After the operators behind the SunCrypt ransomware published nearly 50,000 files stolen from University Hospitals New Jersey (UHNJ), the hospital reached out to the group to negotiate a payment and stop further data from being leaked. Only two servers had been encrypted, so UHNJ's main concern was to prevent patient information from being released. The SunCrypt operators claimed to hold IDs, birthdays, SSNs and information on illnesses for patients. The initial ransom demand to UHNJ was $1.7 million, but it was eventually brought down to $672,744, which was paid in mid-September. Afterwards, the SunCrypt operators agreed not to disclose any further data or attack UHNJ again.
Several ransomware groups have already told BleepingComputer that they would not attack healthcare organizations, including CLOP, DoppelPaymer, Maze, and Nefilim. Although the Netwalker group claimed they would not purposefully target them, they stated that anyone infected would still have to pay the ransom. When contacted by Dissent Doe of Databreaches.net, the SunCrypt operators responded that they would no longer target healthcare organizations: “We don’t play with people’s lives. And no further attacks will be carried against medical organizations even in this soft way.”
Exposed Remote Desktop Protocol (RDP) servers with weak credentials and phishing attempts are still two of the most common ways ransomware finds its way into a network. If external access is needed, RDP servers should be placed behind a VPN and an RDP Gateway rather than exposed directly to the Internet. Strong credentials and multi-factor authentication should be enforced as well. VPN servers themselves should be kept patched so that the VPN does not become the attacker’s entry point. Organizations should also invest in regular security awareness training so employees know what to look out for in a suspicious email.

To protect the organization from data loss, follow the 3-2-1 backup rule: keep at least three copies of your data, store the copies on at least two different forms of storage media, and keep one copy offsite. Should ransomware ever encrypt one backup that is connected to the victim machine, recovery is still possible from another, safe copy.

To keep attackers from stealing patient information or any other sensitive data, enforce strict policies against sending the data by email or storing it anywhere other than one centralized database. That database should be closely monitored for usage patterns against a baseline of normal user behavior, and any abnormality, such as a user requesting far more records at once than usual, should be investigated quickly.
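As an added illustration of the baseline-monitoring advice above (this is example code, not something from the article or from UHNJ), the following Python script builds a per-user baseline of rows returned per query from constructed database audit-log lines, then flags queries that pull far more records than that user normally does, or that come from a user with no history at all. The log format, user names and row counts are all made up for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed audit-log lines (not real data): one line per query, recording
# the user and how many patient records the query returned.
BASELINE_LOG = """\
2020-09-01T08:02:11 user=nurse01 action=SELECT table=patients rows=3
2020-09-01T08:15:40 user=nurse01 action=SELECT table=patients rows=5
2020-09-01T09:01:03 user=nurse01 action=SELECT table=patients rows=4
2020-09-01T09:30:19 user=nurse01 action=SELECT table=patients rows=2
2020-09-01T10:12:55 user=billing02 action=SELECT table=patients rows=40
2020-09-01T11:45:02 user=billing02 action=SELECT table=patients rows=55
2020-09-01T13:20:48 user=billing02 action=SELECT table=patients rows=48
2020-09-01T15:09:37 user=billing02 action=SELECT table=patients rows=52
"""

# Constructed lines for the period being checked: one bulk pull at night,
# normal activity, and an account that never appeared in the baseline.
NEW_LOG = """\
2020-09-02T02:14:09 user=nurse01 action=SELECT table=patients rows=48000
2020-09-02T08:05:31 user=nurse01 action=SELECT table=patients rows=4
2020-09-02T09:10:12 user=billing02 action=SELECT table=patients rows=60
2020-09-02T09:11:44 user=svc_backup action=SELECT table=patients rows=900
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) .*?rows=(?P<rows>\d+)$")

def parse(log):
    """Yield (timestamp, user, rows) for every well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["user"], int(m["rows"])

def build_baseline(log):
    """Per-user mean and population standard deviation of rows per query."""
    per_user = defaultdict(list)
    for _, user, rows in parse(log):
        per_user[user].append(rows)
    return {u: (statistics.mean(v), statistics.pstdev(v)) for u, v in per_user.items()}

def find_anomalies(baseline, log, sigmas=3, min_ratio=5):
    """Flag queries far above the user's baseline (both a sigma test and a
    minimum ratio, so a user with a tiny spread is not flagged for +1 row),
    plus any query from a user with no baseline at all."""
    alerts = []
    for ts, user, rows in parse(log):
        if user not in baseline:
            alerts.append((ts, user, rows, "no baseline for user"))
            continue
        mean, sd = baseline[user]
        if rows > mean + sigmas * sd and rows >= min_ratio * mean:
            alerts.append((ts, user, rows, f"{rows} rows vs. typical {mean:.1f}"))
    return alerts
```

Running `find_anomalies(build_baseline(BASELINE_LOG), NEW_LOG)` flags the 48,000-row pull by nurse01 and the unknown svc_backup account, while the slightly-above-average billing02 query passes; in practice the baseline window would be days or weeks of real audit logs, not eight lines.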