Hacker group invades exam lab in Brazil and leaks passwords | Antivirus and Security

Grupo Meddi operates a chain of exam laboratories in Bahia under the brands Meddi, Multimagem and IHEF, and has agreements with several health plans. As Tecnoblog found, the company fell victim to the Avaddon ransomware, which encrypted a large amount of data. The attacker responsible exposed access passwords and financial documents, and threatens to leak more confidential information if no payment is received.

Avaddon teaches user to visit dark web to retrieve files (Image: Reproduction / Hornet Security)

“Meddi Laboratório, you have 240 hours to contact and cooperate with us”, the group warned on Tuesday (16) on its dark web site. “If it doesn’t, we will leak all important and confidential documents from your company, as well as financial reports and more.” The group does not reveal the ransom amount, which in such attacks is usually charged in bitcoin to make tracking difficult.

As a sample, the page includes a screenshot with logins and passwords for the portals of more than 20 health plans. There is also an accreditation agreement; a breakdown of Multimagem’s cash flow for January 2020 and November 2018; and the lease for a hematology institute.

Leaked image has logins and passwords (Image: Reproduction)

The leak also contains personal data such as doctors’ identity cards, registrations with the CFM (Federal Council of Medicine), diplomas and certificates.

Avaddon doctor's identity card leaked (Image: Reproduction)

Meddi responds

Meddi’s IT staff was unaware of this extortion attempt and only learned about it when Tecnoblog got in touch. The company maintains, however, that the servers affected by the ransomware stored only internal information, not patient data such as test results.

“Grupo Meddi clarifies that, upon being contacted by Tecnoblog, it became aware of a criminal act in progress on the deep web, involving the negotiation of administrative data of the companies that make up the Group”, says the official statement released this Wednesday (17).

To deal with the situation, Meddi formed a committee with professionals from the IT and information security, commercial, communications and legal areas. The company is notifying people whose data was improperly accessed, such as doctors, as required by the LGPD (General Law for the Protection of Personal Data). It also changed the passwords of affected users and services, and filed a police report with the Civil Police of Feira de Santana (BA).

In addition, the company is preparing a security incident report detailing the corrective actions that will be taken, including:

  • review of firewall rules and communication between the group’s VPNs;
  • creation of VLANs by service and area to facilitate the blocking of potential undue traffic;
  • implementation of SIEM (security information and event management) software, used to monitor access logs;
  • implementation of an IPS (intrusion prevention system), which allows responding to attacks more quickly by identifying potential threats.
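To make concrete what “monitoring access logs” with a SIEM means in practice, here is an added example that is not code from Grupo Meddi or from any SIEM product: a small Python rule that runs over a few constructed authentication log lines and flags a burst of failed logins from one source, and a successful login that follows such a burst (the pattern a leaked or guessed password tends to leave behind). The log format, the threshold, the time window and the IP addresses are all assumptions made for the example.

```python
"""Minimal SIEM-style rule over access logs (hypothetical example).

Flags brute-force patterns: many failed logins from one source within a short
window, and a success from that source while the failure count is still high.
Not code from Grupo Meddi or from any SIEM vendor.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; the syslog-like layout is an assumption.
SAMPLE_LOG = """\
2021-02-10T02:14:01 auth sshd: Failed password for admin from 203.0.113.7
2021-02-10T02:14:05 auth sshd: Failed password for admin from 203.0.113.7
2021-02-10T02:14:09 auth sshd: Failed password for admin from 203.0.113.7
2021-02-10T02:14:13 auth sshd: Failed password for admin from 203.0.113.7
2021-02-10T02:14:17 auth sshd: Failed password for admin from 203.0.113.7
2021-02-10T02:14:21 auth sshd: Accepted password for admin from 203.0.113.7
2021-02-10T09:30:00 auth sshd: Failed password for joao from 192.0.2.15
2021-02-10T09:30:45 auth sshd: Accepted password for joao from 192.0.2.15
"""


def parse_line(line):
    """Return (timestamp, outcome, user, source_ip), or None for non-auth lines."""
    parts = line.split()
    if len(parts) < 9 or parts[3] not in ("Failed", "Accepted"):
        return None
    return datetime.fromisoformat(parts[0]), parts[3], parts[6], parts[8]


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return a list of (alert_type, source_ip, user, timestamp) tuples.

    - "brute_force": the source reached `threshold` failures inside `window`.
    - "success_after_failures": a login succeeded from a source whose recent
      failure count is still at or above `threshold`.
    """
    failures = defaultdict(deque)  # source ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ts, outcome, user, ip = event
        recent = failures[ip]
        # Drop failures that fell out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if outcome == "Failed":
            recent.append(ts)
            if len(recent) == threshold:  # fire once per burst
                alerts.append(("brute_force", ip, user, ts))
        elif len(recent) >= threshold:
            alerts.append(("success_after_failures", ip, user, ts))
            recent.clear()  # start over after reporting the success
    return alerts


if __name__ == "__main__":
    for alert_type, ip, user, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {alert_type:24} user={user} source={ip}")
```

Run as a script, the example reports a brute-force burst against `admin` from 203.0.113.7 and the success that follows it, while the single typo-then-success from 192.0.2.15 stays quiet. A real SIEM rule would read a log pipeline rather than a string and would add context (business hours, known VPN ranges, the account’s privilege level), but the sliding-window counting is the same.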

Meddi suffered two security incidents

The statement did not elaborate on the attack itself, but Meddi suffered two security incidents this month. In its official Instagram account, Meddi Laboratório reported on February 4 that it was delayed in scheduling exams and delivering results “due to instability in our operating system”.

Days later, it released a new statement: the system “went down on Wednesday, 10/02, due to an information security incident”. In both cases, the cause was the Avaddon ransomware, according to Tecnoblog’s findings.

Multimagem and IHEF, which also belong to the Meddi Group, published the same notices on their respective Instagram accounts. The posts do not mention the hacker attack.

IHEF warns of “security incident” (Image: Reproduction / Instagram)

What is Avaddon?

Avaddon operates with an affiliate program: people interested in using the ransomware that another criminal created pay its author a commission ranging from 25% to 35% of the ransom received, depending on the number of victims. This model is known as Ransomware as a Service, and it has driven up the number of attacks over the past year.

Those responsible for Avaddon adopt the tactic of double extortion: they encrypt the victim’s data using a single AES256 key and charge a ransom to release it; if the victim has a backup, they then charge not to leak the stolen information.

Avaddon says Meddi has 240 hours to cooperate (Image: Reproduction)

This type of crime emerged, in part, as a response to personal data protection laws such as the GDPR in Europe and the LGPD in Brazil. In this scheme, the attacker analyzes the compromised system and collects the most sensitive information. If the victim has a backup, he still has a card up his sleeve: pay the ransom so you don’t have to pay a government fine.

The ANPD (National Data Protection Authority) will only be able to apply fines under the LGPD as of August 2021. However, people affected by a leak can already file a lawsuit.

The website DataBreaches.net, which discovered the security incident at Meddi, also mentions two other recent victims of ransomware in the healthcare industry: a laboratory in Italy and a company in the USA that runs hospitals and clinics.
