Ransomware gang LockBit has announced its intention to leak private medical data belonging to cancer patients after allegedly hacking Varian Medical Systems, a healthcare firm that provides software for oncology applications. According to the ransomware gang, Varian has until 17 August to enter into negotiations to retrieve what was stolen in the raid if it wishes to avoid ‘all databases and patient data’ being published on LockBit’s blog.
A subsidiary of Siemens Healthineers, Varian specialises in supplying diagnostic and therapeutic oncology services. As of 2021, the California-headquartered company posted an annual profit of £269m and employed over 10,000 staff. Though details have yet to emerge as to how LockBit breached Varian’s systems or how much data was exfiltrated, the ransomware gang warned readers of its so-called ‘victim blog’ that the company should expect to see its private databases and patient medical data published shortly if it did not enter into negotiations within two weeks.
Such threats may form part of a ‘triple extortion’ strategy common to ransomware gangs, a three-part campaign against a company that begins with the theft of sensitive-looking data, which is then encrypted. That data is only returned and kept private if the corporate victim of the breach pays a ransom, whereupon they are provided – in theory – with a decryption key. It remains unclear, however, whether this is precisely the case with Varian. A statement provided to Tech Monitor by Varian’s parent company, Siemens Healthineers, confirmed that an internal investigation into the alleged breach is underway, but refrained from commenting further. “Siemens Healthineers is aware that a segment of our business is allegedly affected by the Lockbit ransomware group,” said a spokesperson. “Cybersecurity is of utmost importance to Siemens Healthineers, and we are making every effort to continually improve our security and data privacy.”
LockBit crime spree
Recent months have seen LockBit mount a series of disruptive cyberattacks against major companies. The first quarter of 2023 witnessed the gang attempt to breach 1,653 companies, according to a report by the US Cybersecurity and Infrastructure Security Agency, often repurposing freeware and open-source tools for use in network reconnaissance, remote access, tunnelling, credential dumping and file exfiltration.
Examples include LockBit’s recent campaign against the port of Nagoya, which ossified supply chains for Japanese carmaker Toyota, an attack against SpaceX that the ransomware gang claim resulted in a haul of 3,000 proprietary schematics, and an attempted extortion of Taiwanese chip manufacturer TSMC to the tune of $70m.
If confirmed, this latest hack would be the third such incident in four months to hit the wider Siemens group. In April, Siemens Metaverse reported that sensitive data, including office plans and IoT devices, had leaked thanks to it being inappropriately secured. Then, in June, Siemens Energy was breached by Cl0p, a Russian ransomware gang, though in that case, the company reported that ‘no critical data has been compromised’.