Cyber Incident Victim: Conti-Ryuk

Date: Aug 2020

Location: United States of America

Summary

A ransomware attack targeted a healthcare provider, with Maze operators initially listing the victim on their leak site and uploading a sample of exfiltrated files. Subsequently, Conti-Ryuk operators created a separate leak site listing the same victim and published additional files, including patient-specific records containing names, dates of birth, medications, and diagnostic results. The exposure was compounded by filenames structured to reveal protected health information without accessing file contents. While Maze and Conti-Ryuk dumped distinct datasets, their collaboration in the incident remained unclear. The organization maintained operational backups, mitigating broader disruption, and no ransom payment was confirmed. Patient data from both leak sites demonstrated unauthorized access to sensitive medical information.

Description

On August 2, 2020, cybersecurity firm Cyble reported via Twitter that Maze ransomware operators had listed Ventura Orthopedics on their data leak site. The threat actors uploaded an archive of files allegedly constituting 5% of the data exfiltrated from the healthcare provider's servers, though Ventura Orthopedics did not publicly acknowledge the incident at that time. Subsequently, Conti-Ryuk ransomware operators established a separate leak site listing Ventura Orthopedics as a victim, publishing 1,850 files from the organization. Analysis revealed Maze and Conti-Ryuk leaked different datasets, with Conti-Ryuk's dump including patient-specific records such as lab reports from RX Diagnostic Management, Inc. These documents contained protected health information (PHI) including patient names, dates of birth, medications, and diagnostic results. The exposure was compounded by Ventura Orthopedics' filename convention (lastname_first2lettersoffirstname_DOB(yyyy/mm/dd)), which revealed PHI through filenames alone without requiring file access. Neither group disclosed potential collaboration in the attack, leaving their operational roles and ransom distribution unclear.

Ventura Orthopedics initially did not respond to media inquiries or issue public statements regarding the incident. By August 28, 2025, the organization engaged cybersecurity expert Chris Roberts of HillBilly Hit Squad to conduct forensic analysis, though findings remained incomplete at reporting time. The practice confirmed implementing proactive measures including maintained backups, which limited operational disruption despite successful data exfiltration. Available evidence suggested no ransom payment occurred. The confirmed data exposure impacted patient privacy through both Maze's partial leak and Conti-Ryuk's larger publication of medical records, with no remediation details disclosed beyond ongoing forensic investigation. Ventura Orthopedics had not submitted breach notifications to HHS's public reporting tool as of the last update.
