Ransomware operators known as the Maze team have been getting media attention for their influence in implementing what is being called a double extortion scheme: attackers gain access to their victim’s network, exfiltrate data, and then lock up the victim’s systems with ransomware. They then demand a fee — which may be hundreds of thousands of dollars or even more — to provide a decryption key. But even if the victim pays that ransom, the attackers still hold copies of the victim’s data, which they threaten to dump publicly if the victim doesn’t pay a second fee. To increase pressure on their victims, the Maze team created a web site where, if the victim doesn’t pay them within a few days, Maze names them and provides a public sample of their data for the taking. The sample may be old, uninteresting data posted just to present proof of access, or it may be sensitive corporate or personal information.

In the past few months, a number of other ransomware operators have adopted the Maze approach of naming victims and dumping data, including DoppelPaymer, Nefilim, Ragnar, Sodinokibi (REvil), CLOP, Ako, and Netwalker.

Like other ransomware groups using the Maze approach, Ako maintains a site on Tor. At the present time, there are seven entities listed on their site: two from the medical sector, four from the business sector, and one K-12 school district. Not all victims are U.S. entities, and the school district in Texas does not have any data dumped yet, although the attackers posted a note that stolen files are “coming soon” in case of non-payment.

Perhaps some of the most sensitive data comes from a pain management practice in Massachusetts. North Shore Pain Management has two offices in Massachusetts. The Ako operators have dumped more than 4 GB of their data, which includes employee and patient information.
The patient records are a covered entity’s nightmare because they are all unencrypted protected health information that discloses patients’ names, addresses, telephone numbers, diagnoses, treatment codes, Social Security numbers, health insurance policy information, billing information, employer information, workers’ compensation details, and much more. Most of the more than 4,000 files are not spreadsheets or databases but rather .pdf files or scans of tabular data involving deposits, Explanation of Benefits statements, bank account information, copies of checks with routing and account numbers, and other correspondence. The files dumped by the attackers are not EMR, but they do contain a lot of PHI. Not all patients have the same data types exposed, but to show they mean business, Ako used an unredacted screenshot with PHI on their website’s listing for the practice. DataBreaches.net has redacted it below:

Not all of the files in the data dump were meaningful (some were image files from a WildTangent game), but some files were quite large, with significant amounts of PHI. One such file included a number of completed insurance claim forms containing patients’ name, insurance policy number, insurer, SSN, DOB, diagnosis code, treatment code, and charges. Depending on the type of claim or case, the patient’s employer might also be disclosed, along with other relevant employee information. The file also contained Explanation of Benefits statements, copies of checks and other payment records, and information on appeals.

DataBreaches.net reached out to NSPAIN’s Twitter team, but did not receive a reply by publication time. At this point, then, they have not confirmed or denied any breach to this site, and based on a phone call I received yesterday from a victim of another ransomware operator, I cannot even be sure that NSPAIN knows that their patient and employee data was stolen (if it was, as it appears to have been).
This post will be updated if more information becomes available. This appears to be an incident that will require notification to HHS OCR.

Note: For an introduction to Ako ransomware, see SonicWall’s report in February and a report by AppRiver. Note that the $3,000 ransom mentioned there may no longer be valid. One of Ako’s recent victims whose data has been dumped has this note on their listing: “Got only payment for decrypt – 350,000$ payment for delete stolen files was not received.” Apparently, the attackers were not going to settle for just hundreds of thousands of dollars. They dumped thousands of records from the business, including customer screening and due diligence files and other business and customer records. And of course, the implication is that if a firm doesn’t pay the second fee for deleting stolen data, that data will be dumped publicly.