Cyber Incident Victim: Sigmund Software
Date: Mar 2022
Location: United States of America
Summary
Sigmund Software experienced a simultaneous ransomware attack by two groups, Hive and Spy, resulting in data exfiltration and encryption. Hive had unauthorized access to the network for six months, stealing 160 GB of files including application source code, customer financial data, and personal information, and encrypted a backup server; Spy encrypted the primary files before Hive could act. The company paid Spy $675,000 for decryption but refused Hive’s $500,000 demand, after which Hive leaked corporate and tax-related data from affiliated entities; samples contained limited personal and protected health information. The incident disrupted operations and exposed sensitive business and client details.
Description
On September 12, 2022, Sigmund Software, a subsidiary of VSS Medical Technology, experienced a dual ransomware attack involving the Hive and Spy threat groups. Hive had maintained unauthorized access to Sigmund’s systems for six months prior, during which they exfiltrated 160 GB of data including application source code (Aura, Aura Mobile App), prototypes, corporate tax documents, budgets, cash flow statements, customer company information, and client private details such as addresses and passwords. Hive encrypted a backup server as proof of compromise but were preempted by Spy, who encrypted Sigmund’s primary files before Hive could execute their own encryption. Hive notified Sigmund via email on September 12, disclosing their access period, data theft, and the placement of a persistent backdoor for future network re-entry. They threatened to release stolen data unless paid $500,000.

The following day (September 13), Hive learned Sigmund was negotiating exclusively with Spy, who demanded $750,000 for decryption keys. Hive escalated demands, insisting Sigmund pay both groups a combined $1.25 million and warning that refusal would trigger continuous network attacks every two weeks and harassment of Sigmund’s customers via emails and calls. Sigmund paid Spy $675,000 for decryption keys, though the effectiveness of the keys remained unverified. Hive, unpaid, subsequently leaked the stolen data, which included files from other VSS-affiliated entities like MedicFusion and New England Medical Billing. Initial analysis of the dump revealed corporate financial records and tax documents but no electronic health record (EHR) databases. A sample provided by Hive to Sigmund on September 13 contained personal and protected health information (PHI), though broader PHI exposure in the full leak was unconfirmed. The incident disrupted Sigmund’s operations, exposed sensitive customer and corporate data across multiple VSS subsidiaries, and resulted in significant financial losses from the ransom payment. No public containment measures or post-incident responses from Sigmund were documented.
