Embargo Ransomware Gang Sets Deadline to Leak Hospital Data
Georgia-Based Memorial Hospital and Manor Among Embargo Group's Latest Victims

Embargo, a relative newcomer to the ransomware scene, is threatening to begin publishing 1.15 terabytes of data belonging to a small rural Georgia hospital and nursing home attacked last week unless a ransom is paid before Tuesday.
The cybercrime group on its dark web site on Monday ticked off a countdown in hours and minutes for leaking the trove of data allegedly stolen from Memorial Hospital and Manor, an 80-bed community hospital and 107-bed long-term care facility, along with Willow Ridge, a 22-bed personal care facility, which is owned and operated by the Hospital Authority of the City of Bainbridge and Decatur County.
The attack locked up Memorial Hospital and Manor's IT systems, including EHRs and email, on Nov. 1 after employees detected the incident, Jamie Sinko, a Memorial Hospital and Manor spokeswoman, told Information Security Media Group last week (see: Attack Hits Small Rural Georgia Hospital, Nursing Home).
Memorial Hospital and Manor did not immediately respond to ISMG's requests on Monday for an update on the IT outage, and for comment on Embargo's data web site threats to leak the organization's data.
The hospital also appears to have removed a Nov. 1 post from its Facebook page alerting the community that it was dealing with a ransomware attack that impacted access to its electronic health records and other IT systems.
Besides Memorial Hospital and Manor, Embargo's blog site lists at least eight other alleged victims, including one other healthcare sector organization - Weiser Memorial Hospital in Idaho - claiming it has 200 gigabytes of the community medical center and family medical practice's data "available" for purchase.
A Weiser Memorial Hospital spokesperson declined ISMG's request for comment on Embargo's claims, saying that the hospital's investigation "is ongoing."
Embargo lists an assortment of other victims in the U.S., Australia and Europe. That includes the Summerville Police Department in South Carolina, a Michigan county government, a German supply chain services company and a non-bank lender in Australia.
Embargo, which first surfaced in the spring, on its website describes itself as "an international team without any political affiliations." But some security researchers say the gang appears to be sophisticated and well-resourced, and likely operating as a ransomware-as-a-service provider.
The group pressures victims into paying ransoms by using double extortion - exfiltrating victims’ sensitive data and threatening to publish it on a leak site, in addition to encrypting the data, said researchers at security firm ESET in a report late last month.
ESET said it recently discovered new tooling leading to the deployment of Embargo ransomware. The new toolkit consists of a loader and an endpoint detection and response killer, which ESET dubbed MDeployer and MS4Killer, respectively (see: Embargo Ransomware Disables Security Defenses).
The main purpose of the Embargo toolkit is to ensure successful deployment of the ransomware payload by disabling the security solution in the victim's infrastructure, ESET said. "We have also observed the attackers' ability to adjust their tools on the fly, during an active intrusion, for a particular security solution," the report said.
"MS4Killer is particularly noteworthy as it is custom-compiled for each victim’s environment, targeting only selected security solutions," ESET said.
"The malware abuses Safe Mode and a vulnerable driver to disable the security products running on the victim’s machine. Both tools are written in Rust, the Embargo group’s language of choice for developing its ransomware," ESET wrote in the report.
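The two techniques ESET attributes to the toolkit, abusing Safe Mode and loading a vulnerable driver to unhook security products, both leave host telemetry that a defender can alert on. The following is an added example, not code from the article or from ESET's report: a small Python detector run over constructed Sysmon-style events (process creation and driver load). The event records, the driver path and the SHA-256 values in the block list are all placeholders for illustration; in practice the block list would be populated from a curated source of known-vulnerable signed drivers.

```python
"""
Added example (not from the article or ESET): flag Safe Mode boot-config
tampering, Safe Mode service persistence, and suspicious driver loads in
Sysmon-style events. All events and hashes below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed events, not real telemetry. event_id 1 = process creation,
# event_id 6 = driver load, following Sysmon's numbering.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\bcdedit.exe",
     "command_line": "bcdedit /set {default} safeboot minimal"},
    {"event_id": 1, "image": r"C:\Windows\System32\reg.exe",
     "command_line": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\updsvc" /ve /d Service /f'},
    {"event_id": 6, "image": r"C:\Windows\Temp\drv.sys", "sha256": "a" * 64},
    {"event_id": 6, "image": r"C:\Windows\System32\drivers\ndis.sys", "sha256": "b" * 64},
    {"event_id": 1, "image": r"C:\Windows\System32\bcdedit.exe",
     "command_line": "bcdedit /deletevalue {default} safeboot"},
]

# Placeholder block list of SHA-256 hashes of known-vulnerable signed drivers
# (hypothetical values; populate from a curated list in a real deployment).
VULNERABLE_DRIVER_HASHES = {"a" * 64}

# bcdedit changes to the safeboot element switch the next boot into Safe Mode,
# where most endpoint security products are not started.
SAFEBOOT_CMD = re.compile(r"\bsafeboot\b", re.IGNORECASE)
# Services registered under SafeBoot\Minimal or \Network are started in Safe Mode,
# which is how an actor keeps its own service running while security tools are not.
SAFEBOOT_KEY = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.IGNORECASE)
# Legitimate third-party drivers normally live under System32\drivers.
SYSTEM_DRIVER_DIR = re.compile(r"^[A-Za-z]:\\Windows\\System32\\drivers\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str
    detail: str


def analyze(events):
    """Return a list of Findings for the suspicious events in `events`."""
    findings = []
    for ev in events:
        if ev["event_id"] == 1:
            cmd = ev.get("command_line", "")
            if ev["image"].lower().endswith("bcdedit.exe") and SAFEBOOT_CMD.search(cmd):
                findings.append(Finding("safe_mode_boot_config", cmd))
            elif SAFEBOOT_KEY.search(cmd):
                findings.append(Finding("safe_mode_service_persistence", cmd))
        elif ev["event_id"] == 6:
            image = ev["image"]
            if ev.get("sha256", "").lower() in VULNERABLE_DRIVER_HASHES:
                findings.append(Finding("vulnerable_driver_load", image))
            elif not SYSTEM_DRIVER_DIR.match(image):
                # Unknown driver loaded from an unusual path: worth a look even
                # if its hash is not on the block list yet.
                findings.append(Finding("driver_load_outside_system_dir", image))
    return findings


def techniques(events):
    """Convenience wrapper: just the technique names, in event order."""
    return [f.technique for f in analyze(events)]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"{finding.technique}: {finding.detail}")
```

Note that the final event, which removes the safeboot element, is flagged as well: an actor cleaning up after a Safe Mode reboot looks the same as the one setting it, and both are rare on a server during business hours. The hash-based check only catches drivers already on the list, which is why the path check is kept as a weaker fallback.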
BlackCat and Hive are among other cybercriminal groups also developing ransomware payloads in Rust, ESET said.
ESET suspects that recent law enforcement crackdowns affecting groups including BlackCat and LockBit triggered some reorganization in the RaaS space, including fueling the emergence of new threat actors such as Embargo (see: RansomHub Hits Powered by Ex-Affiliates Lockbit, BlackCat).
Meanwhile, on Friday, Biden administration official Anne Neuberger during a briefing to the United Nations Security Council called ransomware a public health crisis that is not just a cybersecurity problem (see: White House Slams Russia Over Ransomware's Healthcare Hits).
Neuberger, deputy national security adviser at the White House, accused Russia of allowing "ransomware actors to operate from their territory with impunity, even after they have been asked to rein it in." The attacks, which have disrupted the delivery of patient medical care in the U.S. and elsewhere, are direct threats to public safety, endangering human lives, she said.