The recent cyberattack on McLaren Health Care, carried out by the Inc ransomware group, has highlighted the increasing targeting of critical healthcare facilities by ransomware groups. The attack, which disrupted McLaren’s IT and phone systems, forced hospitals and outpatient clinics to implement downtime procedures, resulting in the rescheduling of nonemergency appointments and tests.
While McLaren initially did not confirm if patient or employee information was compromised, a leaked ransom note revealed that the Inc ransomware group was holding their data hostage. This incident underscores the growing threat posed by ransomware attacks on healthcare organizations.
Victims of Inc ransomware now have something to work with: details of how the group's encryptor operates, disclosed in a report recently published by GuidePoint Security. The report explains how those details can inform the decryption process and improve the odds of recovering data.
According to the report, files encrypted by Inc carry an 80-byte footer that records how the file was encrypted, including the mode used and therefore how much of the file's contents was touched. Reading that footer lets a victim decide how to approach recovery instead of simply running the decryptor supplied by the attackers and hoping for the best.
For instance, the footer shows whether a file was encrypted in the fast mode, which encrypts only portions of the file, or in the slow mode, which encrypts its entire contents. Knowing which applies tells victims what to expect from decryption of each file and where to focus recovery effort.
Conversely, a file that carries the .inc tag but lacks the 80-byte footer has been corrupted beyond recovery, and the decryptor will not restore it. Checking for the footer is therefore a necessary step in assessing which files are actually recoverable after an attack.
Jason Baker, a threat intelligence consultant at GuidePoint Security, advises victims to examine the footer values before running the decryptor, so that they know in advance which files can be expected to decrypt and which cannot. Used this way, the leaked information improves the chances of recovering encrypted files and limits the impact of the attack.
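The footer check described above is easy to automate. The following Python script is an added example, not code from GuidePoint's report or from the original article. It walks a directory of .inc-tagged files, separates the trailing 80 bytes from each, flags files too short to carry a footer, and goes one step beyond the text by estimating from a per-block entropy profile whether a file was encrypted in full or only in part, which is an independent cross-check on what the footer claims. The footer's internal field layout is not reproduced on this page, so the script records the footer but does not interpret its contents; the 4 KiB window, the 7.2 bits/byte threshold, and the constructed sample files (seeded random bytes standing in for ciphertext and for the footer) are all assumptions made here.

```python
"""Triage .inc files by footer presence and per-block entropy (added example)."""
import math
import random
from collections import Counter
from pathlib import Path

FOOTER_LEN = 80      # Inc appends an 80-byte footer to files it encrypts (GuidePoint report)
INC_SUFFIX = ".inc"  # extension Inc adds to files it touches
BLOCK = 4096         # entropy window in bytes; chosen here, not taken from the report
HIGH_ENTROPY = 7.2   # bits/byte above which a block is treated as ciphertext; assumption


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, close to 8.0 for ciphertext)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def split_footer(blob: bytes):
    """Separate the trailing 80 bytes; a file too short to hold one gets footer=None.

    The footer's field layout is not reproduced here, so only its presence is
    checked by length. Field-level validation from the report would go here.
    """
    if len(blob) < FOOTER_LEN:
        return blob, None
    return blob[:-FOOTER_LEN], blob[-FOOTER_LEN:]


def classify(blob: bytes) -> dict:
    """Estimate how much of the body is ciphertext, independently of the footer."""
    body, footer = split_footer(blob)
    profile = [shannon_entropy(body[i:i + BLOCK]) for i in range(0, len(body), BLOCK)]
    high = sum(1 for e in profile if e >= HIGH_ENTROPY)
    if footer is None:
        verdict = "no-footer"    # .inc tag but nothing for the decryptor to work from
    elif profile and high == len(profile):
        verdict = "full"         # every block is ciphertext: whole file encrypted (slow mode)
    elif high == 0:
        verdict = "unencrypted"  # footer present but body looks untouched; inspect manually
    else:
        verdict = "partial"      # only some blocks are ciphertext (fast mode)
    return {"blocks": len(profile), "high_entropy_blocks": high,
            "has_footer": footer is not None, "verdict": verdict}


def triage_directory(root: str) -> dict:
    """Walk a tree and classify every *.inc file; returns {path: classify(...)}."""
    return {str(p): classify(p.read_bytes())
            for p in Path(root).rglob("*" + INC_SUFFIX) if p.is_file()}


def build_samples() -> dict:
    """Constructed sample files (not real victim data), seeded so results are reproducible.

    Seeded random bytes stand in for ciphertext and for the 80-byte footer,
    whose real layout is not given on this page.
    """
    rng = random.Random(2024)
    plaintext = (b"PATIENT RECORD 000123 - ROUTINE FOLLOW-UP - NO CHANGE\r\n" * 1200)[:64 * 1024]
    footer = rng.randbytes(FOOTER_LEN)
    fast = rng.randbytes(8 * 1024) + plaintext[8 * 1024:] + footer  # only the first 8 KiB encrypted
    slow = rng.randbytes(32 * 1024) + footer                         # entire contents encrypted
    stub = b"\x00" * 40                                              # tagged .inc, no room for a footer
    return {"chart.pdf.inc": fast, "ledger.xlsx.inc": slow, "notes.txt.inc": stub}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, classify(blob))
```

Run against a real share with `triage_directory("/mnt/restore")` and sort the results by verdict: "no-footer" files are the ones to set aside, "partial" files are the cheapest wins if decryption fails, and a "full" file whose footer says otherwise is worth a second look before trusting either source.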
In addition to the technical aspects of the attack, there has been a noticeable shift in the ethical considerations of ransomware groups, particularly in their targeting of healthcare organizations. Previously, certain groups refrained from attacking healthcare facilities, but that norm has eroded over time.
The Inc ransomware group, known for targeting industries like healthcare, education, and nonprofits, exemplifies this shift in tactics. Recent disruptions in the ransomware landscape have prompted some groups to target previously off-limits sectors, driven by the perceived profitability of such attacks.
Overall, the McLaren Health Care cyberattack sheds light on the evolving tactics of ransomware groups and the crucial role of leaked information in aiding victims in their recovery efforts. As healthcare organizations continue to be prime targets for cybercriminals, it is imperative for entities to enhance their cybersecurity measures to defend against such malicious threats.
