Notorious ransomware group claims responsibility for local hospitals cyberattack
A nefarious band of cyber-criminals called ‘Daixin Team’ is claiming to be the group responsible for the recent cyberattack that stole millions of sensitive files from five southwestern Ontario hospitals and published some of that data after ransom demands were denied.
The hackers were able to take down the hospitals’ shared systems, operated by TransForm, on Oct. 23, 2023, blocking access to patient records and leaving the hospitals to resort to paper records to process patients.
Aside from disabling the hospital group’s systems, the hackers also stole large amounts of data, including personal information and hospital records of patients and staff.
The criminal organization claims to possess millions of pieces of data it stole.
On Thursday, the hospitals acknowledged the data was being published after they refused to bend to ransom demands from the hackers, a number purported to be in the millions.
"The perpetrators are a sophisticated web of people who extort the healthcare sector," said Windsor Regional Hospital president David Musyj at Thursday’s regularly scheduled board meeting. "We are not the first healthcare system to be struck by these bandits and we will not be the last."
CTV has obtained a link to the leaked information, which exists on the "dark web."
According to databreaches.net, Daixin Team shared information with them regarding the cyberattack, including a back-and-forth exchange between a negotiator and Daixin before the ransom deadline.
In that thread, the person negotiating on behalf of the hospitals and TransForm indicated the hospitals are unwilling to pay.
“We have strongly considered your demands, but we cannot pay. We have to use our money, all of our money, for our patients,” the negotiator said in the thread.
“We understand that this will upset you. But please know this: cancer treatment is being cancelled. Surgeries are being postponed. Our patients are hurting. We are doing our best to restore our operations, and we will recover. But this attack has resulted in actual pain and suffering,” the negotiator said.
“We cannot pay, and we are asking you to delete the data and leave us alone. Our patients and staff have endured enough,” said the thread posted to Databreaches.net.
The response back from Daixin before the ransom deadline indicated the fastest way to restore hospital systems is payment.
“Either way — we’re not upset, we’ll pour your data into our leak site after the timer expires,” said Daixin in the databreaches.net thread. “We understand that money is more important to you than patients — we’re alike in that.”
Windsor Regional Hospital has not confirmed the authenticity of the exchange. Bluewater Health has not yet responded to interview requests made Friday.
Local police, including the OPP, are investigating the cyberattack, along with the FBI and INTERPOL.
The FBI and Homeland Security in the U.S. have issued a warning separately about the Daixin Team targeting hospitals.
The advisory describes Daixin as a "... cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations." It goes on to say that "The Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022."
The affected hospitals in this latest cyberattack include Bluewater Health in Sarnia, Windsor Regional Hospital, the Windsor-Essex Hospice and Hotel Dieu Grace Healthcare in Windsor, Erie Shores Healthcare in Leamington and Chatham-Kent Health Alliance.
According to Musyj, restoring access to critical systems could take some time.
"This is not something you can do overnight. This will take time, this will take weeks," he said. "We are hopeful that over the next few weeks we'll be able to bring back our clinical applications one by one."
Musyj indicates the process to fully restore systems in a safe manner is being handled by experts with a lot of experience in this realm.
One of the more prominent impacts was at the cancer centre in Windsor, where cancer radiation treatment had to be moved to other jurisdictions until the systems are back up and running.
"Our collective focus is on cancer patients and getting those systems up quickly but safely we're doing our very best to recover as safely and quickly as possible," Musyj said.
Information technology experts say institutions around the world are targeted for ransoms, but sometimes, it’s simply about bragging rights.
"One big thing with hackers, we find, when they can say, ‘hey, we've done this’ and they want to give themselves a little pat on the back," said Frank Abbruzzese, the president of AlphaKOR in Windsor.
"The hackers themselves, whether we like it or not, they're probably taking great pride in their own little victory," he said. "But no money."