Reports on the Onix Group, Daixin Team and Clop Ransomware Attacks

320,000 Patients Impacted by Onix Group Ransomware Attack

The business administration service provider in Pennsylvania, Onix Group, encountered a ransomware attack on March 27, 2023. Upon detection of the incident, Onix Group immediately took its network offline to stop continuing unauthorized access; nevertheless, the attackers could encrypt files on particular systems. The forensic investigation affirmed that systems access was acquired 7 days prior to ransomware deployment and file encryption, and in those 7 days, the cyberattackers extracted files that contain sensitive information.

The analysis of the files showed that they included the information of patients of healthcare customers Cadia Healthcare, Addiction Recovery Systems, Physician’s Mobile X-Ray, and Onix Hospitality Group. The protected health information (PHI) in the compromised files differed from person to person and could have contained names, birth dates, Social Security numbers, and booking, billing, and clinical data. A number of the files included client details that were saved for HR reasons, such as employees’ names, direct deposit details, health plan enrollment information, and Social Security numbers.

Free credit monitoring and identity theft protection solutions were provided to impacted persons. The breach report sent to the HHS Office for Civil Rights indicated that around 319,500 persons were affected.

Ascension Patient Data Exposed Due to Vendor Breach

Ascension has lately begun informing 148,606 patients concerning a security breach that occurred on March 1 and 2, 2023. This third-party vendor was employed to deal with its heritage sites, DellChildren’ and

Vertex sought the help of a forensic investigator to find out the nature and extent of the breach. The investigation is in progress however, at this period, there seems to be no theft of any patient data found. In case data theft did happen, the data at risk consists of names, addresses, credit card numbers, insurance details, and Social Security numbers. Impacted persons received free credit monitoring and identity theft protection services as a preventative measure.

Ascension has confirmed that the sites were changed with brand new sites that Ascension hosts. The breach report submitted to the HHS’ Office for Civil Rights indicated that 17,191 Ascension Seton patients and 1,415 Ascension Providence patients were affected.

Extortion Attempt on Columbus Regional Healthcare System by the Daixin Team

Daixin Team, a ransomware and extortion group, states that it was responsible for a ransomware attack on a non-profit health system in Indiana, Columbus Regional Healthcare System. The group claims to have extracted 70 gigabytes of data files from the 154-bed hospital. The initial ransom demand by the group was $2 million, although, after the negotiation with the hospital or a third party, the ransom demand was reduced to $1 million; even so, the negotiations did not seem to materialize.

Columbus Regional Healthcare System did not confirm the attack by Daixin Team and it is presently not clear to what degree patient information is affected. The ransomware group may start leaking the stolen information over the following couple of days when ransom negotiations don’t continue.

MOVEit Vulnerability Exploitation and Extortion

A cyber threat actor began exploiting a zero-day vulnerability in the MOVEit file transfer service (CVE-2023-34362) during the Memorial Day weekend. Progress Software released a notification concerning the vulnerability on May 31, 2023, and quickly released patches to resolve the vulnerability, however, not soon enough to stop mass exploitation of the zero-day vulnerability. Remote exploitation of the vulnerability enabled access to the MOVEit server database and client information.

A couple of days after, the following big companies affirmed they were affected by the attacks:

  • the UK drugstore chain Boots
  • the airlines British Airways and Aer Lingus
  • the Nova Scotia Provincial government
  • the University of Rochester in New York

All of them fell victim to the exploitation and had data extracted via Zellis, their payroll and HR service provider. Nova Scotia Health has announced that the personal data of around 100,000 workers were stolen during the attack.

The Clop ransomware group and affiliated FIN11 threat group were believed to be involved in the mass vulnerabilities exploitation since they had earlier targeted vulnerabilities in file transfer solutions, taking advantage of zero-day vulnerabilities in Fortra’s GoAnywhere MFT and the Accellion FTA. Microsoft, Mandiant, and others ascribed the attacks to Clop/FIN11, with Microsoft ascribing the attacks to a Clop affiliate it monitors as Lace Tempest, and Mandiant ascribed the attacks to a recently made threat cluster it monitors as UNC4857, likewise connected to Clop/FIN11. Mandiant announced that it found evidence of data extraction at several businesses and that targeted programs were affected by a web shell known as LEMURLOOT. Shodan scans showed that over 2,500 cases of MOVEit software are compromised online and Censys said that the over 3,000 hosts operating the service were likely vulnerable.

Clop Ransomware Group Takes Responsibility for the Attacks

About one week after the information got out concerning the exploits, the Clop ransomware group took responsibility for the attacks and stated that it issued ransom demands together with threats to publish the stolen information if there are no ransom payments. The group gave breached companies up to June 14 to pay the ransom or they will suffer a data leak.

On June 7, 2023, the Federal Bureau of Investigation (FBI), and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a joint security notification and had a listing of suggested mitigations to minimize the effect of Clop attacks. On June 2, the Health Sector Cybersecurity Coordination Center (HC3) released a sector warning that the health and public health sector could possibly be at risk of vulnerability.

The number of victims is not yet known. The Clop group hasn’t openly said how many GoANywhere MFT attacks they did, however, it is likely in the hundreds. If the group starts leaking stolen data from June 14, the size of the attacks could be made clearer and the full scope of the vulnerability exploitation could be understood.

Clop Already Knew About the Vulnerability for Two Years

According to Cybersecurity company GreyNoise, it tracked scanning activity linked to the vulnerability to March 3, 2023. Security specialists at Kroll stated they identified information that suggests Clop was testing methods of vulnerability exploitation and getting information in April 2023; nevertheless, they likewise discovered proof of the same manual activity associated with the exploit since July 2021, indicating the Clop group knew about the vulnerability for about two years. The researchers point out they delayed their action until they had the automation applications that would enable mass exploitation.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at