The University Hospital New Jersey (UHNJ) in Newark (New Jersey) has finally paid a $670,000 ransom to prevent the publishing of 240 GB of stolen data, including patient info.
In September, systems at the University Hospital New Jersey (UHNJ) were encrypted with the SunCrypt ransomware, threat actors also stolen documents from the institution and leaked a small portion of them online.
The UHNJ is a New Jersey state-owned teaching hospital with over 3,500 employees that was established in 1994. The hospital has a $626 million budget with over 172,000 annual outpatient visits.
SunCrypt ransomware operators first appeared in the threat landscape in October 2019, and over the past few months, they launched a dedicated leak site where they started publishing the data stolen from the victims.
BleepingComputer first reported the attack on the UHNJ, the SunCrypt Ransomware leaked a 1.7 GB archive containing over 48,000 documents, they claimed to have stolen 240 GB of data.
“This data leak includes patient information release authorization forms, copies of driving licenses, Social Security Numbers (SSNs), date of birth (DOB), and records about the Board of Directors.” reported Bleeping Computer.
A BleepingComputer’s source informed about the incident revealed that an employee of UHNJ was infected with the TrickBot trojan at the end of August before the ransomware attack took place.
The hospital contacted the ransomware operators via their Tor payment site, according to BleepingComputer the initial ransom demand was $1.7 million. Anyway, the threat actors were open to a negotiation of the ransom “due to COVID-19 situation.”
“We want to prevent any further leakage of our data and that is why we are here talking with you,” UHNJ told the ransomware operators.
The two parts finally agreed to pay a ransom of $672,744, approximately 61.90 bitcoins on September 19th.
SunCrypt ransomware operators provided to the University Hospital New Jersey a decryptor, the stolen data, a security report, and an agreement not to disclose any stolen data or attack UHNJ again.
The report states that the entry point was a phishing email that tricked an employee into providing the network credentials that allowed the attackers to log into UHNJ’s Citrix server and gain access to the network.
(SecurityAffairs – hacking, University Hospital New Jersey)