Native tribe in Minnesota says cyber incident knocked out healthcare, casino systems

The Lower Sioux Indian Community warned residents on Wednesday that a cyberattack caused disruptions for the local healthcare facility, government center and casino.

After days of reported technology outages, the federally recognized Indian tribe located in south central Minnesota said it was forced to activate incident response protocols following a cybersecurity incident that was discovered on some systems connected to Jackpot Junction, the local casino controlled by the tribe.

The tribe "continued to take measures to contain the incident, including taking some systems offline (tribal phones, fax machines, and emails)," officials said in a social media post. 

“The Tribe is working with third party experts to address the incident, with the goal of returning to normal operations as quickly and as safely as possible.”

The tribe provided temporary phone numbers for the local health center, the dental center and the retail optical facility as well as the local pharmacy. Those needing to fill prescriptions were urged to use an app provided by the pharmacy.

Government officials first notified the public of issues on March 28, warning that phone lines were down following a similar message from Jackpot Junction. 

The casino later said all of its hotel systems were down and they were unable to book future reservations or make any cancellations. The casino’s digital games, including the slot machines, were also taken down by the cyberattack.

Approximately 145 families of the Lower Sioux Indian Community live on 1,743 acres of tribal land, with a total tribal population of 982 residing throughout a 10-mile service area and beyond.

RansomHub takes credit

The cyberattack was claimed by the RansomHub ransomware gang on Monday. The same ransomware gang in February said it attacked the Sault Tribe of Chippewa Indians in Michigan. 

RansomHub has quickly taken over as the leading ransomware operation after law enforcement operations targeting LockBit and AlphV last year. 

Researchers from cybersecurity firm ESET said in a detailed report last week that the group has gained prominence by developing a special type of malware — called EDRKillShifter — designed to terminate, blind or crash the endpoint detection and response (EDR) security products typically installed on a victim’s system.

“The decision to implement a killer and offer it to affiliates as part of the ransomware-as-a-service program is rare,” said ESET researcher Jakub Souček. 

“Affiliates are typically on their own to find ways to evade security products — some reuse existing tools, while more technically oriented ones modify existing proofs of concept or utilize EDR killers available as a service on the dark web. ESET researchers saw a steep increase in the use of EDRKillShifter, and not exclusively in RansomHub cases.”

The group has also developed ties to other sophisticated ransomware gangs like Play, Medusa and BianLian — with actors from each group deploying EDRKillShifter, according to ESET. 

RansomHub initially advertised its services on Russian cybercriminal forums, offering affiliates 90% of ransom payments. Unlike other groups, the gang allows affiliates to receive the entire ransom payment to their own wallet and trusts them to send the developers the remaining 10%, ESET noted. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.