University Hospital New Jersey in Newark, New Jersey, paid a $670,000 ransomware demand this month to prevent the publishing of 240 GB of stolen data, including patient info. Bleepingcomputer Reported.
The attack on the hospital occurred in early September by a ransomware operation known as SunCrypt, who infiltrates a network, steals unencrypted files, and then encrypts all of the data.
After the SunCrypt operators publicly posted an archive of 48,000 documents belonging to UHNJ, a representative of the hospital contacted the threat actors via their dark web payment portal to negotiate the stopping of any further publishing of patient data.
Paid to protect their patients’ data
In a conversation seen by BleepingComputer between the hospital and the ransomware operators, we get a glimpse into the strangely cordial negotiation of a criminal ransom demand.
After a sample of the hospital’s private stolen data was published on SunCrypt’s data leak site, the hospital contacted the threat actors via their Tor payment site, where they were told that the ransom was $1.7 million. The attackers told them that this ransom, though, “is negotiable due to COVID-19 situation.”
As UHNJ only had two servers encrypted, they were more concerned about the releasing of patient’s data and were willing to pay a ransom to prevent it from being released any further.
“We want to prevent any further leakage of our data and that is why we are here talking with you,” UHNJ told the ransomware operator.
It is not entirely clear what information was contained in the stolen files, but the ransomware operators claimed to have “ID scans, DOB, SSN, illness type.”
After a series of back-and-forth negotiations, they agreed to a ransom of $672,744, or 61.90 bitcoins, and the hospital sent a payment to the given bitcoin address.
The bitcoin blockchain shows that 61.9 bitcoins were sent to the ransomware operation’s bitcoin address on September 19th.
After negotiations were completed, the ransomware operator told UHNJ, “You did a great job too. Our management owes us.”
As part of the negotiations, the ransomware operators agreed to provide a decryptor, all stolen data, a security report, and an agreement not to disclose any stolen data or attack UHNJ again.
According to the security report received by UHNJ, their network was compromised after an employee fell for a phishing scam and provided their network credentials.
