Tampa General Hospital half thwarts ransomware attack, but still loses patient data

  • Writer: Sadananda Sahoo
  • Jul 25, 2023
  • 2 min read

The Tampa General Hospital (TGH) has promised to reach out to individuals whose information has been stolen by a ransomware group.

In a cybersecurity notice, TGH said it noticed unusual activity on its computer systems on May 31, 2023.

“Fortunately, TGH’s monitoring systems and experienced technology professionals effectively prevented encryption, which would have significantly interrupted the hospital’s ability to provide care for patients.”

While that is good news from a healthcare perspective, the ransomware operators did obtain something of value. An investigation determined that an unauthorized third party accessed TGH’s network and obtained files from its systems between May 12 and May 30, 2023.

Further investigation showed that some patient information was included. The information varied from person to person, but may have included names, addresses, phone numbers, dates of birth, Social Security numbers (SSNs), health insurance information, medical record numbers, patient account numbers, dates of service and/or limited treatment information used by TGH for its business operations.

According to TGH, the criminals did not access the hospital's electronic medical record system.


TGH says it is mailing letters to individuals whose information may have been compromised, and will provide complimentary credit monitoring and identity theft protection services to those whose Social Security numbers were accessed.


Snatch ransomware

On July 18, 2023, the Snatch ransomware group claimed responsibility for the data theft on its leak site.

The group is suspected to operate from Russia. Back in 2019, the group stood out because it deployed a somewhat new technique for ransomware: it forced the affected machine to reboot into safe mode without networking. Safe mode starts Windows in a basic state, using a limited set of files and drivers. It’s intended for troubleshooting, but since many monitoring tools do not run in safe mode, it allowed for an undisturbed and quicker encryption process. By choosing the “without networking” mode, the attackers also ensured that administrators lost sight of the system. The Snatch ransomware added itself as a service that ran in safe mode. Interestingly, the group no longer uses that method.
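A defender can check which services a Windows host is configured to start in safe mode, since that is where a service registered the way described above would appear. This is an added example, not code from the article or from Malwarebytes; it assumes the standard SafeBoot registry keys and a hypothetical baseline file (`safeboot-baseline.txt`) listing the entries you expect on a clean build.

```powershell
# Added example: audit the services Windows will start in Safe Mode.
# Assumes the standard SafeBoot keys; the baseline file path is hypothetical.
$safeBootRoots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',   # Safe Mode (without networking)
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'    # Safe Mode with Networking
)

function Get-SafeBootEntries {
    foreach ($root in $safeBootRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $name = $key.PSChildName
            # The key's default value is "Service" or "Driver" for service entries;
            # device-class GUID entries carry a description string instead.
            $type = (Get-ItemProperty -Path $key.PSPath).'(default)'
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
            $image = $null
            if (Test-Path $svcKey) {
                $image = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
            }
            [pscustomobject]@{
                Mode      = Split-Path $root -Leaf
                Entry     = $name
                Type      = $type
                ImagePath = $image
            }
        }
    }
}

# Two heuristics worth reviewing: a service (not a driver) whose binary lives outside
# the Windows directory, or any entry that is not in your known-good baseline.
$baseline = Get-Content -Path '.\safeboot-baseline.txt' -ErrorAction SilentlyContinue
Get-SafeBootEntries | Where-Object {
    ($_.Type -eq 'Service' -and $_.ImagePath -and
        $_.ImagePath -notmatch '(?i)(\\Windows\\|SystemRoot|system32)') -or
    ($baseline -and ($_.Entry -notin $baseline))
} | Format-Table -AutoSize
```

Run it from an elevated prompt; an empty result means every safe-mode service entry is in the baseline and points into the Windows directory.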

Their most common attack vectors include brute-force attacks against vulnerable, exposed services such as RDP, VNC (Virtual Network Computing), and TeamViewer. Programmed in Go, the ransomware component is separate from the data stealer. We have not seen the multi-platform capabilities of Go put to use, and only Windows machines are affected.

Malwarebytes detects the Snatch ransomware as Ransom.Snatch.

Source: Malwarebytes Labs.
