Fraud Management & Cybercrime , Healthcare , Industry Specific

Honor Among Cybercriminals? Why a Canadian Firm Paid Ransom

Alberta Dental Paid 'Substantial' Ransom for Decryptor Key, Deletion of Stolen Data
Honor Among Cybercriminals? Why a Canadian Firm Paid Ransom
Alberta Dental Service Corp. says it paid a "substantial" ransom to hackers in exchange for a decryptor key and a promise by attackers to delete the company's stolen data. (Image: ADSC)

A nonprofit firm that administers government dental programs in Canada is notifying nearly 1.5 million individuals that their data, including banking information for some, was compromised in a ransomware incident last month. Company officials paid a ransom for a decryptor key and the promise from hackers to destroy the stolen data, pinning their hopes on "honor among cybercriminals."

See Also: Securing Healthcare: Minimizing Risk in an Ever-Changing Threat Landscape

Lyle Best, president of Alberta Dental Service Corp., told Information Security Media Group on Friday that his company recently paid a "substantial" ransom for a decryptor key and a pledge by the cybercriminal group 8Base, which took responsibility for the attack, to delete the data exfiltrated in the incident.

Best described 8Base as "Russian-based" and declined to say how much ransom ADSC paid. Upon paying the ransom, the hackers quickly provided ADSC with a decryptor key and a video of the company's stolen data being deleted, he told ISMG.

But by the time ADSC received the decryptor key, the company had already begun recovering affected data using backups, he said. The ransomware encryption disrupted ADSC's IT operations for only about 12 hours, according to Best.

Security firm VMware in a June report said the 8Base ransomware group, which has been active since March 2022, "has remained relatively unknown despite the massive spike in activity in summer of 2023."

8Base uses encryption paired with "name and shame" techniques to pressure its victims into paying ransoms, the report said. The gang's communication style uses "verbiage strikingly familiar to another known group, RansomHouse," VMware wrote.

In weighing the decision of whether to pay the attackers for a decryptor key and a promise to destroy stolen data, cyber insurers and other experts advised ADSC that "there is even honor among cybercriminals, who don't want to ruin their business reputations by not keeping their promises," he told ISMG.

But some experts contend that paying a ransom to attackers under any circumstances is a poor choice. "Paying untrustworthy bad faith actors in the hope that they'll actually delete your data is akin to paying a burglar in the hope he'll return your stuff. It's irrational and does absolutely nothing whatsoever to protect the individuals whose information was compromised," said Brett Callow, a threat analyst at security firm Emsisoft. "Nor does payment alter an organization's legal liability, regulatory responsibility or any other liability or responsibility."

Best said ADSC had reported the incident to law enforcement and that the investigation is ongoing.

Since the attack, ADSC has been enhancing its data security, including implementing "newer monitoring tools," Best said. The ADCS incident is believed to have started with an email phishing scam, he said.

Breach Details

ADSC in a media statement issued Thursday said that about 1.47 million individuals had been affected in the incident, which included about 7,300 records containing banking information.

ADSC in a public notice posted on its website Thursday said that it had discovered on July 9 that an unauthorized third party gained access to a portion of its IT infrastructure and deployed malware that encrypted certain systems and data, rendering them temporarily inaccessible.

"We immediately deployed countermeasures to secure our network and data from further unauthorized access and engaged third-party cybersecurity experts to assist with containment, remediation and to conduct a forensic investigation into the nature and extent of this incident," the notice said.

"Fortunately, we were able to recover the affected systems and data from backups with only minimal data loss."

The investigation into the incident so far has determined that between May 7 and July 9, the attackers accessed and copied certain data from ADSC's network before deploying the malware, the notice said.

The Edmonton, Alberta-based company said a recently completed review of the compromised data determined that those affected include dental providers and individuals enrolled in Alberta provincial government senior citizen and low-income dental programs, as well as some individuals who participate in ADSC's Quikcard benefits programs, which are offered through smaller employers.

Affected data varies among individuals depending on benefits plans, but includes name, address, personal health number, birthdate, dental claims details, government-issued identification number and, for some, bank account numbers.

For affected dental providers, compromised information includes corporate name, corporate bank account, corporate mailing and email address and license number.

"Affected individuals and organizations are at risk of harms including phishing, embarrassment, hurt or humiliation as a result of this incident," said ADSC in its public notice about the incident.

Individuals and entities who had banking information compromised in the breach are also at risk of potential fraud or identity theft, the company warned. "ADSC's assessment of these potential harms included a consideration of all surrounding circumstances, including the malicious actions of an unidentified third party, and the types of information found to have been impacted."

Large government-sponsored dental programs in the U.S. also have been the victims of recent cyberattacks, including MCNA Insurance Co., which administers dental programs in Florida (see: Dental Health Insurer Hack Affects Nearly 9 Million).

MCNA in May reported to regulators a breach affecting nearly 9 million people that involved unauthorized access to certain MCNA IT systems on March 6 and the discovery that some IT systems within the company's network had been infected with malicious code.

"Most ransomware attacks are opportunistic, meaning health plan providers and healthcare providers big and small all face similar risks," Callow said.

"Ransomware involving the health sector, as well as other sectors, has remained at an elevated level since 2019," he said. "While governments have made considerable efforts to combat the problem, those efforts do not yet appear to have had a significant impact. That's concerning."

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.