A Russia-based hacker group has claimed a Japanese hospital paid $30,000 to regain access to electronic medical records that were encrypted in a ransomware attack last October, causing major disruption to the medical institution's operations.

The town of Tsurugi, Tokushima Prefecture, which runs the targeted Handa Hospital, has denied paying ransom money, and experts suspect that an IT firm involved in attempts to restore access to the records secretly reached a deal with the hackers.

Japanese police have been urging those targeted in ransomware attacks not to pay the money demanded of them.

Photo shows Handa Hospital in Tsurugi, Tokushima Prefecture, on May 20, 2022. (Kyodo)

A senior member of the hacker group, LockBit 3.0, said it received a bitcoin payment on Nov. 21 last year after holding talks with a representative of the hospital via a special website. The group originally demanded $60,000 but the figure was negotiated down to half that amount, the person said.

Shigeru Kanenishi, the mayor of Tsurugi, said, "As we understand it, the town has not paid ransom money."

The town paid 70 million yen ($472,000) to an IT firm in Tokyo to probe the attack and attempt to restore the encrypted data.

The firm has declined to comment on the case, citing a confidentiality agreement, but it said it generally does not directly negotiate with hacker groups. It may use data restoration programs if they can be obtained, it said.

At the time of the Oct. 31 attack, Handa Hospital refused to pay the ransom, saying it would instead build a new electronic medical record system at a cost of 200 million yen.

The hospital confirmed in January it regained access to the original system, saving it from having to build another, and it resumed regular medical examinations across all departments after two months of disruptions.

An expert panel investigating the case concluded in a report in June that the IT business operator is highly likely to have obtained a data restoration program somehow.

"I can only think that the IT business operator had negotiated with the group," said a panel source.

A National Police Agency official in charge of cyberattacks warned against entities paying ransom money, saying, "Not only does it promote cybercrime, there is no guarantee the data will be restored even after making payments."

Ransomware attacks are on the rise in Japan. Last month, the agency reported that Japanese entities suffered 114 damage-causing attacks in the first half of this year, up 87 percent from a year earlier.

Of the reported ransomware cases, 59 targeted small to medium-sized companies and 36 targeted large corporations. The targets included 37 manufacturers, 20 service providers and five hospitals, according to the agency.

