reiterated that after payment, UnitingCare would receive:
[Well, we can already see that the second and third promises were not fully kept as DataBreaches.net found some of the files still online and was able to find the terms of their negotiations, etc.]
– Universal decryptor for your all network
– The complete deletion of all your files with our warranty not to use the data for any purpose.
– 100% confidentiality of this incident and all terms of the transaction on our part.
– Complete audit of your network to prevent similar attacks in the future
Ryan pressed to get the actual files in addition to the file tree:
“We 100% would like the file tree before you delete the files. But if there is any way we can download the files before you delete them, that would be preffered. Is that possible at all?”
And that’s when REvil had the absolute chutzpah to respond:
Only file tree”
In any event, after payment was made last month, REvil did provide UnitingCare with what they had previously described as “Part of random lines from the tree file.” There were more than 209,000 files listed. Many of the filenames suggested that they contained patient information for named patients.
Although REvil assured Ryan that all files had been deleted, the file tree wasn’t deleted and that appears to reveal patient names and other personal information. DataBreaches.net is providing just a small sample from the file tree, and has redacted individuals’ names.
Does UnitingCare know the unredacted file tree is still available online? And that the mandatory reportable incidents file is still available online?
In the U.S., this would all be a reportable breach under HIPAA, but DataBreaches.net does not know AU law on notification requirements.
DataBreaches.net sent a number of questions to UnitingCare yesterday and added additional questions today. As of the time of publication, no response has been received. But DataBreaches.net notes that UnitingCare now claims that it has restored key systems, while not publicly revealing that it had paid ransom to get the decryptor key.[There are many who would disapprove of the ransom payment as it only encourages more crime. There are also many who would understand why a healthcare system would pay ransom and just be glad that they didn’t reveal it so as not to encourage more crime.]
UnitingCare’s last exchange with REvil appeared to be four days ago when Ryan reappeared and started pressing REvil to provide them with an invoice.
Ryan: Can you please provide the invoice??
REvil: We do not issue invoices
Ryan: any other method please?? Please understand I will lost my job.. Higher management is asking for it.
REvil: wait for answer.
Ryan: ok I am waiting. Thanks
Ryan: Please help me fast please it’s a humble request.. Higher management is keep pinging me & asking for it
Ryan: It’s about my job please understand. I don’t want to lose my job. I have my loans and debts which I have to pay. Please help me fast
Ryan: are you there???
Ryan: kindly reply me.. please understand my situation
REvil: wait for answer
That was four days ago. And no, DataBreaches.net has no idea why they would be pressing for an invoice, but if UnitingCare responds to inquiries or would care to explain, this post will be updated.
Post-publication, typos calling the entity UnitedCaring were corrected. Also post-publication, this site received a reply from the corporate communications manager from UnitingCare that said:
Thanks for your enquiry.
Our most up to date statement regarding the cyber incident and our recovery
process is on our website and we have nothing further to add at this stage.