
LockBit ransomware operators, using the evolved LockBit 5.0 ("ChuongDong") variant together with the StealBit exfiltration tool, have carried out successful double-extortion campaigns against Insight Hospital and Medical Center and Capital Health. The Insight Hospital breach involved the exfiltration of ~200 GB of sensitive PHI/PII, including Social Security numbers and treatment records. Capital Health suffered a 7 TB data theft that led to a $4.5 million legal settlement. These attacks combine evasion techniques, including EtwEventWrite API patching, with cross-platform payloads (Windows, Linux, and ESXi) to bypass modern security defenses, and then publish stolen data on dark web leak sites to maximize extortion pressure.

  • Incident/Breach Overview: Healthcare Infrastructure Compromise

    • Targeted Facilities: Insight Hospital and Medical Center (Chicago) and Capital Health (New Jersey/Pennsylvania).
    • Data Impact: Massive exfiltration of Protected Health Information (PHI) and Personally Identifiable Information (PII), including SSNs, birth dates, and medical records.
    • Breach Scale: Insight Hospital reported ~200 GB of stolen data; Capital Health suffered a significantly larger loss of 7 TB (over 10 million files).
  • Attack Vector/Campaign Mechanics: LockBit 5.0 & StealBit Evasion

    • Initial Access: Exploitation of network vulnerabilities, compromised credentials, or targeted phishing to establish persistence.
    • Exfiltration Strategy: Use of the purpose-built StealBit tool to facilitate high-speed, large-scale data theft prior to any encryption activities.
    • Evasion Techniques: Deployment of LockBit 5.0 features including EtwEventWrite API patching, event log clearing, and execution delays to circumvent EDR/SIEM detection.
  • Threat Group Profile: LockBit 5.0 ("ChuongDong") Evolution

    • Payload Architecture: A modular approach using a Loader (utilizing XOR and LZ compression) and a Ransomware component (employing ChaCha20 + Curve25519 encryption).
    • Platform Versatility: Advanced cross-platform targeting capabilities affecting Windows, Linux, and VMware ESXi virtualization environments.
    • Extortion Dynamics: Evolution toward "pure exfiltration" models, as seen in the Capital Health attack, where encryption is withheld to minimize clinical downtime while maintaining leverage via data leaks.
  • Impact & Regulatory Consequences: Legal and Financial Fallout

    • Litigation and Settlements: Capital Health reached a $4.5 million settlement to resolve class-action litigation stemming from its 2023 breach.
    • Regulatory Scrutiny: Heightened oversight from the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) regarding HIPAA compliance.
    • Operational Disruption: Significant impacts on patient care, including appointment cancellations, outpatient radiology disruptions, and emergency room diversions.
  • Technical Indicators & Defensive Hardening

    • Detection Markers: Monitor for StealBit-related egress patterns and anomalous calls to the EtwEventWrite API.
    • Endpoint Mitigation: Enforce robust Multi-Factor Authentication (MFA) and harden RDP/VPN endpoints against credential-based attacks.
    • Resilience Strategy: Implement immutable, offline backup solutions and prioritize the segmentation of critical medical device networks.
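As an added example (not code from the briefing or from LockBit tooling), a defender-side integrity check for the EtwEventWrite detection marker above: it classifies the first bytes of ntdll!EtwEventWrite against the early-return and jump patterns that ETW-blinding patches leave behind, and on Windows reads the live bytes from the current process with ctypes. The patch signatures are general defender knowledge, and the clean sample prologue is a constructed stand-in, not an indicator taken from the briefing.

```python
"""Integrity check for ntdll!EtwEventWrite (added example, Windows-oriented).
ETW-blinding patches overwrite the function's first bytes with an early return
or a jump so ETW providers silently stop logging; this classifies those bytes."""
import sys
from typing import Optional

# Early-return prologues that patched EtwEventWrite functions commonly carry
# (defender knowledge; not indicators taken from the briefing).
EARLY_RETURN_PATCHES = {
    b"\xc3": "ret",
    b"\x33\xc0\xc3": "xor eax,eax; ret",
    b"\x48\x33\xc0\xc3": "xor rax,rax; ret",
}

# Constructed stand-in for an unpatched prologue, used only for the self-test.
SAMPLE_CLEAN_PROLOGUE = b"\x4c\x8b\xdc\x48\x83\xec\x58\x48"

def classify_prologue(mem: bytes, disk: Optional[bytes] = None) -> str:
    """Return 'clean', 'patched:<why>' or 'hooked:<why>'. `mem` is the first bytes
    of EtwEventWrite as mapped in the process; `disk` is the same range from the
    on-disk ntdll.dll when available (a byte-exact match is the strongest evidence)."""
    if disk is not None and mem[:len(disk)] == disk[:len(mem)]:
        return "clean"
    for sig, name in EARLY_RETURN_PATCHES.items():
        if mem.startswith(sig):
            return f"patched:{name}"
    if mem.startswith(b"\xb8") and len(mem) >= 6 and mem[5] == 0xC3:
        imm = int.from_bytes(mem[1:5], "little")      # mov eax, imm32; ret
        return f"patched:mov eax,0x{imm:08x}; ret"
    if mem.startswith(b"\xe9"):                       # jmp rel32
        return "hooked:jmp rel32"                     # may be a legitimate EDR hook
    if mem.startswith(b"\xff\x25"):                   # jmp [rip+disp32]
        return "hooked:jmp indirect"
    return "patched:differs from on-disk image" if disk is not None else "clean"

def read_live_prologue(n: int = 8) -> bytes:
    """Read the first n bytes of EtwEventWrite from this process (Windows only)."""
    if sys.platform != "win32":
        raise OSError("live check requires Windows; use classify_prologue on captured bytes")
    import ctypes
    ntdll = ctypes.WinDLL("ntdll")
    addr = ctypes.cast(ntdll.EtwEventWrite, ctypes.c_void_p).value
    return ctypes.string_at(addr, n)

if __name__ == "__main__":
    print("EtwEventWrite:", classify_prologue(read_live_prologue()))
```

A "hooked" verdict is not proof of tampering on its own: EDR user-mode hooks also redirect the prologue, so compare against the on-disk image or the vendor's known hook targets before raising an alert.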
