Ransomware Attack Hits St. James Place Retirement Community, Data Stolen

Incident Date: Aug 23, 2024

Attack Overview
Victim: St. James Place
Industry: Healthcare Services
Location: USA
Attacker: Cloak
First Reported: August 23, 2024

Ransomware Attack on St. James Place by Cloak Ransomware Group

St. James Place, a nonprofit retirement community located in Baton Rouge, Louisiana, has recently fallen victim to a ransomware attack orchestrated by the Cloak ransomware group. The attackers claim to have exfiltrated 100 GB of sensitive data from the organization, releasing sample screenshots on their dark web portal to substantiate their claims.

About St. James Place

Established in 1983, St. James Place is a Life Plan Community designed for active seniors aged 62 and older. The community spans 52 acres and offers a comprehensive lifestyle that emphasizes independence, wellness, and community engagement. It provides a continuum of care, including independent living, assisted living, and skilled nursing care, all underpinned by a Life Care Contract that guarantees access to healthcare services as needed.

The community is known for its vibrant lifestyle, featuring amenities such as a fitness center, salon, home theater, and multiple dining options. Residents can participate in various activities, including arts and crafts, fitness classes, and organized outings to cultural events in Baton Rouge. The St. James Place Foundation supports residents facing financial challenges, ensuring a high quality of life for all.

Attack Overview

The Cloak ransomware group has claimed responsibility for the attack on St. James Place, asserting that they have exfiltrated 100 GB of sensitive data. The breach highlights the growing threat of ransomware attacks in the healthcare and wellness sector. Cloak has released sample screenshots of the stolen data on their dark web portal, emphasizing the severity of the breach.

About Cloak Ransomware Group

Cloak ransomware is a relatively new group that emerged between late 2022 and early 2023. The group is financially motivated and primarily targets sectors such as medical, real estate, construction, IT, food industry, and manufacturing. Cloak operates a data leak site where it sells and publishes data stolen from victims, and it uses double extortion tactics: encrypting files and threatening to leak the stolen data.

The group likely purchases initial access from Initial Access Brokers (IABs) on underground marketplaces and may leverage compromised employee credentials obtained through info-stealers like Lumma, Aurora, and Redline. Encrypted files are renamed with extensions like .crYptA, .crYptB, up to .crYptE. As of mid-2023, Cloak had accessed 23 databases of small-medium businesses, with a high ransom payment rate of 91-96%.

Vulnerabilities and Penetration

St. James Place, like many organizations in the healthcare sector, may have vulnerabilities that make it an attractive target for ransomware groups. These could include outdated software, insufficient cybersecurity measures, and a lack of employee training on phishing and other cyber threats. The exact method of penetration in this case is not yet clear, but it is likely that Cloak used compromised credentials or purchased initial access from IABs to infiltrate the company's systems.
