SCOOP: UnitingCare paid hundreds of thousands of dollars to REvil for decryption key and deletion of files

On April 25, UnitingCare Queensland (UCQ) was the victim of a ransomware attack that impacted multiple Queensland hospitals and aged care centres. The next day, they posted a notice on their web site informing people as to what was happening and its impact. And on May 5, they posted a second update where they revealed that it was REvil (Sodinokibi) threat actors who had attacked them. That update described steps they had taken since the incident to safely recover and restore services. They also noted: With the assistance of leading experts and advisors, we are conducting a thorough investigation into whether patient, client, resident or employee information has been breached. This investigation is continuing and we will continue to keep the people we care for updated in this regard, in addition to employees, regulators and other stakeholders. But their subsequent (and most recent) update of June 10 provided no update on whether they had determined whether any patient, employee, customer, or vendor data was exfiltrated or compromised. Nor did they disclose whether UnitingCare paid any ransom demand. DataBreaches.net can now report that UnitedCaring has reason to believe that patient data and personal information were compromised. And this site can now report that UnitedCaring paid REvil ransom to get a decryption key and to get assurances that all files would be deleted.  UnitedCaring did not pay as much ransom as the threat actors originally demanded, but they did pay hundreds of thousands of dollars. The following is based on a copy of ransom negotiations between REvil and someone representing UnitingCare who claimed to be “Ryan” from IT. Whether he really is named Ryan and is really part of IT or was a hired negotiator is unknown to DataBreaches.net. During the course of the negotiations, REvil provided some proof of claims to UnitingCare that included files with patient information and personal information, such as a list of files that contained copies of passports for named individuals. Another file contained narratives of mandatory reportable incidents on named patients. When UnitingCare’s negotiator asked to see specific files referenced in the proffer of proof, REvil provided them. Those files should have subsequently been deleted in their entirety following the ransom payment, yet DataBreaches.net found that those files are still available online. Does UnitedCaring know that?  When negotiations began, REvil’s negotiator/support person indicated that they would give a 20% discount for quick payment. “Ryan” said that was still unworkable fo them and offered $195,000. Unsurprisingly, REvil rejected it outright. “What do you propose then?,” Ryan asked. “Please understand the circumstances we are in. Everything is shut down, we can’t help our patients. Everyday we are down, the worse off we are. We need to purchase the tool quickly and in good faith, already hired a broker in the US to assist us and sent him some funds so he can buy crypto quickly for you.” REvil’s answer was not what Ryan likely hoped for: “We have been administrators of your network for a long time and we know how much you are willing to pay. Our latest offer is 700k but that’s all.  Our servers have hundreds of gigabytes of your confidential data. You must understand the seriousness of the situation.” Eventually, after a lot of back-and-forth negotiations, REvil agreed to accept $300,000, but then pointed out that was for payment by Monero and payment by BTC would tack on an extra 10% for the processor. That resulted in more negotiations, with Ryan asking: “Why do you ask for payment in a currency the US can’t pay ?” “If you keep asking stupid questions, you will be banned from this chat,” REvil replied. “Either you pay, or we publish your data in the media with the subsequent sale, you must pass this information to your boss.” Ryan also asked whether REvil would provide them with a copy of the files before they deleted them. REvil refused, stating: “We provide a complete file tree for complete confidentiality after payment arrives at our account, the data is automatically deleted along with the server.”  As he also reiterated that after payment, UnitingCare would receive: – Universal decryptor for your all network – The complete deletion of all your files with our warranty not to use the data for any purpose. – 100% confidentiality of this incident and all terms of the transaction on our part. – Complete audit of your network to prevent similar attacks in the future [Well, we can already see that the second and third promises were not fully kept as DataBreaches.net found some of the files still online and was able to find the terms of their negotiations, etc.] Ryan pressed to get the actual files in addition to the file tree: “We 100% would like the file tree before you delete the files. But if there is any way we can download the files before you delete them, that would be preffered. Is that possible at all?” And that’s when REvil had the absolute chutzpah to respond: “No, this violates our privacy policy. Only file tree” I’ll let that sink in for a minute. Not only does the support person claim that REvil has a privacy policy, but he claims that it prevents them from giving their victims copies of their own files. [In preparing this story, I did try to find a Russian translation for “chutzpah,” but like many Yiddish words or phrases, it’s hard to find an exact equivalent.  “наглость” perhaps?] In any event, after payment was made last month, REvil did provide UnitingCare with what they had previously described as “Part of random lines from the tree file.” There were more than 209,000 files listed. Many of the filenames suggested that they contained patient information for named patients. Although REvil assured Ryan that all files had been deleted, the file tree wasn’t deleted and that appears to reveal patient names and other personal information. DataBreaches.net is providing just a small sample from the file tree, and has redacted individuals’ names. Does UnitingCareDataBreaches.netRead More