Cyber Incident Victim: VSS Medical Technology

Date: Mar 2022

Location: United States of America

Summary

A healthcare technology firm and its subsidiary experienced simultaneous ransomware attacks by two distinct threat actors, resulting in data exfiltration and encryption of systems. One group infiltrated the subsidiary's network for six months, stealing 160 GB of files including source code, customer financial data, and protected health information, while the other actor encrypted critical files first. The subsidiary negotiated with the second group, paying a reduced ransom for decryption keys, but refused the first group's separate demand. The unpaid threat actor subsequently leaked corporate documents and tax records from multiple affiliated companies, though initial analysis suggested limited exposure of sensitive health data. The incident disrupted operations and exposed proprietary business information alongside some personal and protected client details.

Description

On September 12, 2022, VSS Medical Technology subsidiary Sigmund Software experienced simultaneous ransomware attacks by two distinct threat actors, Hive and Spy. Hive disclosed to DataBreaches.net that they had maintained unauthorized access to Sigmund’s network for six months, exfiltrating 160 GB of data including application source code (Aura, Aura Mobile App), prototypes, corporate financial records (taxes, budgets, cash flows), customer company information, and client private data (addresses, contacts, passwords). Hive encrypted a backup server to demonstrate access but reported that Spy ransomware operators encrypted Sigmund’s primary systems before they could deploy their own encryption. That same day, Hive contacted Sigmund via email detailing the theft of sensitive data and their implantation of a persistent network backdoor. They threatened continuous network attacks every two weeks and customer notifications unless paid $500,000.

The following day (September 13), Hive learned Sigmund was negotiating exclusively with Spy, who demanded $750,000 for decryption keys. Hive escalated demands, insisting Sigmund pay both groups a combined $1.25 million ransom, warning that failure to comply would render business operations unsustainable due to recurring attacks. Sigmund proceeded to pay Spy $675,000, though decryption success remained unverified. Hive received no payment and subsequently published exfiltrated data on an unspecified date after September 13. The leaked data included files from other VSS Medical Technology affiliates—MedicFusion and New England Medical Billing—primarily containing corporate financial documents and tax records. Initial analysis identified limited protected health information (PHI) in a sample Hive provided to Sigmund on September 13, though full exposure scope remained unconfirmed. The incident resulted in confirmed financial losses from the Spy ransom payment, operational disruption from dual encryption events, reputational damage from data exposure, and potential regulatory risks due to PHI access. Sigmund Software did not respond to inquiries regarding containment measures or system restoration status.
