McLaren Health Hit With Ransomware for Second Time in a Year
Clinicians Say Current Hack More Disruptive Than 2023 Attack
Michigan-based McLaren Health Care is dealing with its second cyberattack in less than a year, disrupting IT systems and patient services at its 13 hospitals and other medical facilities.
The INC Ransom group claimed credit for the latest attack, which McLaren detected on Tuesday. A photo of the ransom note, allegedly from INC Ransom, taken by a McLaren worker earlier in the week was posted on X, formerly Twitter.
Last year, the Russian-speaking ransomware gang BlackCat/Alphv claimed to have stolen 6 terabytes of data from McLaren Health, compromising sensitive information of more than 2 million patients. McLaren Health has not publicly disclosed whether it paid a ransom to BlackCat (see: Group Claims it Stole 2.5 Million Patients' Data in Attack).
"Organizations that have been ransomed by attackers are more likely to be targeted again - regardless of if they paid ransom or not," said former healthcare CIO David Finn, executive vice president of consultancy First Health Advisory. "Certainly, if you pay the ransom, you are more likely to be hit by a second attack, often by the same threat actor. In cases where a ransom was paid in an initial attack, almost 80% of those organizations were hit again," he said.
In August 2023, McLaren Health said it discovered "suspicious activity" and a month later the Russian-speaking Alphv cybercrime gang, also known as BlackCat, claimed on its dark web site to have stolen "sensitive data" of 2.5 million McLaren patients. The threat actor at the time claimed its "backdoor is still running" on McLaren's network.
A McLaren Health spokesman told Information Security Media Group the latest incident is "unrelated to last year's attack." He declined ISMG's request for additional details about the two attacks.
McLaren Health medical staff members told Information Security Media Group that unlike the incident last year, which appeared to mainly focus on data theft, this attack so far seems to be causing longer and more serious IT disruptions that are affecting clinical workflows and potentially patient safety.
"There's no access to EMRs. McLaren is asking patients to bring in printouts of their medical information. Doctor can't log in. There are new nurses starting out their careers who have never used paper records in their entire lifetimes," said Dina Carlisle, a critical care registered nurse at one of McLaren's hospitals. "This is a patient safety matter."
Carlisle is also president of the RN Staff Council of the Office and Professional Employees International Union Local 40 in Macomb Township, Michigan, which represents nurses, radiological technologists and other medical professionals.
"We will be sending a petition to McLaren for more staffing and daily updates on the situation," she said. The union sent a similar petition in June to Ascension when that Missouri-based hospital chain was also dealing with a highly disruptive ransomware attack (see: Union Demand Patient Safety Fixed in Ascension Cyber Outage).
Carlisle worked at McLaren Health during last year's attack by BlackCat/Alphv. "That last one wasn't as bad as this one" in terms of the level of disruption to clinical IT systems, she said. "This is new to us."
Attack Details
McLaren Health in a statement posted Wednesday on its website "confirmed" that the disruption to its IT systems and phone systems was the result of a criminal cyberattack.
"Our information technology team continues to work with external cybersecurity experts to analyze the nature of the attack and mitigate the impacts of the threat actors. At this time, we have not determined if any patient or employee data was compromised," McLaren Health said.
McLaren Health said that immediately upon becoming aware of the attack, its hospitals and outpatient clinics instituted downtime procedures to ensure patient care delivery.
"Several information technology systems continue to operate in downtime procedures while we work to fully restore functionality to our system. We have policies and procedures in place and train for information technology disruptions," McLaren Health said.
For a short period earlier in the week, McLaren diverted some ambulances away from some affected hospitals and canceled some appointments because physicians couldn't access radiology reports, laboratory test results or orders for additional testing and procedures, reported the Detroit Free Press.
McLaren's statement Wednesday said that its facilities "are largely operational and able to care for our communities" while it works to fully restore its operations.
"Our emergency departments continue to be operational, most surgeries and procedures continue to be performed, and our physician offices continue to see as many patients as possible. During this time of limited access to our systems, and out of an abundance of caution, some non-emergent appointments, tests and treatments are being rescheduled."
McLaren also said it is actively working with its vendor and insurance providers to ensure that the entity's supply chain is not affected and that insurance authorizations are processed for care and treatments.
McLaren is facing several proposed class action lawsuits related to last year's attack (see: McLaren Health Facing 3 Lawsuits in Ransomware Hack).
Unfortunately, it is becoming increasingly common for companies to fall victim to one threat group, and then another, said Raj Samani, senior vice president and chief scientist at security firm Rapid7. "A key consideration will always be whether the vulnerabilities that allowed initial access are addressed," he said.
"Over the last 18 months, we’ve observed a trend toward a more fluid activity level between ransomware groups. They are sharing code and affiliates are moving freely from one group to another," he said.
"All organizations, regardless of size or industry, must have a complete understanding of their attack surface so they can remain out of scope for what is still a primarily opportunistic criminal activity."
Some security researchers say BlackCat is a spinoff of the now-defunct Conti ransomware group. The INC Ransom gang, which first emerged in July 2023, appears to be one of many "subgenres" of Conti's Team1, known as Zeon, according to Yelisey Bohuslavskiy, co-founder and chief research officer at threat intelligence firm RedSense.
Security firm Cybereason in a recent threat alert said INC Ransom appears to have attack tactics similar to other ransomware groups.
"The group uses compromised credentials to gain access to a victim environment and move laterally using remote desktop protocol. When compromising new machines, another credential theft command occurs using the scripts," the report said.
"Eventually, the operators deploy the ransomware using WMIC and PSEXEC. In order to exfiltrate data, the group was observed using the MegaSync tool, which has also been used by other ransomware group affiliates," the report said.
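The Cybereason description above amounts to a short chain a defender can watch for: a valid account logging on over RDP to host after host, a remote service install or WMIC call that lands the payload, and a consumer sync client doing the exfiltration. The script below is an added example, not code from the article, Cybereason or McLaren; it runs three such heuristics over constructed Windows event records (4624 RemoteInteractive logons, 7045 service installs, 4688 process creations) and the thresholds, field names and sample hosts are assumptions chosen for illustration.

```python
"""Detection heuristics for the tradecraft described in the Cybereason alert:
credential-based RDP lateral movement, remote execution via PsExec/WMIC,
and exfiltration with MegaSync. All events below are constructed samples."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a flattened form (assumed field names, not
# a real SIEM schema). Timestamps are ISO 8601 on the destination host.
SAMPLE_EVENTS = [
    {"ts": "2024-08-06T02:10:11", "host": "WS-0142", "id": 4624, "logon_type": 10,
     "user": "svc_backup", "src_ip": "10.20.5.17"},
    {"ts": "2024-08-06T02:14:40", "host": "FS-01", "id": 4624, "logon_type": 10,
     "user": "svc_backup", "src_ip": "10.20.5.17"},
    {"ts": "2024-08-06T02:19:03", "host": "DC-02", "id": 4624, "logon_type": 10,
     "user": "svc_backup", "src_ip": "10.20.5.17"},
    {"ts": "2024-08-06T02:25:30", "host": "FS-01", "id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2024-08-06T02:26:02", "host": "FS-01", "id": 4688, "user": "svc_backup",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"DC-02" process call create "cmd /c \\FS-01\share\enc.exe"'},
    {"ts": "2024-08-06T02:40:15", "host": "FS-01", "id": 4688, "user": "svc_backup",
     "image": r"C:\Users\svc_backup\AppData\Local\MEGAsync\MEGAsync.exe",
     "cmdline": "MEGAsync.exe"},
    # Benign noise: one admin RDP session to a single host during business hours.
    {"ts": "2024-08-06T09:02:00", "host": "WS-0007", "id": 4624, "logon_type": 10,
     "user": "jdoe", "src_ip": "10.20.9.4"},
]

RDP_HOST_THRESHOLD = 3                 # distinct hosts reached by one account ...
RDP_WINDOW = timedelta(minutes=30)     # ... within this window (tuning assumption)
WMIC_REMOTE = re.compile(r"wmic(\.exe)?\s+/node:", re.IGNORECASE)
WMIC_CREATE = re.compile(r"process\s+call\s+create", re.IGNORECASE)
EXFIL_TOOLS = ("megasync.exe", "megacmd.exe", "megaclient.exe")  # lowercase basenames


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_rdp_spread(events):
    """One account opening RemoteInteractive (type 10) sessions on many hosts quickly."""
    findings, by_user = [], defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 10:
            by_user[e["user"]].append(e)
    for user, logons in by_user.items():
        logons.sort(key=_ts)
        for i, first in enumerate(logons):
            hosts = {e["host"] for e in logons[i:] if _ts(e) - _ts(first) <= RDP_WINDOW}
            if len(hosts) >= RDP_HOST_THRESHOLD:
                findings.append({"rule": "rdp_lateral_movement", "user": user,
                                 "hosts": sorted(hosts), "src_ip": first["src_ip"]})
                break  # one finding per account is enough to raise the alert
    return findings


def detect_remote_exec(events):
    """PsExec service install (7045) or a remote 'wmic /node: ... process call create'."""
    findings = []
    for e in events:
        if e["id"] == 7045 and "psexesvc" in e.get("image_path", "").lower():
            findings.append({"rule": "psexec_service_install", "host": e["host"]})
        elif e["id"] == 4688:
            cmd = e.get("cmdline", "")
            if WMIC_REMOTE.search(cmd) and WMIC_CREATE.search(cmd):
                findings.append({"rule": "wmic_remote_process_create", "host": e["host"],
                                 "user": e["user"], "cmdline": cmd})
    return findings


def detect_exfil_tool(events):
    """Execution of a MEGA sync client, matched on the image basename."""
    findings = []
    for e in events:
        if e["id"] != 4688:
            continue
        basename = e.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in EXFIL_TOOLS:
            findings.append({"rule": "megasync_execution", "host": e["host"],
                             "user": e["user"], "image": e["image"]})
    return findings


def detect(events):
    """Run all three heuristics; findings come back in chain order."""
    return detect_rdp_spread(events) + detect_remote_exec(events) + detect_exfil_tool(events)


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Two caveats when adapting this to real telemetry: the 4624 and 7045 events are written on the destination host, so the RDP rule only works once logs are forwarded centrally, and PsExec's service name and binary can be renamed by the operator, so a production rule should also flag any 7045 whose image path points at the ADMIN$ share or an unsigned binary rather than matching on "PSEXESVC" alone.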
As of Thursday, dark web monitoring firm DarkFeed.io counted 149 INC Ransom victims.
Bad Luck?
As for McLaren Health falling victim to a second ransomware attack within a year's time, several factors could contribute to that outcome, "starting with bad luck," said Toby Gouker, chief security officer for government and digital health at consulting firm First Health Advisory.
"Bad luck can be exacerbated by underpowered security measures, a rapidly increasing threat surface, inability to find a quick source of corrective funding, and the proliferation of ransomware-as-a-service where even the least sophisticated attacker can achieve success when they see public evidence of a vulnerable organization," he said.
It is also possible for attackers to remain in a system after an incident, "but it is not likely that they would hand over operations to another organization," he said.
"We have seen many enterprise-level business activities on the dark web: selling validated, high-limit credit cards, selling clean X-ray images, RaaS, etc. But we do not have evidence of a business model where an attacker hands off an active exploit."