Planned Parenthood of Montana confirms to Cybernews it has been breached – just hours after the RansomHub ransomware cartel claimed responsibility for the attack on Wednesday.
RansomHub – a fledgling ransomware group that has been racking up victims on the daily since February – claimed the non-profit on the front page of its dark leak blog on Wednesday morning.
The ransomware gang posted it had stolen nearly 100 gigabytes of sensitive data from the multi-center organization, along with several samples of alleged exfiltrated files.
A statement sent to Cybernews from Martha Fuller, the CEO and President of Planned Parenthood of Montana, confirmed Wednesday the non-profit organization had been breached last month.
“On August 28th, 2024, Planned Parenthood of Montana (PPMT) identified a cybersecurity incident affecting our IT systems,” Fuller said.
During the incident, Fuller said IT staff had “immediately implemented” the organization’s incident response protocols, which included “taking portions of our network offline as a proactive security measure.”
Fuller stressed that its “investigation is ongoing” and that Planned Parenthood was “aware of the RansomHub post.”
In typical fashion, the cybercriminal cartel has given Planned Parenthood seven days to negotiate a ransom demand, threatening to leak the 93GB of stolen files on the dark web – and most likely selling them to the highest bidder if PPMT doesn't pay up.
“[We] want to assure our community that we are taking this matter very seriously. We have reported this incident to federal law enforcement and will support their investigation,” Fuller said.
The non-profit women’s reproductive health organization has been operating in the northwestern state of Montana for over 50 years, managing five health centers across the 'Big Sky' state, plus virtual telehealth visits.
According to its website, Planned Parenthood of Montana provides care “to thousands of patients each year,” including the LGBTQIA2S+ community, and is headquartered in the metropolitan city of Billings.
Ransomware gang provides samples
The samples RansomHub posted appear to contain financial budgetary records from 2024, purported documents from an ongoing court case with the Missoula County Detention Facility, and a PPMT certificate of liability insurance.
Also included in the cache is payroll information for both the “Intermountain Planned Parenthood” (its corporate name) and its affiliated and well-funded political advocacy group, the “Planned Parenthood Advocates of Montana.”
The Planned Parenthood Advocates of Montana, which boasts its own social media profile on X, is listed as a non-profit, non-governmental organization paid for “in part by Planned Parenthood Votes” located in New York City.
Planned Parenthood Votes is a volunteer call-to-action group focused on abortion rights issues for the upcoming November elections, and not surprisingly, championing Democratic presidential nominee US Vice President Kamala Harris, while campaigning against the Republican party and presidential opponent Donald Trump.
Fuller said the organization was grateful to its IT staff and cybersecurity partners for “working around the clock to securely restore impacted systems as quickly as possible, and who are tirelessly investigating the cause and scope of the incident.”
The PPMT President and CEO also thanked its providers and health center staff for “minimizing any operational disruptions and continuing to provide care to our patients.”
“We appreciate our community’s patience and understanding as we work to address this incident,” she said.
Who is RansomHub?
RansomHub is a relatively new player in the ransomware ecosystem, having posted its first victim on February 26th, 2024.
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint advisory about the RansomHub gang on August 30th, triggered by its accelerated climb as one of the most active ransomware groups so far this year.
Threat intelligence researchers at Searchlight Cyber say RansomHub is now “ranked third among the most prolific ransomware groups of H1 2024” and that the gang’s rapid rise suggests “possible connections to established players like BlackCat,” according to the firm's newly released ransomware report.
RansomHub victims include various organizations, from critical infrastructure to private corporations in the US, including the oilfield servicing company Halliburton, allegedly breached by the gang in early August, as well as the US drug store chain Rite Aid in July.
According to the CISA advisory, which provides a full list of known IOCs, including IP addresses, tools, known URLs, email addresses, and more, the cybercrooks are said to have breached at least 210 victims since February, a rate of almost one victim per day.
Known for operating a ransomware-as-a-service (RaaS) model and using double extortion tactics, the group became a main player in the aftermath of UnitedHealth's massive Change Healthcare breach, carried out by the ALPHV/BlackCat ransomware gang.
RansomHub – thought to be one of the main affiliates connected to ALPHV/BlackCat at the time – claimed to have published a swath of files allegedly part of what was obtained during the Change Healthcare hack.
“Its representatives have been spotted recruiting affiliates on dark web forums, offering a fixed 10 percent fee and the option to collect ransom payments directly from victims before paying the core group,” Searchlight Cyber researchers said.
“Its ‘affiliate-friendly’ model could also be seen as a direct response to BlackCat’s retirement,” the researchers noted.
The Russian-linked ALPHV/BlackCat perpetrated its “exit scam” back in March by “taking the entire [$22 million] ransom payment from Change Healthcare without properly compensating the [RansomHub] affiliate responsible for the attack,” researchers explained.
Additionally, the Searchlight Cyber white paper shows that “most of RansomHub’s victims are located in the United States,” further supporting this conclusion.
The group’s setup has been shown to closely resemble that of traditional Russian ransomware operations, with the gang avoiding targets in Russia, CIS countries, Cuba, North Korea, and China – typical of Kremlin-backed gangs.
RansomHub breach victims in the first half of 2024 include gaming laptop-maker Clevo, the high-profile Christie’s auction house, and Frontier, the fourth-largest high-speed internet provider in the US, covering 25 states.