After revealing late last month it had fallen victim to a cyber incident, UnitingCare Queensland has now named REvil/Sodin as the gang behind the attack.
The organisation, which provides aged care, disability supports, health care, and crisis response services throughout the state, suffered the attack on Sunday, 25 April 2021.
In a statement issued a few days later, UnitingCare said its systems were still hurting. On Wednesday, it said some of the organisation's systems have since been inaccessible.
The organisation also pointed the blame at REvil/Sodin as the source of the attack.
"We can confirm that the external group claiming responsibility for this incident has identified themselves as REvil/Sodin," it said.
"With the assistance of leading experts and advisors, we are conducting a thorough investigation into whether patient, client, resident or employee information has been breached.
"This investigation is continuing and we will continue to keep the people we care for updated in this regard, in addition to employees, regulators, and other stakeholders."
The REvil (Sodinokibi) ransomware gang has been active for quite a while, dwarfing any other similar ransomware operations. Run as a Ransomware-as-a-Service (RaaS), the REvil gang rents its ransomware strain to other criminal groups.
The figure demanded of UnitingCare has not been disclosed, but it was reported in March that Taiwanese giant Acer was struck by REvil ransomware, with the culprits demanding $50 million from the company.
"Since the incident occurred, as part of our business continuity plan, back-up and downtime procedures have been in place to ensure continuity of our clinical and care services, and these procedures have been working very well," UnitingCare said.
It said at this point in time, there is no evidence that the health and safety of its patients, residents, or clients has been in any way compromised as a result of the attack.
"As soon as we became aware of the incident, we engaged the support of leading external technical and forensic advisors. We also notified the Australian Cyber Security Centre of the incident and are continuing to work closely with them to investigate it," UnitingCare added.
"Since the outset of the incident, we have been in pro-active regular contact with all relevant regulatory and government departments."
Last year, the Australian Cyber Security Centre (ACSC) issued an alert to aged care and healthcare providers, notifying them of recent ransomware campaigns targeting the sector.
"Cybercriminals view the aged care and healthcare sectors as lucrative targets for ransomware attacks," the ACSC wrote. "This is because of the sensitive personal and medical information they hold, and how critical this information is to maintaining operations and patient care. A significant ransomware attack against a hospital or aged care facility would have a major impact."
Data breach notification to the Office of the Australian Information Commissioner became mandatory under the Notifiable Data Breaches (NDB) scheme in February 2018.
Since the mandate, the private health sector has been the most affected sector. The latest NDB report shows no change, with health accounting for 123 of the total 519 notifications in the six months to December 2020.
Need to disclose a breach? Read this: Notifiable Data Breaches scheme: Getting ready to disclose a data breach in Australia
Meanwhile, the federal government's COVID-19 booking system suffers day one 'problems'.
University confirms the personal information included in the breach contained names, email addresses, and phone numbers of some staff, students, and external parties
It is the latest government entity to be caught up in the attack on the Accellion file transfer system.