The nonprofit health system Christus Health, based in Irving, TX, operates over 600 healthcare establishments in Arkansas, Texas, New Mexico, and Louisiana. It was recently reported that the health system discovered suspicious activity on its computer systems and blocked an attempted cyberattack. The quick action taken by the Christus IT staff significantly limited the extent of the attack and kept the incident from affecting patient care and treatment. Christus Health stated that it has engaged third-party cybersecurity specialists to investigate and determine the scope of the data security breach.
A comparatively new ransomware threat group known as AvosLocker has claimed responsibility for the attack. AvosLocker operates under a ransomware-as-a-service (RaaS) model and was first observed in July 2021. The group engages in double extortion tactics: it is known to exfiltrate data before encrypting files and then threatens to sell the stolen data if the ransom is not paid.
The number of attacks performed by AvosLocker has been gradually increasing. According to data from Trend Micro, the group conducted about 30 attacks in January 2022 and 37 attacks in February 2022. The group is known to exploit unpatched vulnerabilities to gain access to victim systems and has also been observed using compromised VPN and RDP credentials. The location of the RaaS operation is unknown; however, it is likely based in Russia or a post-Soviet state, given that the group does not permit attacks on those countries. A joint cybersecurity alert released in March 2022 by the Federal Bureau of Investigation and the Department of the Treasury provided Indicators of Compromise associated with AvosLocker.
AvosLocker has been attacking critical infrastructure entities based in the U.S., including healthcare organizations. One of the group's recent victims was McKenzie Health System in Michigan, which was attacked in March 2022. The protected health information (PHI) of 25,318 individuals was potentially stolen in that attack, and a portion of the PHI was reportedly published on AvosLocker's dark web leak site.
AvosLocker has published on its dark web leak site a portion of the data it claims to have stolen in the attack on Christus Health. At this time, the scope of the affected patient data is still unknown.