Researchers: Ransomware Group Emerged Last Fall; Variant of Babuk Malware

A relatively new ransomware gang, Termite, has started leaking on its dark web site samples of the 700 gigabytes of sensitive data allegedly stolen in a recent attack on Australian fertility clinic Genea.
An Australian court has issued a restraining order to help stop further access, use, dissemination or publication of the data by the threat actor and any other third parties.
Genea, which has been operating for 40 years and is one of Australia’s largest fertility clinics, said in a statement that it first became aware of suspicious activity on its network on Feb. 14 and promptly launched an investigation and remediation efforts.
On Feb. 26, the investigation determined that threat actors had begun externally publishing data stolen from Genea patient management systems, the clinic said.
Affected information includes patient names, emails, addresses, phone numbers, Australian Medicare card numbers, private health insurance details, medical record numbers, patient numbers, dates of birth, emergency contacts and next of kin.
Compromised medical information includes patient medical history, diagnoses and treatments, medications, health questionnaires, pathology and diagnostic test results, doctors’ notes and appointment details.
Financial information such as credit card details and bank account numbers does not appear to be affected at this stage of the investigation, Genea said.
Genea on Feb. 26 said it was also granted a restraining order against the threat actors by the Australian Supreme Court in New South Wales.
A copy of the court order, which has redacted certain information, including the identity of the hackers and their dark web site, states that “defendants or any other person” are prohibited from publishing, communicating or disclosing any information or material obtained from the Genea dataset.
That dataset refers to “any information or material obtained in an unauthorized manner by the defendants from the plaintiffs’ IT network and IT systems.”
The restraining order covers data obtained from Genea’s Citrix environment, which the court document said was initially accessed on Jan. 31. Approximately 940.7 GB of data “departed the plaintiffs’ IT network and IT systems, including through any of the accessed servers to two remote IP addresses within a cloud server hosted by DigitalOcean on or around Feb. 14.”
The data was stolen from Genea’s application server for its primary patient management system, BabySentry and other systems, including the clinic’s primary file server, the court document said.
As of Friday, Termite’s dark web site claimed the group had at least 700 GB of data from Genea’s servers, “such as confidential, personal data of clients.” The leak site also showed several samples of Genea patient documents, including health questionnaires and egg donor reports.
Genea, in its statement about the incident, said that besides obtaining the court’s restraining order against the threat actors, the organization has also notified government authorities.
That included the Office of the Australian Information Commissioner and the Australian Cyber Security Centre. “We are meeting with the National Office of Cyber Security, the Australian Cyber Security Centre and other government departments to discuss the incident with them,” the clinic said.
Genea did not immediately respond to Information Security Media Group’s request for comment and additional details about the incident.
Other Infestations
Security researchers say Termite is a group that first appeared on the ransomware scene last fall.
“Termite is an English-speaking extortion group which allegedly steals data from organizations, threatening to leak this on a TOR-hosted data leak site unless a ransom is paid,” wrote researchers in a November 2024 report by threat intelligence firm Cyjax.
Researchers at threat intelligence firm Cyble said in a December 2024 report that Termite appears to be a new variant of Babuk ransomware and that the group was behind an attack in November 2024 that hit supply chain management platform Blue Yonder (see: Moody’s: Hackers Aim for Big Payouts in Supply Chain Attacks).
“Termite is essentially a rebranding of the notorious Babuk ransomware,” Cyble wrote. “Termite ransomware represents a new and growing threat in the cyber landscape, leveraging advanced tactics such as double extortion to maximize its impact on victims.”