Ransomware Gang Auctions Off US Healthcare Data for Bitcoin

Crozer-Keystone Health System recently suffered a ransomware attack by the NetWalker ransomware gang. The gang is now auctioning the system’s stolen data through its darknet website. If it is not purchased at auction within six days, the gang has vowed to leak the data.


On June 19, Cointelegraph was able to access the alleged publication. There appeared to be dozens of folders with an undisclosed amount of data, mostly concerning finances, but nothing related to medical records of patients.

The gang claims that Crozer-Keystone Health System failed to pay for the ransom they demanded in Bitcoin (BTC).


Crozer-Keystone is a health system made up of four hospitals. It is based in Delaware County, Pennsylvania, and serves Delaware County, northern Delaware, and parts of western New Jersey.

No major details were given by the health system on the attack

The healthcare system addressed the incident via DataBreaches.net. They did not provide details regarding the ransom amount, or confirm whether patient data was compromised:

“After quickly identifying a recent malware attack, the Crozer-Keystone information technology team took immediate action and began remediating impacted systems. Having isolated the intrusion, we took necessary systems offline to prevent further risk. We completed this work in collaboration with cybersecurity professionals across our healthcare system and are currently conducting a full investigation of the issue.”

Hospitals attacked during COVID-19 pandemic

Speaking with Cointelegraph, Brett Callow, threat analyst and ransomware expert at malware lab Emsisoft, said:

“Attacking a hospital system is a despicable and unconscionable act, especially in the middle of a pandemic. A number of ransomware groups stated they would not attack healthcare providers for the duration of the pandemic and, somewhat surprisingly, they have been good to their word. NetWalker was not one of those groups.”

Callow warned about the dangers of such attacks, noting that they can be extremely disruptive and potentially put lives at risk. He recalled that during previous incidents, hospitals have had to effectively close their doors and reroute emergency patients to other hospitals:

“This is the last thing that’s needed at a time when healthcare services are already stretched to the limit due to Covid-19.”

In 2019, at least 764 US healthcare providers were impacted by ransomware, according to Emsisoft’s own research.

On June 10, Cointelegraph reported that risk solutions provider, Kroll, identified a growing trend in the use of the Qakbot trojan, or Qbot, to launch email thread hijacking campaigns that deploy ransomware attacks.

Source