REvil ransomware group targets a major healthcare provider

Grupo Fleury operations disrupted after a ransomware attack

REvil ransomware group has attacked yet another massive organization

REvil ransomware^[1] gang continues its onslaught on big companies around the world. Last week we wrote about their attack on nuclear weapons contractor Sol Oriens. This week they've chosen Grupo Fleury as their next victim and spread their developed, devastating malware throughout the biggest medical diagnostics provider in Brazil devices.

According to sources, the healthcare provider has more than 200 facilities across Brazil and has over 10,000 employees. In 2016, the healthcare giant performed more than 60 million examinations. The most signature group brands^[2] are Fleury Medicina e Saúde, Labs D'Or, Campana, Weinmann and a+ Medicina Diagnóstica.

The attack became evident when the company's website, on June 22, 2021, began showing a warning message stating that their services are unavailable because of a server breach. Due to the incident, the medical diagnostics provider's services are discontinued as patients are unable to register for any kinds of appointments.

Threat actors demanded ransom price is $5 million

Although the Grupo Fleury doesn't specify what kind of cyber attack they've suffered in the released warning message, security researchers^[3] have found out it was a ransomware attack. Moreover, the attack was operated by a well-known criminal organization known as REvil.^[4]

The gang's name means Ransomware Evil, but it's also known as the Sodinokibi group. They're famous for targeting high-profile companies. Few of their latest victims include JBS Foods, the largest global meat processor, Sol Oriens, nuclear weapons contractor, and Apple, which doesn't require any introductions.

It is known that the threat actors are demanding the healthcare giant to forward them $5 million in cryptocurrency until June 26 to receive the decryption software, or the ransom price will be doubled to $10 million. REvil group is specializing in stealing data from infected computers prior to encrypting it.

This technique is known as double extortion.^[5] The stolen files are used as leverage and are held until the victims pay up or are leaked in a dark web website created by the group. If their demands aren't met, they always post the gathered data, as security analysts point out:^[6]

They’re notoriously known for leaking data if their demands aren’t met. <…> They’re notoriously known for leaking data if their demands aren’t met.

Stolen patient data might endanger their privacy and security

The Grupo Fleury hasn't yet confirmed or denied that the ransomware cyberattack resulted in any stolen data. If the REvil group managed to obtain the company's records, and let's be frank, there's a huge possibility that they did, the patients and the company itself could be in big trouble.

If the huge ransom isn't paid, the cybercrime group could either leak all stolen documents on their “Happy Blog” or sell them to the highest bidder. The data might be of interest to various threat actors as it contains a myriad of personal and medical information.

It might also contain personal details of all 10,000 employees, such as home addresses, phone numbers, emails, etc. Cybercriminals could use that data for various purposes, including phishing attacks, identity theft, and so on. Therefore people in any way related to the Grupo Fleury, whether a patient or an employee, should take precautionary measures not to become victims of cybercrimes.