Newark-based University Hospital New Jersey (UHNJ) paid a ransom fee of $670,000 to protect 240 gigabytes of its data, said Bleeping Computer. This came after the ransomware group SunCrypt compromised 48,000 UHNJ documents.
The facility was attacked by SunCrypt back in September, when the group stole unencrypted files and then encrypted them. The group was able to acquire these documents by infiltrating the victim’s network.
Upon the public release of more than 45,000 files, the hospital got in touch with the malicious player through its dark web payment portal via Tor. The two parties negotiated the terms in order to prevent other data from being compromised.
Bleeping Computer was able to view communications between UHNJ and SunCrypt and described it as a “strangely cordial negotiation of a criminal ransom demand.”
The hospital told the hackers, “We want to prevent any further leakage of our data and that is why we are here talking with you.” The group claimed that it had sensitive patient info such as ID scans, dates of birth, social security numbers, and illness types.
Initially, the ransom fee was $1.7 million, but the attackers informed the facility that it “is negotiable due to COVID-19 situation.” The two parties settled at $672,744 or 61.9 bitcoins. The facility paid through the bitcoin wallet address provided by the group.
Upon the payment’s completion, the group provided a decryptor to restore the facility’s access to the encrypted data, along with a security report and a non-disclosure and no-repeat-attack agreement.
As per the report, the network was breached after an employee, victimized by a phishing scam, handed over network credentials.
The credentials were used to log into the Citrix server, which granted access to the network. The ransomware operator did not say which employee provided the opening for the attack.
Bleeping Computer asked UHNJ for comments but did not receive a reply. Meanwhile, the tech site got in touch with various ransomware groups in March to ask whether they would hack healthcare and medical facilities.
Various operators such as DoppelPaymer, Maze, CLOP, and Nefilim told Bleeping Computer that they would not attack such facilities. They would also provide free decryption should they mistakenly attack one.
One group, Netwalker, said that no matter the type of establishment, any organization needs to pay the ransom.
After the UHNJ attack, SunCrypt told data breach journalist Dissent Doe that it would not target healthcare facilities for the time being, as they “don’t play with people’s lives.”