Siemens Healthineers responds to alleged data theft by LockBit ransomware gang
Healthcare technology giant Siemens Healthineers said it is investigating a potential ransomware incident at one of its subsidiaries after claims of an attack were made by the LockBit ransomware group.
Last week, LockBit added to its leak site Varian — a radiation oncology treatments and software maker acquired by Siemens Healthineers two years ago.
A Siemens Healthineers spokesperson acknowledged the LockBit claims without confirming data had been stolen, and said the corporation has “comprehensive measures in place to mitigate cybersecurity risk.”
“We are aware that data has been published on the LockBit site. It alleges that the data is related to the Varian business segment of Siemens Healthineers,” the spokesperson told Recorded Future News. Siemens Healthineers itself was spun off in 2017 from the namesake German conglomerate, which retains a 75 percent stake.
“We have activated our incident response protocol and have a dedicated taskforce investigating the incident,” including “internal and external experts,” the spokesperson said.
It is unclear how much ransom LockBit seeks. The alleged attack on Varian was one in a series of recent incidents involving healthcare organizations based in the U.S.
On Thursday, the gang added United Medical Centers to its leak site. The healthcare facility, located in Southwest Texas on the U.S.-Mexico border, did not respond to requests for comment but announced issues with its network two weeks ago.
Officials said they were “experiencing technical difficulties” with their network and were “actively addressing the issue to restore normal operations as swiftly as possible.”
“We want to reassure you that despite the network disruption, some of our providers are still available and working diligently to continue providing essential medical services to our patients,” they said on July 27.
LockBit on shaky ground?
The latest LockBit postings come as cybersecurity experts are questioning the cybercrime group’s operational strength after the release of a bombshell report from Jon DiMaggio, chief security strategist at Analyst1.
In a follow-up to his previous report on the ransomware gang, DiMaggio said he not only infiltrated the group using fake personas but communicated with several gang members, affiliates and victims.
According to DiMaggio, LockBit’s leadership vanished and was unreachable over the first two weeks of August before resurfacing on August 13.
Due to issues with its backend infrastructure and available bandwidth, the group is struggling to publish the data it steals during attacks, DiMaggio said. LockBit is essentially pressuring victims to pay ransoms purely off of its reputation as the most prolific ransomware group currently operating, he said.
“Affiliates are leaving LockBit’s program for its competitors. They know that LockBit is unable to publish large amounts of victim data, despite its claims,” DiMaggio explained.
“Additionally, it takes them days to weeks to review the correspondence and reply to their affiliate partners. Some requests simply go unaddressed by the LockBit gang.”
DiMaggio added that the gang’s operation is degrading and has been “slow to expand its infrastructure and development needs” — causing affiliates to leave the group and join other ransomware organizations.
In June, the FBI arrested 20-year-old Russian national Ruslan Astamirov for allegedly targeting victims around the world with the notorious LockBit ransomware. That arrest followed the detainment of another LockBit affiliate, Mikhail Vasiliev, in Canada last November.
Since emerging in 2020, the gang has launched over 1,400 attacks against victims in the U.S. and around the world, issuing over $100 million in ransom demands and receiving at least tens of millions of dollars in actual ransom payments, according to the U.S. Department of Justice.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.