Volunteers of Cancer Services of ECI-Little Red Door [Source: littlereddooreci.org]

A ransomware group has infected the computers of an Indiana-based cancer agency and has asked for a large payment of 50 Bitcoin ($44,800).

The victim is Cancer Services of East Central Indiana-Little Red Door, an organization that helps "reduce the financial and emotional burdens of those dealing with a cancer diagnosis."

According to a statement sent out to several local news agencies [1, 2], the agency suffered a ransomware infection last Wednesday, January 11, 2017, at around 10:00 PM.

By the next day, most of the agency's internal network had been compromised and locked down with an unknown strain of ransomware.

Ransomware group contacted agency staffers via phone, email

What distinguishes this ransomware attack from previous incidents is how the crooks went about demanding the ransom. In almost all past ransomware attacks, crooks leave a ransom note on infected computers, which contains instructions on how to pay the ransom and, optionally, a contact method.

In the case of the Little Red Door agency based in Muncie, Indiana, the crooks contacted the cancer agency's staff personally the next day, Thursday, January 12.

First, they sent text messages to the phones of the agency's Executive Director, President, and Vice President, and then they sent a standardized "form letter" via email. The emails contained detailed payment instructions, but also several threats.

Crooks threaten to contact cancer patients' family members

According to the cancer agency's Executive Director Aimee Fant, the group threatened to contact family members of living and deceased cancer clients, donors and community partners.

Fant didn't describe the threats in more detail or say what the group said they'd expose, but said the ransomware gang attempted to intimidate the agency into paying the ransom as quickly as possible.

Fant and the agency's reaction was quick and definitive: "The agency will not raise money to pay the criminals’ ransom," she said.

Instead, the organization reached out to the FBI for help and says it started contacting victims whose data may have been exposed, to warn them of possible spam and phishing attacks.

Additionally, the agency said it is in the process of recovering most of its data from cloud storage and will be rebuilding its network by "replacing [its] file-based terminal server with a secure cloud-based system."

On Facebook, Little Red Door Cancer Agency, a cancer agency with a similar name and profile but based in Indianapolis, Indiana, clarified it hadn't suffered a ransomware attack like the one that hit Cancer Services of East Central Indiana-Little Red Door.

Update, January 18, 13:40: A hacker that goes by the name of The Dark Overlord (TDO) has claimed responsibility for the attack on the Little Red Door Muncie cancer agency.

Speaking to DataBreaches.net, the hacker has denied Little Red Door's statement that the clinic has suffered a ransomware attack. The hacker, who has a history of hacking healthcare organizations, claims he followed his normal procedures, but he never encrypted any data.

The hacker said he breached the company's network, stole data from the organization's database, wiped the server clean, and then contacted the organization to demand a ransom to stay quiet about the hack.

In previous hacks, TDO has never installed ransomware on hacked systems but usually put up the data for sale on Dark Web portals after companies refused to pay his ransom fee. The story will be updated with more information when it becomes available. One thing is sure: at least one of the two parties, the hacker or the cancer agency, is lying.