Cyber hit on California hospital involves ransomware, says gang


The INC Ransom group is claiming a nearly month-old cyberattack on the Tri-City Medical Center Hospital located in the City of Oceanside, California.

The 388-bed acute-care hospital, which also serves residents in the San Diego County cities of Carlsbad and Vista, first became aware of unauthorized activity inside its network on November 9th. The attack led to the hospital diverting emergency patients to other nearby facilities.

Today, Wednesday December 7th, the lesser-known threat group INC Ransom claimed responsibility for breaching the Tri-City hospital on its dark leak site.

The gang also posted a “Proof Pack” of nine file samples purportedly stolen in the attack.

INC Ransom- Tri-city medical hospital
INC Ransom leak site. Image by Cybernews.

The sample pack includes a variety of documents, from individual patient medical records and surgical authorization forms to Tri-City financial records, including communications with the California State Department of Health.

One sample showed how the department breaks down and distributes $1.5 billion in funding between California state’s hundreds of healthcare facilities.

Another leaked document clearly exposes what appears to be the actual bank account number belonging to the CA Health department, into which the hospital transfers funds.

INC Ransom-Tri-city proof pack
INC Ransom leak site. Image by Cybernews.

Meanwhile, the hospital continues to try to restore services in the aftermath.

“Dear community,” Tri-City wrote in an undated blog, posted on its website about the “unauthorized access.”

Upon discovering the breach, Tri-City said, “We immediately took our systems offline to halt the activity.”

The hospital said it was forced to “temporarily halt all elective procedures” but assured the community that emergency services were operating normally – although that was not the case the week of November 9th.

According to NBC’s local San Diego Channel 7, Tri-City had no choice but to place itself on an Internal Disaster diversion with San Diego County's Office of Emergency Services immediately following the attack for at least five days.


County officials told the NBC news outlet, “the hospital cannot accept any patients through the 911 system because of a critical disruption of the ability to provide medical services.”

Since the shutdown, Tri-City said it has been coordinating with other county first responder agencies and neighboring healthcare facilities to help share the overflow.

“Our top priority remains the health and wellness of our patients, and we continue to serve patients with emergency needs at this time,” Tri-City said.

The medical center has brought in third-party cybersecurity specialists, as well as law enforcement, to help with the investigation and incorporate new prevention strategies, the update stated.

The Tri-City Medical facility is one of the largest employers in North San Diego County. It has more than 500 physicians practicing in over 60 specialties and just over 2,000 employees, according to its website.

Who is newcomer INC Ransom?

INC, as it's sometimes referred to, is the latest newcomer to the ransomware scene, first appearing this summer, in July 2023.

A SentinelOne profile of the group found that, similar to most other ransomware groups of late, INC Ransom is considered a multi-extortion operation – which means it not only encrypts and steals its target’s data but then threatens to publish it online if the victim doesn’t pay up.

The gang appears to target a variety of industry sectors at random, including healthcare, education, and government.

The group commonly uses spear phishing emails to gain access to its victims' systems and has also been linked to the devastating Citrix Bleed zero-day vulnerability – already exploited in November by several ransomware groups since it was first observed in the wild this July.

According to SentinelOne researchers, the group’s ransom notes are written to each folder containing encrypted items, and each victim is furnished with their own unique identifying number.

Copies of the ransom notes are written in both .TXT and .HTML format.

INC ransom note
Image by SentinelOne.

As an added bonus, the payloads will automatically attempt to print out the .HTML version of the ransom note to any connected printer or fax machine, the profile states.

Ironically, last week, the US Department of Health and Human Services put out an advisory warning US hospitals specifically to patch the Citrix Netscaler flaw, which was released by CISA in October.

Unfortunately, researchers have recently discovered that several criminal groups had already taken advantage of the bug, installing backdoors into victims’ systems, which they could still access even after the Citrix bug was patched.

The notorious Russian-linked LockBit ransom group was particularly busy exploiting Citrix Bleed this November, breaching big names like Boeing, Allen & Overy and China’s ICBC bank.

It's estimated that there are still thousands of businesses worldwide that have yet to patch the Netscaler systems, which help manage all the incoming user traffic.

