Ransomware Attack Hits Nuevo Hospital de Bocagrande in Cartagena
Ransomware Attack on Nuevo Hospital de Bocagrande by LockBit
Nuevo Hospital de Bocagrande, a prominent healthcare institution in Cartagena, Colombia, has recently fallen victim to a ransomware attack orchestrated by the notorious hacking group LockBit. The attackers claim to have exfiltrated 341 GB of sensitive data and have set a ransom deadline for the 25th of September, by which the hospital must comply with their demands to avoid further data exposure or potential operational disruptions.
About Nuevo Hospital de Bocagrande
Established on January 1, 2009, Nuevo Hospital de Bocagrande (NHBG) specializes in high-complexity medical care, including surgical and cardiovascular services. The hospital employs approximately 157 individuals and generates an annual revenue of around $10 million USD. Known for its advanced medical treatments and high success rates in minimally invasive procedures, NHBG serves both local residents and international patients, making it a key player in the Caribbean region's healthcare landscape.
Vulnerabilities and Targeting
Despite its modern facilities and high standards of care, NHBG has faced mixed reviews regarding its cleanliness and overall experience. These vulnerabilities, coupled with the hospital's reliance on state-of-the-art technology, make it an attractive target for ransomware groups like LockBit. The hospital's extensive use of digital systems for patient records and medical procedures increases its susceptibility to cyberattacks.
Attack Overview
The ransomware group LockBit has claimed responsibility for the attack on NHBG via their dark web leak site. The group has exfiltrated 341 GB of sensitive data and is employing "double extortion" tactics, threatening to release the data publicly if the ransom is not paid. This attack highlights the growing trend of ransomware groups targeting healthcare institutions, which are often seen as high-value targets due to the critical nature of their services.
About LockBit
LockBit is a highly sophisticated ransomware-as-a-service (RaaS) group that has been active since September 2019. Known for its modular ransomware and use of RSA-2048 and AES-256 encryption algorithms, LockBit has become the most active ransomware group, responsible for over one-third of all ransomware attacks in the latter half of 2022 and the first quarter of 2023. The group employs "double extortion" tactics and typically demands payment in Bitcoin, ranging from several thousand to several hundred thousand dollars.
Penetration Methods
LockBit is designed to exploit vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to spread quickly across a network. The ransomware also performs a check to avoid executing on computer systems with installed languages common to the Commonwealth of Independent States (CIS) region. Indicators of Compromise (IOCs) for LockBit include the creation of a mutual exclusion object (Mutex) when executed, the use of a unique icon, and changes to the victim's computer wallpaper.
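The RDP entry vector and the wallpaper change described above can be combined into a simple log correlation for triage. This is an added example, not code from the original article or from Halcyon; the events, host names and addresses are constructed, and the field names (`ts`, `host`, `src`, `target`) are an assumed normalised schema.

```python
from datetime import datetime, timedelta

# Standard Windows event IDs: 4625 failed logon, 4624 successful logon
# (LogonType 10 = RemoteInteractive, i.e. RDP), Sysmon 13 = registry value set.
WALLPAPER_VALUE = r"\control panel\desktop\wallpaper"

def sample_events():
    """Constructed events for illustration only; not data from this incident."""
    t0 = datetime(2024, 1, 1, 2, 0, 0)
    rdp = lambda host, eid, src, secs: {"ts": t0 + timedelta(seconds=secs),
        "host": host, "id": eid, "logon_type": 10, "src": src}
    reg = lambda host, secs: {"ts": t0 + timedelta(seconds=secs), "host": host,
        "id": 13, "target": r"HKU\S-1-5-21-0-0-0-1001\Control Panel\Desktop\Wallpaper"}
    ev = [rdp("ws01", 4625, "203.0.113.7", 20 * i) for i in range(6)]
    ev += [rdp("ws01", 4624, "203.0.113.7", 180), reg("ws01", 2400)]
    ev += [rdp("ws02", 4625, "10.0.0.5", 60), rdp("ws02", 4624, "10.0.0.5", 90)]
    ev += [reg("ws03", 300)]  # a user changing their own wallpaper
    return ev

def rdp_guess_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Map (host, src) -> time of an RDP logon that succeeded after at least
    `threshold` failures from the same source inside `window`."""
    fails, hits = {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e.get("logon_type") != 10:
            continue
        key = (e["host"], e["src"])
        recent = [t for t in fails.get(key, []) if e["ts"] - t <= window]
        if e["id"] == 4625:
            fails[key] = recent + [e["ts"]]
        elif e["id"] == 4624:
            if len(recent) >= threshold:
                hits.setdefault(key, e["ts"])
            fails[key] = []
    return hits

def wallpaper_writes(events):
    """Map host -> times of Sysmon 13 writes to the Desktop\\Wallpaper value."""
    out = {}
    for e in events:
        if e["id"] == 13 and e["target"].lower().endswith(WALLPAPER_VALUE):
            out.setdefault(e["host"], []).append(e["ts"])
    return out

def triage(events):
    """Hosts where a wallpaper write follows a guessed RDP logon; either
    signal alone is only a lead."""
    writes = wallpaper_writes(events)
    return sorted({h for (h, _), ok in rdp_guess_then_success(events).items()
                   if any(t > ok for t in writes.get(h, []))})
```

When Network Level Authentication is enabled, failed RDP attempts are commonly logged with LogonType 3 rather than 10, so the logon-type filter may need widening in such environments.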