RansomHub Ransomware Hits Southeastern Retina Associates
Incident Date: September 13, 2024
Overview
Title: RansomHub Ransomware Hits Southeastern Retina Associates
Victim: Southeastern Retina Associates
Attacker: RansomHub
Location:
First Reported: September 13, 2024
RansomHub Ransomware Attack on Southeastern Retina Associates
Southeastern Retina Associates (SERA), a specialized medical practice focused on the diagnosis and treatment of retinal and vitreous diseases, has become the latest victim of a ransomware attack by the notorious RansomHub group. The attackers claim to have exfiltrated 500 GB of sensitive data and have set a ransom deadline for September 15, 2024.
About Southeastern Retina Associates
SERA operates multiple locations across Tennessee, Northeastern Georgia, and Southwestern Virginia, providing comprehensive care to a wide patient base. The practice employs over 300 staff members, including 17 board-certified ophthalmologists who are experts in vitreoretinal surgery and medical retina treatments. SERA is recognized for its commitment to patient-centered care and its involvement in groundbreaking clinical trials aimed at advancing retinal care.
What Makes SERA Stand Out
SERA is distinguished by its exclusive focus on retinal diseases, offering targeted therapies for conditions such as diabetic retinopathy, age-related macular degeneration (AMD), retinal detachment, and choroidal melanoma. The practice emphasizes innovative treatment options and patient education, ensuring that patients are well-informed about their conditions and treatment plans. This commitment to excellence has established SERA as a premier retina practice in the Southeastern United States.
Vulnerabilities and Attack Overview
Healthcare organizations like SERA are particularly vulnerable to ransomware attacks due to the critical nature of their operations and the sensitive data they handle. RansomHub likely exploited vulnerabilities in unpatched systems or used phishing campaigns to gain initial access. Once inside, the attackers conducted network reconnaissance, escalated privileges, and exfiltrated data before encrypting files. The attack has significant implications for SERA, potentially disrupting patient care and compromising sensitive medical information.
About RansomHub
RansomHub, a Ransomware-as-a-Service (RaaS) group, emerged in February 2024 and quickly gained notoriety for its aggressive affiliate model and double extortion tactics. The group is known for its speed and efficiency, using advanced data exfiltration techniques and intermittent encryption to minimize encryption time while maintaining impact. RansomHub targets high-value sectors such as healthcare, financial services, and government, making it a formidable threat to organizations worldwide.
Penetration Methods
RansomHub affiliates primarily use phishing campaigns, vulnerability exploitation, and password spraying to gain initial access. The group has also leveraged zero-day vulnerabilities to infiltrate systems. Once inside, they use tools such as Mimikatz and PsExec for lateral movement and privilege escalation. Data exfiltration is conducted with tools such as WinSCP and Rclone, followed by encryption using Curve25519 elliptic curve encryption.
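The toolset named above (Mimikatz, PsExec, WinSCP, Rclone) is what a defender can look for in process-creation telemetry. The following is an added example, not code from the original page or from any tracker: it scans a constructed set of Sysmon-style events, tags each sighting with the attack phase the tool usually serves, and flags hosts where two or more phases appear within a 48-hour window, since a lone tool sighting may be legitimate administration while a chain rarely is. Hostnames, paths and timestamps are invented for the sample.

```python
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation events (Sysmon Event ID 1 style); not from the SERA incident.
EVENTS = [
    {"ts": "2024-09-10T02:11:04", "host": "WS-CLINIC-07", "image": r"C:\Temp\mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"ts": "2024-09-10T02:40:00", "host": "FS-01", "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"ts": "2024-09-11T23:05:10", "host": "FS-01", "image": r"C:\Tools\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Imaging remote:bucket -q"},
    {"ts": "2024-09-12T09:00:00", "host": "WS-ADMIN-02", "image": r"C:\Program Files\WinSCP\WinSCP.exe", "cmdline": "WinSCP.exe"},
]

# (phase, image-name pattern, optional command-line pattern). Name matching alone is a weak
# signal, renamed binaries evade it; the value is in chaining distinct phases on one host.
RULES = [
    ("credential_access", re.compile(r"mimikatz", re.I), None),
    ("lateral_movement", re.compile(r"^psexe(c|svc)\.exe$", re.I), None),
    ("exfiltration", re.compile(r"^winscp\.exe$", re.I), None),
    ("exfiltration", re.compile(r"^rclone\.exe$", re.I), re.compile(r"\b(copy|sync|move)\b", re.I)),
]

def match_event(event):
    """Return the phase this event matches, or None."""
    image = os.path.basename(event["image"].replace("\\", "/"))
    for phase, image_re, cmd_re in RULES:
        if image_re.search(image) and (cmd_re is None or cmd_re.search(event["cmdline"])):
            return phase
    return None

def detect(events):
    """Matching events as (timestamp, host, phase, image), oldest first."""
    hits = []
    for ev in events:
        phase = match_event(ev)
        if phase:
            hits.append((datetime.fromisoformat(ev["ts"]), ev["host"], phase, ev["image"]))
    return sorted(hits)

def chained_hosts(hits, window=timedelta(hours=48)):
    """Hosts where two or more distinct phases occur within `window` of each other."""
    by_host = defaultdict(list)
    for ts, host, phase, _ in hits:
        by_host[host].append((ts, phase))
    flagged = {}
    for host, seq in by_host.items():
        for ts, _ in seq:
            phases = {p for t, p in seq if ts <= t <= ts + window}
            if len(phases) >= 2:
                flagged[host] = sorted(phases)
                break
    return flagged
```

On the sample, only FS-01 is flagged: the PsExec service followed by an Rclone copy two days later, while the lone WinSCP launch on the admin workstation is reported but not chained.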
Sources
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups, and their victims. Given the sustained and lucrative success of threat actors so far, ransomware has become the most widespread cyber threat to businesses and organizations today, and the one with the greatest financial and informational impact.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.