The website of Fleury Medicine and Health displayed, this Thursday morning (24), a giant warning about the unavailability of its systems. The reason? A ransomware attack. Everything indicates that the company is the most recent victim of REvil (also known as Sodinokibi), a group that has already attacked JBS and the Rio Grande do Sul Court of Justice (TJRS), to mention only recent examples.
The invasion was detected on Tuesday (22). Since then, clients who undergo medical examinations at the company’s units — Grupo Fleury is one of the largest diagnostic medicine networks in Brazil — have faced difficulties in obtaining the results.
On social networks, Fleury has guided patients who complain about the unavailability of systems to request results through a registration in the company’s ombudsman, which has been done through Instagram Direct.
Many users report, however, that they are unable to obtain feedback from the company after sending the data for registration with the ombudsman. The main complaints involve lack of access to test results for the detection of COVID-19.
In a statement released on Wednesday, the company reports that examinations are still being carried out in all its units, but in contingency mode, which probably means that tasks such as scheduling and recording procedures are being performed without direct access to the systems.
Grupo Fleury has more than 220 service units and employs more than 10,000 employees.
REvil reportedly demanded a $5 million ransom
In the press releases published so far, Grupo Fleury has not confirmed that it was targeted by ransomware. But BleepingComputer reports that several sources specializing in digital security told it that the company was the victim of ransomware created by the REvil group.
With rare exceptions, the purpose of ransomware operations is to extort money from the victim. Here it is no different. BleepingComputer published a screenshot related to the Fleury attack showing that REvil reportedly demanded a ransom equivalent to $5 million to decrypt the affected systems and not leak company data.
The risk of a leak is a sensitive issue for any organization hit by ransomware. But in Fleury's case, the aggravating factor is the possibility of confidential patient information falling into the hands of third parties.
So far, there is no information about negotiations between Grupo Fleury and the attackers. In the statement published on Wednesday, the company says only that its database is intact and that security experts are working to resolve the problem:
In order to share updates on the restoration of our services after unavailability resulting from an attempt to attack our systems externally, we inform you that we have a group of highly specialized professionals in information technology and security advancing consistently with solutions to carry out a gradual and secure of our services.
It is worth noting that our database is complete and that service at all our units is still taking place through contingency action to ensure the provision of services to our customers, who continue to receive our focus of attention.
Fleury Medicine and Health
REvil works with affiliates
REvil, also known as Sodinokibi, is one of the most active ransomware groups today. Of presumed Russian origin, the group has operated since at least 2019 and runs a model of operation known as "ransomware as a service".
This means that the group recruits "affiliates" to carry out attacks with its ransomware and, if they succeed, takes a percentage of the ransoms they collect. This approach not only makes it harder to identify those responsible for the attacks, it also extends the malware's reach.
Several organizations have fallen victim to REvil. In April, the group gained notoriety for threatening Apple. In Brazil, one target was the Court of Justice of Rio Grande do Sul (TJRS). Another, more recent, was JBS, which paid an $11 million ransom to prevent a data leak.