Did Data Leak Discovery Reveal a Ransomware Incident?Researcher Says Exposed Database Contained Ransom Demand Message
An unsecured database of medical information on military veterans contained evidence of a potential ransomware incident, the security researcher who discovered the data leak says.
In a recent report, Jeremiah Fowler, a cybersecurity researcher and tech analyst at the consultancy Security Discovery, says that on April 18, he discovered the internet-accessible database containing nearly 200,000 records.
Exposed patient information included names, dates of birth, reasons for doctor visit, medical record numbers and appointment information. The database also contained names and email addresses of internal users and admin and user information with hashed and non-hashed passwords, Fowler writes.
Database Access Shut Down
Many references to United Valor Solutions, a North Carolina company that provides disability evaluation services to the Department of Veterans Affairs, were contained in the database, the researcher writes.
When the researcher disclosed his findings to United Valor, the company restricted public access to the database within hours, Fowler reports. The company told Fowler that its contractors shut down the public data access and concluded, based on their monitoring, that "the data has only been accessed via our internal IP and yours," the researcher writes.
Fowler says, however, that the database included what appeared to be evidence of a ransomware attack. It contained a message titled “read_me” that claimed all of the records were downloaded and they would be leaked unless 0.15 Bitcoin - or $8,148 - was paid, Fowler writes.
"The forensic audit or IP review of outside access conducted by the contractor should have also identified the ransomware intrusion and the multiple IoT search engine spiders that indexed the exposed database," Fowler writes. "This appears to contradict what the contractors told United Valor."
United Valor and the VA did not immediately respond to Information Security Media Group's request for comment.
Ransomware Incident, or Not?
The apparent ransomware-related note is not necessarily evidence of an attack, says Brett Callow, a threat analyst at security firm Emsisoft.
"Low-level cybercriminals scan the net for vulnerable systems and automatically leave ransom notes claiming the data was extracted and will be released unless a relatively small ransom is paid," he says.
"In some cases, they may not even know which organization the compromised system belongs to. These are not ransomware attacks in the normal sense, which isn’t to say that the incidents may not be serious."
Fowler tells ISMG there's a wide range of methods attackers use to target exposed databases.
"I cannot say if the data was in fact taken, extracted or downloaded or to what extent the incident may or may not affect these individuals. I can only confirm that I saw the message that was consistent with known ransomware and data extortion schemes," he says.
Even if the message was automated, "the same misconfiguration that allowed the message to be placed in the database could have allowed the data to be potentially extracted and manually reviewed later by cybercriminals or state actors," he adds.
The method Fowler used to find the database "was nonintrusive and required nothing more than an internet connection and a web browser," he says. "For the record, I never download the data I find. Any dataset that is non-password protected and can be accessed or edited without administrative credentials is going to be targeted. It is a matter of when - not if."
In many ransomware attacks, victims immediately know they’ve been hit.
For example, when an attack affects a production database that's used daily," it presents an instant effect that is impossible to miss," notes Ron Pelletier, founder of security consultancy Pondurance.
"If any bad actor had the capability to launch a ransomware attack from inside the network, and there is knowledge of the attack, then the affected covered entity or business associate would be legally obligated to make all relevant stakeholders aware of the incident in the appropriate manner."
Pelletier also notes that attackers often exfiltrate data as part of a ransomware attack.
"In fact, we’re seeing that happen more as a way to not only increase the monetary demand but also increase the likelihood of payment from the victim," he says. "It’s an extortion plan that says 'even if you’re able to recover from the encryption attack, pay us or we’ll release your data to the public.'"
But some ransomware victims don't immediately know they've been targeted.
"Sometimes, ransomware could be planted by a perpetrator and then sold to the highest bidder, and that could take some time," says former Forrester Research analyst Chenxi Wang, a general partner at venture capital firm Rain Capital.
Depending upon the type of malware installed by threat actors and the techniques used, threat actors can program malware to be “activated” or “released” on a certain day or time "much like a time bomb," says Tom Garrubba, CISO of Shared Assessments, a global third-party risk management member organization.
"Threat actors can leave breadcrumbs to mark a trail or even a signature identifying who performed the attack as evidence that it was their group that performed the attack," he says. "They would do this as it ups their credibility and increases their stature in the ransomware business."
Retired supervisory FBI agent Jason G. Weiss, an attorney at the law firm Faegre Drinker Biddle & Reath LLP, says it's possible a victim could be unaware for an extended period that they have been the victim of a ransomware attack, especially if the attackers' goal was to steal data and threaten to release it unless a ransom was paid.
"Not every ransomware gang is sophisticated in its negotiation methods, and if their ransom note was a simple 'read me' text file located on the network, it could have been legitimately missed for some period of time," Weiss says.