Multinational healthcare organization Keralty suffered a RansomHouse ransomware attack on Sunday, disrupting the websites and operations of the company and its subsidiaries.

Keralty is a Colombian healthcare provider that operates an international network of 12 hospitals and 371 medical centers in Latin America, Spain, the United States and Asia. The group employs 24,000 people and 10,000 doctors who provide care to more than 6 million patients.

The company offers other healthcare services through its subsidiaries, Colsanitas, Sanitas USA and EPS Sanitas.

Cyberattack disrupts Keralty operations

Over the past few days, Keralty and its subsidiaries, EPS Sanitas and Colsanitas, have experienced disruptions to their IT operations, medical appointment scheduling and websites.

Errors displayed when visiting Keralty.com
Source: BleepingComputer

The computer outages have impacted Colombia’s health system, with local media reporting that patients have been queuing for more than twelve hours for treatment and that some patients are fainting due to lack of medical care.

On Monday, Keralty said it was suffering from technical issues but did not reveal the cause.

However, Keralty released another statement yesterday confirming that the disruption was caused by a cyberattack on their network, causing technical failures in their IT systems.

“The computer servers of the companies of the Keralty group were the subject of a cyberattack, which generated technical failures in our systems,” reads a translated statement from Keralty.

“Since the moment it was identified, we have been working around the clock, both from the technology team and the medical and administrative team, to ensure continuity of care for our members.”

“Also, from the beginning, this situation was brought to the attention of the competent authorities and the corresponding criminal investigation was opened. In order to maintain the attention on our users, from Keralty we continue to implement the emergency plans necessary to maintain service.”

BleepingComputer has attempted to contact the Keralty Group with questions about the attack, but has not received a response at this time.

RansomHouse behind the attack

As first reported by Camilo Andrés García today, a Twitter user named Alexánder tweeted a screenshot of a VMware ESXi server with a ransom note displaying “Dear Keralty”, stating that the healthcare company suffered a ransomware attack.

RansomHouse ransom note for Keralty
Source: BleepingComputer

BleepingComputer has identified this ransom note as belonging to RansomHouse, which originally called its ransomware ‘White Rabbit.’

During their attacks on eight municipalities in Italy, the threat actors changed the name to “Mario” in tribute to the Italian hero of the game Super Mario Bros.

This new encryptor will encrypt Windows and Linux devices and append the “.mario” extension to encrypted files while dropping ransom notes named “How to restore your .txt files”.

After seeing this tweet, BleepingComputer has since independently confirmed from a source that RansomHouse was behind the attack on Keralty.

RansomHouse threat actors further told BleepingComputer that they were behind an attack on November 27 and claimed to have stolen 3TB of data.

BleepingComputer was unable to confirm the claims about what data, if any, was stolen.

RansomHouse previously said it carried out data theft attacks on AMD and ADATA.

However, ADATA denied being attacked by RansomHouse and said the leaked data came from a previous RagnarLocker ransomware attack in 2021.

