Cyber Incident Victim: Keralty
Date: Nov 2022
Location: Colombia
Summary
The multinational healthcare organization Keralty experienced a ransomware attack by the RansomHouse group, disrupting IT systems, websites, and medical services across its network. The incident caused severe operational failures, including appointment scheduling breakdowns and manual processing delays, leading to extended patient wait times and compromised care. Attackers deployed malware encrypting files with the '.mario' extension and claimed exfiltration of 3 TB of data, though unverified. Contingency measures were implemented, but persistent service issues and patient distress were reported amid recovery efforts.
Description
On November 27, 2022, the Keralty Group, a multinational healthcare organization operating 12 hospitals and 371 medical centers across Latin America, Spain, the US, and Asia, suffered a ransomware attack attributed to the RansomHouse operation. The attack disrupted IT systems, websites, and operational capabilities for Keralty and its subsidiaries, including EPS Sanitas and Colsanitas, which provide healthcare services to over 6 million patients. Initial technical issues were reported by the company on November 28 without disclosing the cyberattack, but Keralty confirmed the incident in a public statement on November 29, attributing system failures to the breach. The ransomware variant used in the attack was identified as a modified version of RansomHouse's encryptor, previously known as "White Rabbit" but renamed "Mario" during this incident, which appended the ".mario" extension to encrypted files and dropped ransom notes titled "How To Restore Your Files.txt." Evidence of the attack surfaced when a Twitter user shared a screenshot of a compromised VMware ESXi server displaying a ransom note addressed to "Dear Keralty," prompting cybersecurity analysts to link it to RansomHouse. BleepingComputer independently verified RansomHouse's involvement through a source, with the threat actors claiming the attack occurred on November 27 and resulted in the theft of 3 terabytes of data, though this data exfiltration claim remained unconfirmed.

The attack severely impacted Colombia's healthcare system, with local media documenting patient wait times exceeding twelve hours at affected facilities, instances of individuals fainting due to delayed care, and widespread disruptions to medical appointment scheduling. Keralty activated contingency plans to maintain services, including manual authorization processes for prescriptions and procedures, and reported the incident to law enforcement authorities for criminal investigation. However, patient complaints on Keralty's November 27 Facebook post highlighted persistent challenges, including denied medication authorizations, inaccessible laboratory results, and surgical delays exceeding nine months in some cases. Users reported inefficient manual workflows, such as handwritten document processing and in-person authorization requirements, which exacerbated service bottlenecks. RansomHouse's earlier claims of breaches at AMD and ADATA were referenced in coverage of the incident, though ADATA had previously disputed RansomHouse's involvement, attributing the leaked data to a separate 2021 ransomware incident. As of November 30, Keralty had not publicly responded to BleepingComputer's inquiries regarding the attack's specifics or the validity of the data theft claims, while patient care disruptions continued amid recovery efforts.
