Ransomware group strikes second U.S. health care system in the last two months

AvosLocker, a prolific ransomware group that was the subject of a recent joint FBI and U.S. Treasury Department warning, claimed this week that it had hit a Dallas-based nonprofit Catholic health system with more than 600 facilities across four U.S. states, Mexico, Chile and Colombia.

The attack on CHRISTUS Health marks the second health care system AvosLocker targeted in the last two months. Michigan-based McKenzie Health System began notifying customers this week that patients’ personal data had been stolen from the company’s network in a “security incident” that “disrupted” some of its IT systems in March. The company did not identify the attacker, but AvosLocker posted purported McKenzie data to its dark web leak site April 6.

A spokesperson for McKenzie Health System could not be reached for comment.

Katy Kiser, CHRISTUS Health’s director of communications, told CyberScoop Friday that the company’s IT staff learned of “unauthorized access” in one of its regions — which the company refers to as “ministries” — sometime in early May. The company is working with cybersecurity professionals to assess the situation, she said, but so far it appears to be “limited” and said the attack “didn’t impact patient care.”

AvosLocker operates like many other ransomware groups in that it offers ransomware as a service, and works with “affiliates” who target victims and split the proceeds with a core group of developers.

The group was first observed advertising on dark web forums for affiliates on July 4, 2021, according to Palo Alto Networks’ Unit 42. As of March 2022 the group had hit more than 50 organizations around the world, according to a notice posted by cybersecurity firm Hive Pro.

Not much is known about the people behind the group, Brett Callow, a threat analyst at cybersecurity firm Emsisoft who follows the ransomware world closely, told CyberScoop Friday. A notice on the group’s dark web leak site, where the group posts victim data and advertises for new affiliates, said the group doesn’t “allow attacks to post-Soviet Union countries,” but there’s no indication as to the group’s location.

In March the FBI and the U.S. Department of Treasury issued a joint notice about the group with technical details about the group’s ransomware and how organizations can tell if they’ve been hit by the group.

Ransomware attacks targeting health care operators are not uncommon. There have been 254 ransomware incidents targeting facilities providing patient care between June 2020 and April 30 worldwide, according to data collected by the Geneva-based CyberPeace Institute. The organization’s data tracker suggests the incidents occur nearly three times per week in 28 countries. More broadly, the organization’s data counts more than 420 cyberattacks on the health care sector across 37 countries, “which is only a fraction of the full scale of the problem.”

While it’s not fully clear how cyberattacks impact hospitals, a 2021 analysis from the Department of Homeland Security’s Cybersecurity and Information Security Agency found that attacks can lead to patient care issues in the days and weeks after an attack, especially when facilities are already overwhelmed with issues such as COVID-19 care.

There have also been claims that specific incidents have contributed to deaths. A July 2019 ransomware attack on a hospital network in Alabama may have contributed to the death of a newborn, according to a lawsuit filed against the hospital, according to reporting from the Wall Street Journal (the hospital denied any wrongdoing on its part). And in August 2020, a German woman may have died in part because a ransomware attack on a hospital there forced her ambulance to divert to a separate hospital, delaying care — although police couldn’t make a definitive connection.

“Ransomware attacks on health care systems put lives at risk, it’s as simple as that,” Callow said. “And the true impact of attacks on people’s health may not be immediately apparent as delayed care could potentially impact patient’ outcomes weeks, months or even years after the event.”