Cybercriminal group claims responsibility for ransomware attack as hospital CEO says recovery will take weeks

Twelve days into a ransomware attack that has upended health-care services at five hospitals in southwestern Ontario, a cybercriminal group claimed responsibility in an online blog describing how the attack happened and what it says are the millions of private patient records it has stolen. 

In a report to Windsor Regional Hospital Thursday, CEO David Musyj said the hospital is slowly getting back on track, working hard to restore services. He noted that although the impacted hospitals  "closely examined" the ransom demand from the cybercriminals, they decided against paying it. 

"We knew ... that we could not trust the promise of a criminal to delete this information," he said. 

"We learned that payment would not speed up the safe restoration of our network." 

It's the first time Musyj has spoken about the attack and his message served as a counter to the claims of the cybercriminals, who bragged about the extent of the damage in an online blog. 

After the hospitals refused to pay, the hackers followed through on their threat of releasing a portion of private health information. 

Details about that exposed personal information, along with the cybercriminal group that has claimed responsibility for the attack, have been released in an article from DataBreaches.net — a website run by a formerly licensed health-care professional who lives in New York State. 

CBC News spoke with the author of the website and has agreed to keep them anonymous to protect their safety.

The author, who goes by the pseudonym Dissent Doe, says they don't have expertise in cybersecurity, beyond having reported on the issue in their online blogs since 2006. 

CBC News has verified Dissent's identity. Brett Callow, a threat analyst for anti-virus software company Emsisoft, says while the site and Dissent have a track record of reliability for its reporting on cyberattacks, the specific claims hackers make to it should be taken with some skepticism. 

Multiple police organizations, including INTERPOL and the FBI, continue to investigate the cyberattack that stalled essential health-care services for thousands of people in Windsor-Essex, Chatham-Kent and Sarnia. The attack on the hospitals' IT provider TransForm forced internal health systems to be shut down at all five hospitals, causing staff to resort to using paper charting.

Since the attack began, cancer patients have had to receive care at other hospitals in the province, staff payroll has been disrupted and, as recently as Wednesday evening, personal health information has been published on the dark web.  

According to Dissent's reporting on DataBreaches.net, the group that claimed responsibility for the attack is called Daixin.

Dissent says they don't know where the group is based or how many people are behind the operation.