Ragnar Locker gang leaks data stolen from Israel’s Mayanei Hayeshua hospital

The Ragnar Locker ransomware gang added Israel’s Mayanei Hayeshua hospital to the list of victims on its Tor leak site.

The Ragnar Locker ransomware gang claimed responsibility for an attack on Israel’s Mayanei Hayeshua hospital. The cybercrime group claims to have stolen 1 TB of data from the hospital and threatens to leak it.

The message published by the gang on its leak site emphasizes that they didn’t encrypt data to avoid causing malfunctions to the hospital’s medical equipment.

However, the ransomware gang discovered serious vulnerabilities in the hospital network that allowed them to download hundreds of gigabytes of data.

Stolen data include personal information, internal emails, finances, medical cards and more sensitive information.

Below is the message published by the group:

"First of all, we want to emphasize that since this is a medical institution - we didn't run any encryption to avoid equipment malfunctions, or necessary instruments. However, serious vulnerabilities allows us to download a lot of data and someone else in our place could use such vulnerability in any other way.
We tried to draw their attention to the network issues and called them for discussion. Instead of the dialogue, they decided to play tricks with us, they even tried to catch us with phishing. Come on guys, seriously?
So, after multiple attempts to contact with management of MYMC, it becomes clear for us, that management of MYMC doesn't care about the privacy of own patients, sad to state this fact but it's true.
Today we are posting the first batch of MYMC internal files, you can find among those a lot of personal information, internal emails, finances, medical cards and more of highly sensitive data.
But this is not all, in next 3-4 days we will upload to public view full SQL database and huge bunch of .pst files with internal correspondence.
Expect for the updates and keep your privacy in your own hands."

The network of Israel’s Mayanei Hayeshua hospital was hacked in early August. The attack disabled the hospital’s administrative computer systems, but did not impact the operations of any medical equipment.

The Ragnar Locker ransomware gang claims to have attempted to get in touch with the administration of the MYMC, but says that someone involved in the discussion with the crooks attempted to unmask them with phishing.

The ransomware gang claims that the hospital doesn’t care about the privacy of its patients.

In March 2022, the US Federal Bureau of Investigation (FBI) and CISA published a flash alert to warn that the Ragnar Locker ransomware gang breached the networks of at least 52 organizations across 10 critical infrastructure sectors. The ransomware operation has been active since late December 2019. This is the second time that the FBI has shared IoCs related to the RagnarLocker operation; the FBI first became aware of this threat in April 2020.

“As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors,” reads the FBI’s flash alert. “RagnarLocker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention.”

The flash alert provides details on attack infrastructure, Bitcoin addresses used by the gang to receive the payments of the ransom from the victims, and email addresses used by the gang’s operators.

Pierluigi Paganini
