Exclusive HCRG Care Group, a private health and social services provider, has seemingly fallen victim to the Medusa ransomware gang, which is threatening to leak what’s claimed to be stolen internal records unless a substantial ransom is paid.
Previously known as Virgin Care and now owned by Twenty20 Capital, HCRG runs child and family health and social services across the UK for the NHS and local authorities, with a workforce said to number 5,000. Its annual turnover to March 2023, its latest available figure, was just shy of £250 million ($315 million).
In an update on its dark-web site, the Medusa crew claimed it had stolen 2.275 TB of data from HCRG, and will either sell that information to a buyer for $2 million (£1.6 million), delete its copy of that info for the same amount, or leak it all online if no one pays up by February 27.
Additionally, the gang claims it will delay the release for $10,000 (£8,000) per day, presumably to keep negotiations open. It has already leaked samples, totaling 35 pages, of what’s said to be pilfered information, including passport and driving license scans, staff rotas, a birth certificate, and data from background checks.
Tick-tock … Medusa’s ransom demand on its Tor-hidden site against HCRG Care Group. We’ve redacted a URL to where miscreants can download a list of files in the supposedly swiped data
“We can confirm that we are currently investigating an IT security incident and have recently identified a post on the dark web by a group claiming responsibility,” a spokesperson for HCRG told The Register Wednesday.
“Our team has not observed any suspicious activity since the implementation of immediate containment measures, and we are working with external forensic specialists to investigate the incident. Our services are continuing to operate and safely see patients, and those with appointments or who need to access our services should continue to do so.”
For now, then, HCRG is still operational – a stark contrast to what happened in Texas last year, when the University Medical Center in Lubbock was forced to severely limit operations and turn away ambulances following a ransomware attack. In HCRG’s case, it appears Medusa has skipped over encryption, opting instead to steal data and hold it for ransom.
Medusa surfaced in late 2022, primarily targeting Windows environments. According to Palo Alto Networks’ Unit 42, it mainly targets five sectors: Technology, education, manufacturing, healthcare, and retail. US organizations are the gang’s top victims, with UK firms following closely behind.
The HCRG incident marks the second high-profile attack from Medusa this year against a British organization. Last month, it claimed it had pulled a similar heist against Gateshead Council. Despite the gang’s threats, the council refused to pay the $600,000 ransom, leading Medusa to publish what’s said to be stolen data online.
It’s likely HCRG will refuse to play ball, too. And even if the healthcare group did pay, there’s no guarantee Medusa wouldn’t double-dip by selling the data anyway. And according to security shop Cybereason, last year 78 percent of organizations that paid a ransom were attacked again, with 63 percent facing demands for an even larger payout the second time around. ®