The Expert's View with Jeremy Kirk


Here's How a Hacker Extorts a Clinic

The Unsettling Tale of How 'The Dark Lord' Shakes Down Targets

Security experts are sounding alarms about extortion attempts, where hackers steal data and then threaten to publicly release it unless a fee is paid. Unlike attacks involving file-encrypting ransomware, these kinds of incidents don't result in total system blackouts, which in recent months have forced hospitals and universities to reveal their woes.


The following is an unsettling tale told from an inside view - that of the hacker who is claiming to have breached several healthcare organizations (see 4 Stolen Health Databases Reportedly for Sale on Dark Web).

The hacker, going by the name The Dark Lord, is offering healthcare databases for sale on The Real Deal underground market on the dark web. I decided to communicate with the person claiming to be this hacker to shed light on his tactics and help others avert breaches.

For the last two weeks, I've been in intermittent contact with the apparent hacker, who has described to me how he accomplished the alleged breaches, including a very detailed description of an ongoing extortion attempt against one clinic.

It's important to keep in mind that it is difficult to verify many elements of what the hacker says. We've chatted five times since June 15 over encrypted instant messaging, and his identity is unknown to me. He's also apparently been talking to several other publications, trickling out details of his escapades.

I'm going to focus on one of his alleged hack attacks, which targeted a small orthopedic clinic in the United States. I'm not naming the clinic, which likely has reached out to law enforcement and is scrambling to figure out how to deal with the extortion demand.

Details of a Clinic Hack

The hacker claims he has copied all of the clinic's Microsoft Access databases, which contain sensitive identification and medical data. He asked the clinic to pay 250 bitcoins - about $165,000 - by July 8, or else he will publicly release the data. He's since dropped the price to 60 bitcoins, or $39,460, on his advertisement on The Real Deal.

"I do not feel bad or guilty about any of this," he told me in a chat on June 17. "If anything, I am furthering the enhanced security and development of new protections."

The hacker shared with me 47,865 records he claims he obtained from the clinic's network. Those records include, for example, names, full addresses, birth dates, Social Security Numbers, marital status and phone numbers.

He also sent a select batch of PDFs containing scans of driver's licenses and insurance cards, some of which show crumpled corners from being stored in wallets. The insurers include Medicare, UnitedHealthcare, BlueCross BlueShield, Monitor Life Insurance Co. of New York, Humana, Mutual of Omaha Insurance Co., and Coventry Health Care, among others.

Other screenshots he provided of the clinic's system showed database tables that read "LabTests," "DeniedClaimsTracker" and "Dialysis."

Medical records are highly sought after by hackers. The records often contain not only the usual information that can be used for identity theft, but also a trove of highly personal data, such as medications, diagnoses and even illnesses that are common throughout a person's family.

Reaching Out to Victims

To help determine whether the hacker's data is valid, I reached out to several individuals whose data was in the batch of data the hacker provided.

One man, whose driver's license scan is included in the batch, confirmed to me in a phone call that he had visited the clinic about two months ago. He also says his Social Security number and birthdate, included in a separate file, were accurate.

I reached several other people with information in the hacked data, most of whom have addresses in the general region of the clinic. Justifiably, many were wary of a journalist reciting their Social Security numbers over the phone, and some were quite confrontational. After I spoke to one man, his furious wife called me back and asked, "How do I know you're not the hacker?" Fair question.

Some people refused to confirm their information, while others were more accommodating. One man said his Social Security number and address were correct but his birthdate was wrong, which could be due to a data entry error. Many phone numbers listed in the batch of hacked data were also disconnected. The hacker says the records date back to when the clinic opened in 2001, so it's likely many addresses and phone numbers are inaccurate.

Extortion Attempt

The hacker tells me he is trying to obtain a ransom from the clinic. In mid-June, he sent a chilling ransom letter by email to the clinic's founder, which he provided to me. The ransom note states: "We have hacked your network and we have everything, including your valuable electronic patient records." The letter is more than 2,000 words long, names family members of the clinic's founder and includes some of their Social Security numbers.

"Remember that because we are honest people, nothing will happen to you or anyone you know if you comply with our demands," the note reads. "Oh and by the way, we advise that you keep all of this to yourself for you and your loved one's sake."

So how does the alleged hacker say he breached the clinic? He tells me he knows of a zero-day vulnerability (one for which there is no software patch from a vendor) in Remote Desktop Protocol, which ships with Windows computers and servers. RDP is incorporated into a variety of remote access client programs.

A zero-day vulnerability in RDP would be highly valuable in the cybercriminal underground, but I question whether the hacker is telling the truth. He has not described how he discovered the RDP zero-day flaw or obtained it.

"I can get in about any network running RDP client," he claims.

A more plausible explanation is that the clinic might have left an RDP client open to the Internet. If that happened, it would be possible for the hacker to brute force his way in by trying many combinations of login credentials or by using stolen credentials that were recently available for sale on the dark web (see Xdedic: What to Do If Your RDP Server was Pwned).
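As an added illustration (not part of the original reporting, and not data from the clinic), the Python below shows how a defender could review Windows logon records for the two scenarios just described: repeated failed RDP logons from one Internet address, and a successful RDP logon from outside the network that may reflect stolen credentials. The event tuples, account names, addresses and thresholds are constructed assumptions; event IDs 4624/4625 and logon types 3 and 10 are the standard Windows values.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# RFC 1918 ranges treated as "inside"; anything else counts as Internet-sourced.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_LOGON_TYPES = {3, 10}  # 10 = RemoteInteractive, 3 = Network (RDP with NLA)

# Constructed sample data: (time, event ID, logon type, source IP, account).
# 4625 = failed logon, 4624 = successful logon. IPs are documentation ranges.
SAMPLE_EVENTS = (
    [(f"2016-01-01T02:00:{s:02d}", 4625, 3, "203.0.113.7", "administrator")
     for s in range(0, 60, 5)]
    + [("2016-01-01T02:01:10", 4624, 10, "203.0.113.7", "administrator"),
       ("2016-01-01T09:15:00", 4624, 10, "192.168.1.20", "frontdesk"),
       ("2016-01-01T23:40:00", 4624, 10, "198.51.100.23", "billing")]
)

def is_external(ip):
    """True when the source address is outside the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def review_rdp_logons(events, threshold=10, window=timedelta(minutes=5)):
    """Return (finding, source_ip, account) tuples for suspicious RDP logons."""
    failures = defaultdict(deque)  # source IP -> failure times inside the window
    guessing = set()               # source IPs that crossed the failure threshold
    findings = []
    for ts, event_id, logon_type, ip, account in sorted(events):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        when = datetime.fromisoformat(ts)
        if event_id == 4625:
            recent = failures[ip]
            recent.append(when)
            while when - recent[0] > window:   # drop failures older than window
                recent.popleft()
            if len(recent) >= threshold and ip not in guessing:
                guessing.add(ip)
                findings.append(("password_guessing", ip, account))
        elif event_id == 4624 and is_external(ip):
            # Any Internet-sourced RDP success means the service is exposed;
            # one that follows a burst of failures is the more urgent case.
            kind = "success_after_guessing" if ip in guessing else "external_rdp_logon"
            findings.append((kind, ip, account))
    return findings

if __name__ == "__main__":
    for finding in review_rdp_logons(SAMPLE_EVENTS):
        print(finding)
```

A successful logon from an external address with no preceding failures is reported separately because valid stolen credentials produce no failed attempts to count.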

Clinic Officials Not Talking

I called the clinic and spoke with the practice manager. She said she'd pass along my details to the clinic's attorney, who has not been in touch. Efforts to reach the clinic again have been unsuccessful.

Even if an organization pays a ransom, there's no real guarantee that the hacker will delete the data. For what it's worth, the hacker told me he keeps all of his pilfered data in separate containers using VeraCrypt, an encryption utility based on TrueCrypt.

"If they pay the ransom, I destroy the data," he says.

If the hacker decides to publicly release the data after the ransom deadline expires on July 8, it means that some of the affected patients could be at risk of identity theft and other fraud. The clinic also is obligated to report the breach under the federal HIPAA breach notification rule.

I'll be monitoring this story as it continues to develop.



About the Author

Jeremy Kirk


Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.



