LockBit Ransomware Attack on Clinica Tezza: A Detailed Analysis

On August 12, 2024, Clinica Tezza, a prominent healthcare institution in Lima, Peru, became the latest victim of a ransomware attack orchestrated by the notorious LockBit group. This incident highlights the increasing vulnerability of healthcare providers to cyber threats, potentially jeopardizing sensitive patient data and disrupting essential medical services.

About Clinica Tezza

Founded on December 8, 1967, by the Congregation of the Daughters of St. Camillus, Clinica Tezza is dedicated to providing comprehensive medical care. The clinic offers over 30 medical specialties, including cardiology, general surgery, ophthalmology, gynecology, and pediatrics. With a team of more than 200 medical professionals, the clinic is equipped with modern medical technologies and services such as emergency care, imaging and radiology, laboratory services, and specialized units like the Intensive Care Unit (ICU) and Neonatal ICU.

Clinica Tezza is known for its patient-centered care, offering virtual consultations and medication delivery services to enhance patient experience. The clinic's commitment to quality and community service aligns with the broader goals of the Daughters of St. Camillus, emphasizing compassionate and diligent care.

Attack Overview

The ransomware attack targeted Clinica Tezza's website, clinicatezza.com.pe. While the exact size of the data leak remains unknown, the attack underscores the growing threat of cyberattacks on healthcare institutions. The LockBit group, known for its sophisticated ransomware-as-a-service (RaaS) operations, claimed responsibility for the attack via their dark web leak site.

About LockBit

LockBit has been active since September 2019 and has become the most active ransomware group, responsible for over one-third of all ransomware attacks in the latter half of 2022 and the first quarter of 2023. The group employs "double extortion" tactics, exfiltrating sensitive data and threatening to release it publicly if the ransom is not paid. LockBit uses a combination of RSA-2048 and AES-256 encryption algorithms to encrypt victims' files and demands payment in Bitcoin.

Penetration and Vulnerabilities

LockBit is designed to exploit vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to spread quickly across a network. The ransomware performs a check to avoid executing on systems with languages common to the Commonwealth of Independent States (CIS) region. Indicators of Compromise (IOCs) for LockBit include the creation of a mutual exclusion object (Mutex) when executed, the use of a unique icon, and changes to the victim's computer wallpaper.

Clinica Tezza's reliance on digital services and patient data management systems made it a prime target for such an attack. The healthcare sector's critical nature and the potential for significant disruption make it an attractive target for ransomware groups like LockBit.

Sources

• Clinica Tezza
• SOCRadar: Dark Web Profile - LockBit 3.0 Ransomware
• TXOne: Malware Analysis - LockBit 3.0
• Red Piranha: A Look at LockBit 3.0 Ransomware
• CISA: Ransomware Profile - LockBit 3.0