Cyber Incident Victim: University Hospital New Jersey
Date: Sep 2020
Location: United States of America
Summary
University Hospital New Jersey suffered a ransomware attack by the SunCrypt operation, resulting in the theft and subsequent leak of approximately 48,000 documents containing highly sensitive information, including patient authorization forms, Social Security numbers, driver’s licenses, and internal records. The breach followed an earlier compromise in which an employee was infected with the TrickBot trojan. TrickBot typically facilitates network infiltration and ransomware deployment and has historically been linked to the Ryuk, Maze, and Conti ransomware strains. SunCrypt’s infrastructure connections also overlapped with prior Maze ransomware activity, exacerbating the incident’s impact on patient and organizational data security.
Description
In September 2020, University Hospital New Jersey (UHNJ), a state-owned teaching hospital established in 1994 with 519 licensed beds and over 3,500 employees, suffered a ransomware attack attributed to the SunCrypt operation. The attackers claimed to have exfiltrated 240 GB of data from the hospital’s network prior to deploying ransomware. On September 16, 2020, SunCrypt publicly leaked a 1.7 GB archive containing over 48,000 documents stolen from UHNJ. The leaked data included highly sensitive information such as patient authorization forms, copies of driver’s licenses, Social Security numbers, dates of birth, and records pertaining to the hospital’s Board of Directors. BleepingComputer verified that the leaked documents appeared to genuinely originate from UHNJ, though the full scope of the attackers’ claims remained unconfirmed. The incident represented an escalation in SunCrypt’s activities, coinciding with its recent establishment of a dedicated data leak site to pressure victims into paying ransoms.

The attack followed an August 2020 TrickBot trojan infection on a UHNJ employee’s device, as reported by cybersecurity industry sources. TrickBot infections typically enable threat actors to fully compromise networks and deploy subsequent ransomware payloads. Historically linked to Ryuk and Maze ransomware operations, TrickBot had recently been associated predominantly with Conti ransomware campaigns at the time of this incident. Forensic analysis revealed that during the UHNJ infection, SunCrypt ransomware communicated with an IP address previously tied to Maze ransomware operations, suggesting potential infrastructure overlap or code reuse between threat groups. The breach impacted critical operational and patient data, exposing thousands of individuals to identity theft risks while compromising internal governance documents. UHNJ’s status as a major healthcare provider handling over 172,000 outpatient visits annually amplified concerns regarding the scale of potential harm from the exposed personal information.
