Cyber Incident Victim: Mount Desert Island Hospital
Date: Jun 2023
Location: United States of America
Summary
Mount Desert Island Hospital was the victim of a ransomware attack claimed by the Snatch threat group. The gang employs a technique that forces systems to reboot into safe mode to bypass antivirus protections, facilitating data theft and encryption. This double-extortion tactic pressures victims to pay for a decryption key and to prevent the release of stolen sensitive information. The hospital serves several towns in the state of Maine.
Description
On or around June 5, 2023, the ransomware group known as Snatch publicly claimed responsibility for a cyberattack against Mount Desert Island Hospital. The group listed the hospital as one of three victims on its dark web victim blog. The other two organizations named were EliTech Group, a global in-vitro diagnostics company based in Paris, and the Briars Group, a London-based consultancy firm. The public claim was made by posting the names of the companies alongside a brief description of their business operations on the gang's dedicated leak site. The blog posts did not contain specific details regarding the scope of the data breach at any of the organizations, such as the volume of data allegedly stolen or the deadline set for the victim to enter into negotiations with the threat actors.

The Snatch ransomware gang employs a distinctive and technically sophisticated modus operandi that has been documented by cybersecurity researchers. Their primary tactic involves forcing infected target devices to reboot into Windows Safe Mode. Safe Mode is a diagnostic environment within the operating system that loads only essential drivers and services, intentionally bypassing the automatic startup of most third-party software, including endpoint antivirus and security solutions. By operating within Safe Mode, the Snatch actors can disable security protections with greater ease, move laterally through the network unimpeded, and deploy their ransomware payload without interference. This technique allows them to systematically exfiltrate sensitive data and encrypt files on the compromised systems. Researchers from the cybersecurity firm Sophos have explicitly warned that the severity of the risk posed by ransomware capable of executing in Safe Mode cannot be overstated, as it effectively neutralizes a core defensive layer for organizations.
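To make the Safe Mode tactic described above concrete from the detection side, here is an added example (not code from this page or from any vendor named on it) that scans Sysmon-style process-creation records for a boot-configuration change that enables safeboot and correlates it with a forced restart on the same host shortly afterwards. The records, hostnames, users and timestamps are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Command-line patterns: a safeboot change to the boot configuration, and a forced restart.
SAFEBOOT_RE = re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)
REBOOT_RE = re.compile(r"\bshutdown(?:\.exe)?\b.*\s/r\b", re.IGNORECASE)

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields
# (every host, user, timestamp and command line here is made up for this example).
SAMPLE_EVENTS = [
    {"ts": "2023-06-01T02:14:05", "host": "ws01", "user": "svc_backup",
     "cmdline": "bcdedit /set {current} safeboot minimal"},
    {"ts": "2023-06-01T02:14:40", "host": "ws01", "user": "svc_backup",
     "cmdline": "shutdown /r /f /t 0"},
    {"ts": "2023-06-01T09:30:00", "host": "ws02", "user": "itadmin",
     "cmdline": "bcdedit /enum all"},
    {"ts": "2023-06-01T11:05:00", "host": "ws03", "user": "helpdesk",
     "cmdline": "bcdedit /set {default} safeboot network"},
    {"ts": "2023-06-01T11:25:00", "host": "ws03", "user": "helpdesk",
     "cmdline": "shutdown /r /t 0"},
    {"ts": "2023-06-01T12:00:00", "host": "ws04", "user": "jdoe",
     "cmdline": "shutdown /r /t 0"},
]

def find_safeboot_events(events):
    """Every boot-configuration change that touches safeboot; each deserves review."""
    return [e for e in events if SAFEBOOT_RE.search(e["cmdline"])]

def correlate_safeboot_reboots(events, window_seconds=300):
    """Alert when a safeboot change is followed, on the same host and within
    window_seconds, by a forced restart: the sequence that lands the machine in
    Safe Mode, where most third-party security software is not loaded."""
    alerts, by_host = [], {}
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO timestamps sort lexically
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if not SAFEBOOT_RE.search(e["cmdline"]):
                continue
            t0 = datetime.fromisoformat(e["ts"])
            for later in evs[i + 1:]:
                delta = datetime.fromisoformat(later["ts"]) - t0
                if delta > timedelta(seconds=window_seconds):
                    break  # per-host events are time-ordered, so nothing later can match
                if REBOOT_RE.search(later["cmdline"]):
                    alerts.append({"host": host, "user": e["user"], "delta_s": int(delta.total_seconds()),
                                   "safeboot_cmd": e["cmdline"], "reboot_cmd": later["cmdline"]})
                    break
    return alerts
```

The ws03 sequence shows why the window is a tunable parameter: a help-desk safeboot change followed by a restart twenty minutes later is not flagged at the default 300 seconds but is at 1800, so the threshold should match how quickly such maintenance is normally completed in the environment.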
The attack methodology employed by Snatch is consistent with the double extortion tactic that is prevalent among modern ransomware groups. This approach involves two parallel coercive pressures on the victim. First, the attackers encrypt critical data and systems, directly disrupting business operations and making them inoperable. Second, they exfiltrate, or steal, large quantities of sensitive data prior to encryption. The threat actors then use the stolen data as leverage, threatening to publish or sell it on the dark web if the ransom demand is not paid. This two-pronged strategy is designed to incentivize payment not only for a decryption key to restore operations but also to prevent the public exposure of confidential information, which could lead to regulatory fines, legal action, and reputational damage. The security firm Coveware, which specializes in assisting victims with extortion negotiations, has worked on twelve cases involving the Snatch group. Historical data from these cases indicates that the ransom demands from this group have typically ranged between $2,000 and $35,000, to be paid in Bitcoin.
The specific impacts of the Snatch ransomware attack on Mount Desert Island Hospital's operations are not detailed in the public claim. However, based on the group's known tactics and the critical nature of healthcare services, a successful attack would likely have caused significant disruption. Hospital operations are heavily dependent on immediate access to patient medical records, scheduling systems, and diagnostic equipment. Encryption of these systems typically halts patient scheduling, disrupts access to electronic health records, and can force the cancellation of non-emergency procedures. The potential exfiltration of patient data also creates a severe privacy risk, as hospital databases contain highly sensitive personal health information, financial data, and personally identifiable information. The hospital serves three towns in the state of Maine, meaning the attack had the potential to directly impact the availability of healthcare services for those communities.
There is no publicly available information from the hospital itself or from law enforcement agencies regarding the exact timeline of the initial intrusion, the duration of the attackers' presence within the network prior to detection, or the specific point at which the hospital's IT team became aware of the incident. The public disclosure of the event came not from the victim organization but from the cybercriminal group itself via its dark web blog. A media outlet, Tech Monitor, reported that it had attempted to contact all three organizations named by Snatch, including Mount Desert Island Hospital, but had received no response at the time its article was published on June 5, 2023. The lack of immediate public statement from the hospital is a common occurrence in such incidents, as organizations often prioritize internal investigation, containment, and engagement with law enforcement and incident response professionals before making a public announcement.
The Snatch group is a Russian-speaking cybercriminal operation that has been active since at least 2018. The group derives its name from the 2000 Guy Ritchie film "Snatch," which starred Brad Pitt. Their history demonstrates a pattern of attacking a diverse range of entities, from private corporations to municipal governments. Prior to the attack on the hospital, the group had confirmed an attack in February of 2023 against the city of Modesto, which is located in Northern California, not North Carolina as one article initially misstated. The attack on Modesto was reported to have crippled police department laptops, severely hampering law enforcement operations and forcing officers to revert to using traditional police radios and manually writing down the details of dispatch calls. This precedent illustrates the group's capability and willingness to attack critical infrastructure, including public safety and healthcare entities, causing tangible operational disruption. The claim against Mount Desert Island Hospital represents a continuation of this targeting strategy against essential service providers.
