Cyber Incident Victim: Spy

Date: Mar 2022

Location: United States of America

Summary

A VSS Medical Technology subsidiary experienced simultaneous ransomware attacks by the Hive and Spy groups. Hive had access to the subsidiary's network for six months and exfiltrated 160 GB of data, including source code, customer financial details, and client personal information, but Spy encrypted the critical files first. Hive demanded $500,000 to prevent data leaks and future attacks, alongside Spy's $750,000 decryption fee, but the organization paid only Spy, $675,000 for decryption keys. After the organization refused to pay Hive, the group leaked corporate documents and tax records from multiple affiliated companies, with initial samples containing personal and protected health information. The full extent of compromised sensitive data remains unclear.

Description

On September 12, 2022, VSS Medical Technology’s subsidiary Sigmund Software experienced simultaneous ransomware attacks by two distinct threat actors—Hive and Spy. Hive had maintained unauthorized access to Sigmund Software’s systems for six months prior, exfiltrating 160 GB of data including application source code (Aura, Aura Mobile App), prototypes, corporate financial documents (taxes, budgets, cash flows), customer business information, and personally identifiable information (PII) or protected health information (PHI) of clients. During their intrusion, Hive encrypted a backup server as proof of compromise but were preempted by Spy, who encrypted Sigmund Software’s primary files before Hive could execute their own encryption. Hive notified Sigmund Software via email on September 12, detailing the exfiltrated data, disclosing a persistent backdoor, and threatening to contact customers directly if ransom demands were unmet. The following day, Hive learned of Sigmund Software’s negotiations with Spy and issued a revised ultimatum: a combined $1.25 million ransom ($675,000 to Spy for decryption keys and $500,000 to Hive for deletion of stolen data), accompanied by threats of biweekly network attacks and customer data exposure if Hive’s demands were ignored.

Sigmund Software paid Spy $675,000 for decryption keys by mid-September 2022, though the effectiveness of the keys remained unverified. The company did not pay Hive, leading to the public release of exfiltrated data on September 20. The leaked data included files from other VSS Medical Technology subsidiaries—MedicFusion and New England Medical Billing—primarily containing corporate operational documents, tax records, and limited samples of PHI/PII, though no full electronic health record (EHR) databases were identified. Hive’s September 13 sample data provided to Sigmund Software confirmed the presence of sensitive client information, but broader PHI exposure in the full leak remained unconfirmed. The incident disrupted Sigmund Software’s operations through dual encryption and protracted negotiations, while Hive’s data dump introduced reputational and regulatory risks for VSS Medical Technology and its affiliated entities. No information was disclosed regarding network containment, backdoor removal, or post-incident forensic actions by the affected organizations.
