RansomHouse, the group of hackers that last Sunday attacked the Clínic hospital, is a rare bird in the world of this type of criminal organization. From the modus operandi to their specialization in attacking health centers -although not exclusively-, going through the fact that they have several messaging channels on Telegram and one of them is open to journalists who want to ask them something. Last Monday, on that channel, someone asked them if they were the perpetrators of the attack on the Clínic, but received no response. In fact, there is no conversation between any journalist, which could indicate that it is just a staging to make believe that they are what they are not.
They have taken almost a week to show signs of life. It was not until last Friday that they gave a sample of the 4 terabytes of data that they have stolen and for which they ask for a ransom of 4.25 million euros. According to a cybersecurity expert, who prefers to remain anonymous, “this figure is in the average of what is usually requested in similar attacks.”
This is surprising and there are already sources on cybersecurity issues that are beginning to think that perhaps this group was not the author of the attack. It is known about the relationship between RansomHouse and White Rabbit, another group of hackers. “It could be that RansomHouse is a kind of second brand that is using White Rabbit as a front to present itself as a group dedicated to ethical hackers, like a kind of Robin Hood of computer security,” explains this expert. “But in any case, Ransom House’s methods are far from those used by white hat hackers, who would never attack a company without their consent and never cause the damage that this attack has caused,” he adds.
At the moment, neither in any of their Telegram channels, nor in their darknet web page have they published the leaked data, but since the Clínic and the Generalitat have already said that they are not going to drop a penny, sooner or later they will appear on somewhere. On the other hand, on Tuesday, the Clínic already recovered a certain normality and throughout the week it has been gradually recovering. “This type of infiltration will continue to happen, they are inevitable. What makes the difference is the time it takes to recover access to the affected systems and that indicates how well or poorly prepared the company or institution that has suffered was. the attack”, adds this expert.
In this sense, and from what can be seen and read on its website, RansomHouse does not present itself as a group whose primary intention is to break into anyone’s servers to steal information or encrypt them and, in both cases, request a subsequent rescue. “The very possibility of such incidents occurring is a strong incentive to make the private sector, corporations and the public aware of data privacy and security issues, and should make those involved in data collection and storage of third-party personal data be respectful of their responsibilities,” says RansomHouse.
For this reason, they say, they regret that “unfortunately, more often than not, CEOs prefer to close their eyes to cybersecurity by saving budget on their staff or spending large amounts of money without thinking, which inevitably leads to vulnerabilities.”
And they affirm that they have “nothing to do with security breaches and we do not produce or use ransomware. Our main objective is to minimize the damage that related parties may suffer.” They are also convinced that in the case of cyberattacks “the culprits are not those who found the vulnerability or executed the hack, but those who did not take care of security properly. The culprits are those who did not lock the door leaving it wide open and inviting everyone to enter”.
The trap in this speech, which could lead one to think that we are dealing with a group of ethical and well-intentioned hackers, is twofold. On the one hand, “on their website, you can see that along with the data they have stolen, they explain to the victims how they have managed to carry out the attack, what vulnerabilities they have exploited and how, which is not exactly the same as explaining to someone how to protect themselves from an attack”, says the cybersecurity expert consulted.
On the other, his work is anything but selfless. “Corporations respond to the notice that their doors are wide open in the negative, with direct threats or silence. In rare cases, one finds gratitude and ridiculously small payments that don’t cover even 5% of the efforts of Well, the backlash is understandable, because the company’s management will have a hard time explaining the millions of dollars spent on security audits and the high salaries of security personnel to its shareholders, if some freelancer points out the mistakes they made. have committed,” RansomHouse says.
These hackers disguise the ransom that these types of groups ask their victims to free their systems and not make the information public as remuneration for the services provided -even though no one has asked them- for pointing out the vulnerabilities they have found. Perversely, they turn their victims into involuntary, but paying customers.
At the very least, they acknowledge that “these methods of making money and pointing out companies’ mistakes can be controversial, and when you remember that we’re talking about multi-billion dollar corporations, it becomes clear why the RansomHouse team is so important in bringing a dialogue (…) Here and now we are creating a new culture and modernizing this industry,” they say.
But then comes the threat: “Unfortunately, companies that refuse to negotiate and reject reasonable arguments, companies that are not willing to pay for this type of work, will face legal and reputational costs. To highlight these cases, we will not only to disclose information on our website and official Telegram channel, but also to attract the attention of journalists, the public, and to do everything necessary to make the incident as public as possible.Access to information is one of the foundations of a civilized society and a way for it to rise above itself and overcome challenges,” says RansomHouse.
And so that there is no doubt that they behave like a company, on their website there is a section of Terms of Service, which specifies how the payment must be made. First, you have to send a bitcoin to a wallet as a verification procedure, after which, the “client” must proceed to pay the rest of the agreed amount. RansomHouse expressly prohibits any police department, CIA, FBI, NSA or any other law enforcement agency or department. Nor do they allow the “negotiation” to be carried out by a third party on behalf of the company or institution attacked.
Failure to comply with either of these two things means “the end of all negotiations and the agreements reached. In this case, the information obtained will be made public on the web, on the Telegram channel, as well as to all the people involved and affected On the other hand, if the negotiations come to fruition -that is, if the victim pays- “all the information uploaded will be deleted from the team’s servers; all posts/websites/pages etc. posted by the team and associated with the data leak will be deleted; all backdoors exploited by the team will be removed; the team will not share personal data with third parties; a list of information security recommendations will be provided to the person in charge of the company; decryption software, guidance and support – some of these groups have call centers like any company – will be provided if needed and the team will never use current vulnerabilities for future attacks. In case new vulnerabilities emerge, the company will be notified.” But, of course, who knows.
