After the ‘Hunters International’ ransomware operation attacked Fred Hutchinson Cancer Center, threat actors began demanding payments from individual patients via direct emails. The hospital is the latest victim of the cybercriminal gang, which first appeared in October 2023.
THE HEADLINE
Cancer patients in the Seattle area recently faced an unexpected challenge related to the facility where they received treatment: ransom demands from threat actors who attacked the Fred Hutchinson Cancer Center (FHCC). The attack affected FHCC’s parent entity the University of Washington (UW). The blackmail demands were related to an FHCC data breach in mid-November 2023 perpetrated by Hunters International, a ransomware-as-a-service (RaaS) operation that has posted 20 victims on its dedicated leak site (DLS) since emerging in October 2023. To date, Hunters International has demanded multi-million dollar ransoms from victims in the U.S., Europe, and Asia.
While FHCC denied that attackers stole patients’ personal data, individuals who were treated for cancer at FHCC or through UW began receiving emails demanding payments of $50 to prevent the sale of their personal information on the dark web. According to one UW patient who spoke to the local media, the email stated that 800,000 patient records had been leaked, accusing the FHCC of refusing “to make a deal” (i.e., pay a ransom) to protect patients’ information. The patient added that he had not received a data breach notice from UW when he received the ransom demand.
FHCC advised patients not to pay the extortionists, which is consistent with the prevailing advice of law enforcement. FHCC also set up a call center to address patients’ concerns related to the data breach, reporting that around 300 people had called within a week of FHCC’s breach notice on December 1, 2023. Some of the callers received extortion emails.
Hunters International is a relatively new RaaS gang that has been linked to the now-shuttered Hive ransomware operation. Hunters International maintains a state-of-the-art DLS with sections dividing victims by their location, exfiltration/encrypted status, and valuation. The group has set its sights on “big game” victims, including a recent attack on American ship manufacturer and government contractor Austal USA.
Hunters International has also targeted multiple medical facilities, a tactic specifically disavowed in the past by ransomware powerhouse LockBit. Indeed, in December 2022 LockBit disclaimed an attack on the Hospital for Sick Children (SickKids) in Toronto, Canada because the incident violated its so-called “code of ethics,” which the gang claimed prevents attacking medical sector victims. Specifically, LockBit said one of its affiliates “mistakenly” attacked SickKids, after which the group formally apologized and provided a free decryptor, claiming the affiliate was blocked for violating the gang’s rules.
DIVING DEEPER
It appears that an internal portal (staff login), may have been the point of initial access for the attack. The stolen data also appeared to include employee personal information, physical plant information (floor plan/blueprints), and purchase orders.
While the Hunters International DLS currently has entries related to 20 victims, the FHCC post no longer appears on the gang’s leak site. Initially, the post threatened to leak 533.1 GB of data allegedly stolen from FHCC’s networks. Hunters International provided no explanation for the removal of the DLS post related to the FHCC attack, which received coverage on multiple open source (OSINT) news sites.
One possibility is that Hunters International removed the post after selling the data to third parties after FHCC refused to pay the ransom. These third parties may now be attempting to blackmail cancer patients treated by FHCC/UW. This scenario is consistent with the comparatively low payments that are being demanded from these individuals. Hunters International has attempted to collect multimillion dollar ransoms from victim organizations in the past, so $50 payments from individuals seems to be a step down for the gang.
Another possibility is that a disgruntled RaaS affiliate is now making low level extortion attempts to collect meager profits after breaching a major target (FHCC). Finally, Hunters International itself may be sending the blackmail emails in an attempt to put pressure on FHCC itself to pay the ransom. The fact that the email cites FHCC’s failure to protect its data as the cause of the breach suggests that the RaaS’ operators are sending the emails. Blackmailing cancer patients is creating negative publicity, which ransomware groups frequently try to leverage to pressure victims into paying.
According to the gang, their encryption code bears a significant similarity (60%) to Hive’s code because Hunters International purchased source codes from the now defunct operation. Hunters International added that it also bought source code for Hive’s website and its ransomware in a bid to dispel speculation that it is a possible Hive rebrand.
In the sting that resulted in Hive’s DLS seizure, the FBI acquired decryption keys and secretly distributed 300 of them to victims from whom a combined $130 million in ransom payments was demanded. The FBI provided another 1,000 decryption keys to previous Hive victims. The authorities also infiltrated two specialized servers and one virtual private server located at a California-based hosting provider, in addition to two secondary specialized servers located in the Netherlands that operated Hive’s primary DLS, negotiation site, and web-based management for the gang’s operators and affiliates. It is therefore understandable that Hunters International are keen to distance themselves from Hive where possible.
TAKEAWAYS
Hunters International has carried out a string of attacks on healthcare sector organizations, including FHCC, Medjet, Crystal Lake Health Center, and Covenant Care, among others. While revelations related to blackmailing cancer patients for $50 individual payments raise serious doubts about the RaaS operation’s ability to monetize stolen data, the tactic may also be an innovative strategy by Hunters International to increase pressure on FHCC to pay the ransom.
With the threat posed by gangs such as Hunters International, all organizations should implement robust security standards on their corporate environments to safeguard against attacks.