Full Report
Last week, it appeared that Clinical Diagnostics (“Eurofins”) had paid a gang’s demands not to leak patient data that Nova had exfiltrated during a ransomware attack in July. Clinical Diagnostics in the Netherlands held patient data on 485,000 Dutch women in a cervical cancer screening program. Nova confirmed the payment to a Dutch news outlet.... Source
Analysis Summary
# Incident Report: Nova Ransomware Negotiation Dispute with Clinical Diagnostics
## Executive Summary
The healthcare entity, Clinical Diagnostics (Eurofins) in the Netherlands, experienced a ransomware attack allegedly conducted by the group "Nova" in July, resulting in the exfiltration of patient data from a cervical cancer screening program. After an initial payment appeared to resolve the incident, the threat actors reversed course, demanding a higher ransom due to perceived police involvement or a higher counter-offer from another party. The incident remains active with the threat of public data disclosure looming.
## Incident Details
- Discovery Date: Not explicitly stated; presumed to be shortly after the July ransomware attack.
- Incident Date: Incident confirmed to have occurred in July 2025.
- Affected Organization: Clinical Diagnostics (Eurofins), Netherlands.
- Sector: Healthcare.
- Geography: Netherlands.
## Timeline of Events
### Initial Access
- Date/Time: Occurred sometime in July 2025.
- Vector: Ransomware attack, specific initial vector (e.g., phishing, vulnerability exploitation) is not disclosed.
- Details: Nova, the threat actor group, successfully breached the systems and exfiltrated patient data related to a cervical cancer screening program.
### Lateral Movement
- Details: Not specified in the provided context, but implied by the successful exfiltration of relevant organizational data.
### Data Exfiltration/Impact
- Details: Patient data belonging to 485,000 Dutch women in a cervical cancer screening program was exfiltrated by Nova.
### Detection & Response
- Date/Time: Mid-August 2025 (when the payment was initially confirmed).
- Details: Clinical Diagnostics reportedly paid the initial ransom demanded by Nova. Subsequently, Nova announced the deal was off, citing perceived police involvement or a higher offer, and demanded more money, threatening to leak the data in 10 days. The organization had an existing web notice regarding the incident.
## Attack Methodology
- Initial Access: Ransomware attack (specific entry point unknown).
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Implied by data exfiltration capabilities.
- Collection: Focus on patient data related to the cervical cancer screening program.
- Exfiltration: Data was exfiltrated to Nova’s dark web leak site.
- Impact: Potential public release of sensitive patient health information (PHI).
## Impact Assessment
- Financial: Initial ransom payment was made; potentially facing demands for a larger payment now.
- Data Breach: Data of 485,000 Dutch women in a cervical cancer screening program (Highly sensitive PHI).
- Operational: Clinical Diagnostics issued a public notice regarding the incident. Continued tension following the failed negotiation.
- Reputational: Significant reputational risk due to the handling and public nature of the ongoing negotiation dispute.
## Indicators of Compromise
- Network indicators: Mention of the gang’s dark web leak site (No specific defanged URLs provided in the text).
- File indicators: None specific to the attack noted.
- Behavioral indicators: Threat actor behavior shifting from standard negotiation to public dispute and renegotiation under threat of leak.
## Response Actions
- Containment: Not detailed; the data had already been exfiltrated before the extortion pressure began.
- Eradication: Not detailed.
- Recovery: The organization reached an initial resolution by payment, which later collapsed, leaving it to renegotiate or face the announced data leak deadline.
## Lessons Learned
- Negotiating with RaaS/Extortion Groups is inherently risky: The initial payment did not guarantee data deletion or non-disclosure, as the group revoked the agreement.
- Unclear communications: The threat actors' conflicting public explanations for voiding the agreement (police involvement vs. a higher offer) suggest confusion or a possible misinterpretation of the victim's actions.
- Importance of Law Enforcement engagement: Engaging law enforcement may have triggered the actors' decision to void the initial agreement.
## Recommendations
- Strengthen data protection and access controls to prevent future ransomware intrusions.
- Establish clear, documented protocols for engaging with threat actors versus law enforcement, acknowledging the risks inherent in paying ransoms.
- Ensure robust backups and recovery plans are tested frequently to minimize reliance on paying threat actors.