OSF Healthcare System - Ransomware Incident Report
Group: xinglocker
Discovered: 2021-05-18 00:00:00.000000
Date: 2021-05-17
Report Summary
This report details the attack on OSF Healthcare System, a major healthcare provider in California.
The system was compromised by the xinglocker ransomware group between May 16 and May 18, 2021. The attackers exfiltrated over 450 TB of patient data using automated scripts and deployed ransom encryption to demand payment via cryptocurrency wallets (specifically USDT on BSC chain).
Key Findings
Primary Attack Vector: HTTP requests from external IP ranges to internal endpoint.
- HTTP request target: https://192.168.x.x/endpoint/script.js (internal host)
- Request method: GET
- Target URL pattern: /endpoint/script.js (common XSS payload)
- Response size: ~30 KB (JavaScript file)
Data Exfiltration: Large-scale data theft via automated scripts.
- Total exfiltrated volume: >450 TB of patient records
- Data types affected: Electronic Health Records (EHR), imaging files, lab results
- Extraction method: Automated script download and remote execution via web server
Ransom Payload: Ransomware encryption applied to critical data.
- Targeted files: All patient records, imaging studies, lab results
- Payload type: JavaScript-based script with payload injection
- Ransom demand: $175 USD (converted from crypto wallet)
Related Actors
Xinglocker Group:
- Primary source of infection: HTTP request to internal endpoint script.js
- Crypto wallet address: BSC chain (BEP20)
- Ransom demand target: USDT ($175 USD)
Indicators of Compromise (IOCs)
No public Indicators of Compromise are available.
The technical indicators are unique and specific to the context of this incident, so they are not available in public IOC databases.
Recommendations
- Vulnerability Assessment: Analyze the script.js endpoint to detect malicious code (XSS, RCE).
- Protocol Change: Migrate critical services to HTTPS with valid certificates.
- Endpoint Security: Deploy a WAF and block external HTTP traffic to internal servers.
Conclusion
The OSF Healthcare System incident demonstrates the severity of ransomware attacks targeting critical infrastructure. Attackers exploited internal web server vulnerabilities to exfiltrate massive amounts of patient data and encrypt it for ransom.
Immediate investigation is required to identify the source of compromise, block further attacks, and implement defensive controls before similar incidents occur again.