A cybercrime group recently infected two plastic surgery studios with ransomware. They subsequently leaked patients’ social security numbers and other sensitive information onto the internet.

Emsisoft threat analyst Brett Callow told CryptoNewspeople on May 5 that Maze recently took credit for hacking a plastic surgeon named Kristin Tarbet. The group also claims to have hacked the Ashville Plastic Surgery Institute. He explained that in Tarbet’s case, the hackers have already leaked highly sensitive data:

“The data that has been posted included names, addresses, social security numbers as well as what appears to be before and after photos and photos taken during surgical procedures. The Maze group typically start by posting only a small amount of the data that was exfiltrated — it’s the equivalent of a kidnapper sending a pinky finger — so they may well have more data than has already been published.”

Callow explained that many ransomware incidents are caused by basic security failings. These include easy-to-crack credentials or unpatched remote access systems. He said that organizations should focus more on cybersecurity since “Maze uses a combination of strategies in order to gain access to networks including [Remote Desktop Protocol] exploitation, phishing, and spear-phishing.”

When it comes to the ransom requested by the hackers, he said that it cannot be known, but past attacks could serve as a guide:

“Only the criminals and the plastic surgeon will know the amount of the demand. In a previous case, Maze claimed their demand was $2 million: $1 million to decrypt the victim’s data and an additional $1 million to destroy the copy of it.”

More data to be leaked

When it comes to the Ashville Plastic Surgery Institute, the published data includes patient names, dates of birth, insurance details, patients’ implant order forms, before and after photos, and internal documents like income statements. Callow explained:

“This data dump is simply an initial warning shot. Should the company not pay, more data may be published.”

Callow said that this is not the first time the group has attacked two targets in the same industry. He explained that Maze’s victims often reside in the same geographic location or operate in the same industry. In a statement, Maze claimed that there is a reason behind those instances:

“We don’t need to use phishing attacks and slowly move from one target to another as we have the access to the hosting provider.”

From encrypting data to stealing it: the evolution of ransomware

In recent months, ransomware groups have started threatening to leak victims’ sensitive information if they are not paid. There was a time when ransomware groups would only render user data inaccessible and ask for a ransom to restore access to it. As CryptoNewspeople reported in late April, a cybercrime group has published personal and financial data from the Californian city of Torrance and threatened to release 200 gigabytes more after the city’s officials denied that any data was stolen.

In mid-April, the first major ransomware group — REvil — also announced that it intends to switch from Bitcoin (BTC) to the privacy-centric altcoin Monero (XMR). At the time, Callow said:

“Like other businesses, criminal enterprises adopt strategies that have been proven to work and, accordingly, if this switch proves successful for REvil, we’d expect to see other groups begin to experiment with demands in currencies other than bitcoin.”