A recently emerged ransomware gang claims to have successfully gained access to the systems of a US plastic surgeon's clinic, leaking patients' pre-operation pictures in an effort to hurry a ransom payment.
The group, calling itself Hunters International, has claimed attacks on only two victims so far, with the first – a UK primary school – appearing earlier this month.
Security experts have linked Hunters to the shuttered Hive group, which was dismantled through a coordinated international law enforcement operation in January.
After its alleged attack on a US surgeon's clinic, the group appears to be using a particularly aggressive tactic to speed up ransom negotiations that will likely be perceived as crossing a moral line, even for cybercriminals.
Hunters International shared four images of individuals whom it says are patients of Dr Jaime Schwartz – a plastic surgeon with offices in Beverly Hills and Dubai – as "proof" of the 248,245 files it claims to have stolen from the clinic.
According to the group's leak site, it's preparing to send bulk emails to the clinic's patients as another scare tactic designed to hasten proceedings.
Posting a follow-up update, the group published the names, addresses, photos, and in some cases videos of alleged patients in what it's calling the first of three full disclosures.
The clinic did not respond to The Register's request for comment.
How low can you go...
"It is a very low-ball extortion pressure tactic that has been used before by BlackCat, which exposed cancer and breast augmentation photos," cybersecurity expert and researcher Dominic Alvieri told The Register.
"It is a really scummy move that I'm sorry to say we will be seeing more and more of."
The morally questionable tactic comes a week after the BlackCat ransomware group alleged that it would start calling patients of a community hospital it attacked, in another apparent effort to ensure it secured a quick ransom payment.
After claiming an attack on Morrison Community Hospital in Illinois, it said: "Given that we haven't received a clear response from MCH representatives, we've decided to release a teaser [sample of data] and initiate patient calls shortly. The hospital's leadership has 48 hours to comply with our demands."
Other ransomware groups are keen to show a degree of apparent "morality" when it comes to their targets. LockBit, for example, is among the most prolific groups operating currently, but has routinely stepped in when its affiliates breach organizations it deems ethically off-limits.
Earlier this year it apologized for an affiliate's attack on SickKids, Canada's largest children's hospital, and posted but quickly removed a listing last week for the Cerebral Palsy Associations of New York State.
"I'd say the 'line' is drawn by each group," Victor Acin, threat intelligence labs head at Outpost24, told The Register. "Some avoid healthcare institutions to avoid putting in danger the lives of other human beings, but others simply see this as an opportunity they can leverage to make more money.
"In many cases, leaks of information related to confidential and sensitive information can carry heavier fines for the breached company, as it implies that they have not taken the necessary measures to secure such sensitive data, and so it is used to squeeze their targets a bit more."
Rebuilding the Hive?
Independent cybersecurity researchers have made early links between Hunters International and the former Hive group - previously one of the most prominent ransomware gangs.
Its leak site was first spotted on October 20 by malware analyst Andrey Zhdanov, who noted that a Hunters International ransomware sample uploaded to VirusTotal indicated a match with Hive's v6 payload.
A separate Intezer scan of the sample from another researcher revealed code overlaps with the Hive family and also SophosEncrypt - a ransomware that aims to mimic the legitimate security company Sophos. The same researcher said their analysis indicated a more than 60 percent match when looking at the code similarities between Hive and Hunters International.
"On October 20, 2023, a new double extortion ransomware group calling itself Hunters International was discovered," Zscaler ThreatLabz told The Register.
"Upon further examination, the ransomware was determined to be based on Hive (version 6), sharing about 60 percent of the same code.
"In addition, the ransom note contained a link to a victim ransom portal that has almost identical backend code to Hive with a new theme. This likely indicates that the former Hive ransomware group has either rebranded as Hunters International or sold the code to another threat group."
Confirming these suspicions, Hunters International issued a statement in the early hours of Tuesday morning, denying any links to Hive itself, instead confirming that it had bought the gang's source code.
"We started to see that someone falsely decided that we are successors of the Hive ransomware group based on a 60 percent similarity of encryption code," Hunters International said.
"All of the Hive source codes were sold, including the website and old Golang and C versions, and we are those who purchased them. Unfortunately for us, we found a lot of mistakes that caused unavailability for decryption in some cases. All of them were fixed now.
"As you may see here, encryption is not our primary goal, that's why we didn't do it by ourselves."
The existence of code similarities doesn't always mean a firm connection between groups can be established. In addition to being sold, as in the case of Hive, ransomware groups' payloads are leaked often, and so code can be lifted, modified, and used by entirely different groups.
For example, Sophos X-Ops recently thwarted a ransomware attack that sought to exploit vulnerabilities in WS_FTP, and during its analysis the researchers found evidence of stolen code from LockBit's third strain, which was leaked last year.
Rather than it being an attack started by the LockBit group itself, the evidence pointed to a brand new, inexperienced group using the more established gang's code. ®