Last weekend the Clínic de Barcelona reported that it had been seriously affected by a “ransomware-type cyberattack”. In the investigation initiated after the incident, it was indicated that those responsible for this cyberattack were the members of the group RansomHouse. Who are they and how do they act?
According to BleepingComputer, RansomHouse is believed to have started its activity in December 2021. The first mention of this group came with the publication of a ransomware called White Rabbit. RansomHouse apparently helped develop this malware, while stating that it did not use ransomware in its own attacks.
White Rabbit ransomware release notes first mentioning RansomHouse (in this case Ransom House, with space). Source: Bleeping Computer.
Its first victim was the Saskatchewan Liquor and Gaming Authority (SLGA), as reflected in the list of extorted companies and entities on the RansomHouse website, which can be accessed from the Dark Web. There the URL addresses of the attacked and extorted victims are listed, increasing the exposure of those companies and using that information as an additional method of extortion.
The attacks have continued ever since, and in certain cases those affected have been companies such as AMD, from which 450 GB of data was stolen.
Information published by RansomHouse about the cyberattack on AMD. According to the group, some employees used passwords that were too simple, which allowed attackers to gain access to its systems. The information, they say, ended up being sold in September 2022.
On that occasion, BleepingComputer managed to contact the members of RansomHouse, who explained that they had not even tried to contact AMD because “we consider it a waste of time: it will be more valuable to sell the data than to wait for those responsible for AMD to react with all the bureaucracy that implies.”
Message on RansomHouse’s Telegram channel about their cyberattacks on Shoprite, AHS and AMD.
Other cyberattacks for which they were allegedly responsible include those on ADATA, a Taiwanese hardware manufacturer (which denied such an attack); the African supermarket chain Shoprite (whose data they claim to have sold); and Keralty, a Colombian private healthcare company that operates in Latin America, Spain, the US and Asia. It is not clear whether this last cyberattack is related to the one suffered by the Clínic de Barcelona.
Ethical hackers going elsewhere?
The activity of this group, according to the experts, is somewhat different from that of other groups of this kind: RansomHouse is not an independent operation, but emerges from within other groups of cyber attackers.
Screenshot of the RansomHouse website on the Dark Web with the latest companies that have been attacked and their URLs.
A Cyberint report from May 2022 revealed that this group could be made up of cybersecurity experts tired of trying to get rewards for detecting security flaws in companies and entities.
It is believed that they may be members of Blue Teams and Red Teams. The former are ethical hackers who defend companies against cyberattacks by closing security holes, while defending against members of the Red Teams, who are precisely the ones trying to find vulnerabilities and infiltrate systems.
These teams, working offensively and defensively, can help companies improve their security, but according to Cyberint data, RansomHouse members grew tired of not being compensated as they believed they deserved and ended up making the leap to this type of organization to extort money from those affected.
Even so, in conversations captured by Cyberint in Telegram groups, RansomHouse members displayed a “polite” attitude:
“They don’t get drawn into irrelevant discussions. They claim to be very liberal and pro-freedom. They don’t want to mix business and politics and announce that they will never work with radical hacktivists or spy groups. Although the obvious goal of the group is personal gain, they try to make it as painless as possible for their victims and they behave in a direct way.”
Who are RansomHouse according to the members of RansomHouse themselves
Meanwhile, on its website on the Dark Web, RansomHouse defines itself as “a community of professional mediators”:
“We do not produce or use any ransomware. Our main goal is to minimize the damage related parties may suffer. RansomHouse members prefer common sense, good conflict management and smart negotiations in an effort to achieve compliance with obligations of each party rather than having non-constructive discussions. These are necessary and sufficient principles that lead to amicable agreements and sometimes even subsequent productive and friendly cooperation.”
The message from this group emphasizes that, according to them, these threats help to “raise awareness in the private sector” about security problems. “Unfortunately,” they stress, “most of the time CEOs prefer to close their eyes to cybersecurity by saving budget on their staff or mindlessly spending huge amounts of money, which inevitably leads to vulnerabilities.”
For this community, those to blame for these cyberattacks “are not those who found the vulnerability or carried out the hack”, but the cybersecurity managers of those companies, who “didn’t put a lock on the door and left it wide open, inviting everyone in.”
The assumption that members of this group believed themselves to be undercompensated in their earlier days is supported by what they say next: “On rare occasions you can find gratitude and ridiculously small payments that don’t cover even 5% of the efforts of an enthusiast.” Therefore, they explain:
“Groups of data malpractice enthusiasts have sprung up, eager to get paid fairly by rationalizing this chaos through public punishment. These methods of making money and pointing out corporate mistakes can be controversial, and when you remember we’re talking about corporations with billionaires on the other side, it’s clear why dialogue is so important to the RansomHouse team. That’s what this project is all about: bringing conflicting parties together, helping them engage in dialogue, and make informed and balanced decisions. RansomHouse strives to find a way out of even the most difficult situations and allow both parties to move forward without changing the rules on the fly. Incompetence and rowdiness are unacceptable when it comes to these cases, which is exactly what happens most of the time. Here and now we are creating a new culture and streamlining this industry.”
Those responsible for RansomHouse add that the affected companies that refuse to pay for this type of work “will face legal and reputational costs”. They state that in such cases they will not only disclose the information on their website or official Telegram channel, “but we will also draw the attention of journalists, the public and third parties to the problem and do everything necessary to make the incident as public as possible”. Even so, they assure:
“We are strictly against the suffering of anyone who has been a victim of other people’s irresponsibility and leaks. To the best of our ability, we help them by giving them the opportunity to make a request through our official Telegram channel and have their data package removed from the shared set before it is published.”
As Cyberint explains, RansomHouse theoretically takes charge of stealing the data and then initiates negotiations so that the affected entities can prevent that data from being sold to other interested parties or publicly exposed.
RansomHouse claims that it does not encrypt information, as usually happens in ransomware attacks, but curiously its website does display the label “Encrypted”, as if it had performed that action on the data of those entities.
In fact, another section of its website explains that the affected organization should not go to security agencies and must pay the negotiated amount to a bitcoin wallet, after which RansomHouse will delete all the information from its servers, back doors will be removed, some security recommendations will be shared and, if necessary, “the decryption software and guides and help will be offered.”
The Hospital Clínic gradually returns to normality
Meanwhile, the work of recovering normality continues at the Clínic. In their most recent communiqué, those responsible have indicated that work continues to normalize the situation. Outpatient consultations have been gradually reactivated, and part of the surgical activity has also been recovered.
Blood draws and oncology radiotherapy continue to be postponed, and care is being taken to ensure patient safety. The activity that cannot be carried out at the Clínic at the moment is being transferred to other hospitals. It has not been indicated whether this return to activity has had anything to do with some type of negotiation with those responsible for the cyberattack.