The Oregon Anesthesiology Group (OAG) reported it was hit by ransomware in July, resulting in critical staff and patient data loss. The data breach affects 750,000 patients as well as 522 current and former OAG staff.
According to a statement, the FBI contacted the firm on October 21. The FBI stated that it obtained an account from HelloKitty, a Ukrainian ransomware gang, that contained OAG patient and employee files. The FBI believes the group took advantage of a flaw in OAG’s third-party firewall, allowing them to access the network.
The July 11 attack locked OAG out of its servers, forcing the firm to restore its systems from off-site backups and rebuild its IT architecture from the ground up. Outside cybersecurity specialists were hired to assist with the investigation into the hack.
Since then, the firm has upgraded its multifactor authentication system and changed its third-party firewall. Experian identity protection and credit monitoring will be offered for 12 months to victims of the event.
The Oregon Anesthesiology Group also advised victims to be on the alert for scammers and to enroll in Experian’s IdentityWorks program, which includes up to $1 million in identity theft insurance. According to the OAG, anyone whose Social Security number was exposed should create a my Social Security account with the Social Security Administration, which will enable them to reclaim their SSN.
The HelloKitty ransomware, according to prior reports, has been active since at least 2020 and mainly targets Windows computers, with some variants targeting Linux systems. There have been other HelloKitty spinoffs, including Vice Society and a new undisclosed ransomware strain. In October, the FBI issued a warning about the group, stating that it was becoming notorious for using the double extortion approach to aggressively pressure its victims.
According to the FBI, the gang often gains initial access through compromised credentials or known weaknesses in SonicWall products. Once inside the network, the operators map the network and escalate privileges using publicly accessible penetration testing suites such as Cobalt Strike, Mandiant’s Commando, or PowerShell Empire, which come packed with publicly available tools like BloodHound and Mimikatz, before exfiltrating data and encrypting systems.