Feds Alert Healthcare Industry Concerning ALPHV/Blackcat Ransomware Group
A joint cybersecurity advisory has been issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) concerning known Indicators of Compromise (IoCs) and the most recent Tactics, Techniques, and Procedures (TTPs) used by the ALPHV/Blackcat ransomware group.
In December 2023, the U.S. Department of Justice (DoJ) stated that it had interrupted the operations of the ALPHV/Blackcat ransomware group. An FBI agent acted as an affiliate, acquired access to the computer network of the ransomware group, and seized several websites managed by the group.
About 900 public/private key pairs were obtained, which allowed a decryption tool to be created so that victims could recover their files. Within hours of the DOJ announcement, a representative of the group claimed it had regained control of the websites and threatened retaliation. According to the group, the restrictions previously placed on affiliates had been lifted: hospitals, nuclear power plants, and anything else could now be attacked. The only rule that remained was the prohibition on attacks within the Commonwealth of Independent States (CIS).
According to the cybersecurity advisory, hospitals appear to have been the primary focus of the group. Since December 2023, ALPHV/Blackcat has listed the data of 70 victims on its data leak site, and the healthcare industry has been the most heavily targeted. Although the advisory does not name specific healthcare victims, the most recent is Change Healthcare. ALPHV/Blackcat claims to have stolen 6TB of data in the attack, including information from all of its clients: CVS Caremark, Medicare, Health Net, and Tricare. Change Healthcare was added to the group’s data leak site shortly after the cybersecurity advisory was released.
The advisory notes that ALPHV/Blackcat affiliates frequently pose as IT specialists or helpdesk personnel to steal workers’ credentials and gain initial access to healthcare systems. The group also gains initial access through phishing, using the Evilginx phishing kit to steal multifactor authentication codes, session cookies, and login credentials. Affiliates install legitimate remote access software such as AnyDesk, Mega sync, and Splashtop in preparation for data exfiltration, tunneling tools such as Plink and Ngrok, and Brute Ratel C4 and Cobalt Strike as beacons to command and control servers. Affiliates move laterally through compromised networks and use tools such as Metasploit to evade detection.
Although many ALPHV/Blackcat affiliates engage in double extortion, some choose not to encrypt files and simply steal data, then threaten to publish it if a ransom is not paid. This approach allows faster attacks with a lower likelihood of detection. The advisory shares the most recent MITRE ATT&CK tactics and techniques, IoCs, incident response recommendations, and mitigations for improving cybersecurity posture, such as phishing-resistant multifactor authentication (FIDO/WebAuthn authentication or public key infrastructure (PKI)-based MFA).
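The advisory's point that affiliates rely on legitimate remote access and tunneling software (AnyDesk, Mega sync, Splashtop, Plink, Ngrok) means that the presence of these tools is itself a detection opportunity for a healthcare SOC. The following is an added example, not code from the advisory or from CISA/FBI/HHS: a small triage script that scans process-creation events for those tool names and grades each hit by where the binary launched from and whether the host is on a helpdesk allow-list. The log format, the path substrings used to recognize each tool, the user-writable directory heuristic, and the APPROVED_HOSTS allow-list are all assumptions of this example, not IoCs from the advisory.

```python
import re
from dataclasses import dataclass

# Tools named in the advisory summary, keyed by a substring expected in the
# image path. The substrings are an assumption of this example, not advisory IoCs.
TOOL_PATTERNS = {
    "anydesk":   ("remote access", "AnyDesk"),
    "megasync":  ("file sync / exfiltration", "Mega sync"),
    "splashtop": ("remote access", "Splashtop"),
    "plink":     ("tunneling", "Plink"),
    "ngrok":     ("tunneling", "Ngrok"),
}

# Directories a user or a phishing payload can write to without admin rights;
# a watchlisted tool launching from here is more suspicious than an
# IT-managed install under Program Files.
USER_WRITABLE = re.compile(r"\\(temp|downloads|desktop)\\", re.IGNORECASE)

# Hypothetical allow-list of hosts where helpdesk staff legitimately run
# remote support tooling.
APPROVED_HOSTS = {"HELPDESK-01"}

# key=value tokens; values may be quoted when they contain spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample process-creation log lines (not real telemetry).
SAMPLE_LOG = [
    r'ts=2024-02-20T10:15:03Z host=WS-114 user=jdoe event=process_create image=C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe parent=outlook.exe',
    r'ts=2024-02-20T10:16:41Z host=HELPDESK-01 user=svc_support event=process_create image="C:\Program Files (x86)\AnyDesk\AnyDesk.exe" parent=explorer.exe',
    r'ts=2024-02-20T10:22:09Z host=FS-02 user=jdoe event=process_create image=C:\Users\jdoe\Downloads\ngrok.exe parent=cmd.exe',
    r'ts=2024-02-20T10:23:55Z host=WS-201 user=asmith event=process_create image=C:\Windows\System32\notepad.exe parent=explorer.exe',
    r'ts=2024-02-20T10:25:12Z host=WS-114 user=jdoe event=network_connect image=C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe dst=203.0.113.10',
    r'ts=2024-02-20T10:31:30Z host=DB-01 user=dbadmin event=process_create image=C:\Tools\plink.exe parent=cmd.exe',
]


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    tool: str
    category: str
    severity: str
    image: str


def parse_event(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def classify(event):
    """Return a Finding if the process image matches a watchlisted tool, else None."""
    if event.get("event") != "process_create":
        return None
    image = event.get("image", "")
    low = image.lower()
    for needle, (category, tool) in TOOL_PATTERNS.items():
        if needle in low:
            break
    else:
        return None
    host = event.get("host", "?")
    if host in APPROVED_HOSTS:
        severity = "info"      # expected on helpdesk hosts, keep for audit trail
    elif USER_WRITABLE.search(image):
        severity = "high"      # dropped into a user-writable path, not an IT install
    else:
        severity = "medium"    # unexpected host, but a fixed install location
    return Finding(event.get("ts", "?"), host, event.get("user", "?"),
                   tool, category, severity, image)


def scan(lines):
    """Run classify() over every log line and collect the findings in order."""
    return [f for f in (classify(parse_event(line)) for line in lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.timestamp} {f.host} {f.user} {f.tool} ({f.category}) {f.image}")
```

Run as a script, the block prints one line per finding; the AnyDesk launch from a Temp directory and the Ngrok launch from Downloads come out as high, the Plink run on a database host as medium, and the helpdesk AnyDesk session as info. In a real deployment the allow-list and path heuristic would be tuned to the organization's own software inventory, and the script would read from the EDR or SIEM export rather than an inline list.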
ALPHV/Blackcat Ransomware Attack on Grace Lutheran Communities
Grace Lutheran Communities, located in Wisconsin, offers rehabilitation services, assisted living, independent living, and skilled nursing. It reported a ransomware attack that was discovered on January 22, 2024. Although the investigation is not yet complete, Grace Lutheran Communities has confirmed that patient information was stolen, including names, addresses, health insurance details, and Social Security numbers.
On February 17, 2024, Grace Lutheran Communities found that the ALPHV/Blackcat ransomware gang had posted some of the stolen data on its data leak site. Grace Lutheran Communities stated that it is committed to protecting the privacy and security of patient records and is improving network security to prevent similar attacks in the future. Grace Lutheran Communities has not yet confirmed the number of affected individuals.
Ransomware Attack on Washington County Hospital and Nursing Home
Washington County Hospital and Nursing Home has notified 31,125 individuals about a December cyberattack in which an unauthorized third party gained access to their sensitive information. On December 24, 2023, a network issue made internal systems inaccessible. A third-party cybersecurity firm helped secure its systems and performed a forensic investigation, which found evidence of unauthorized access to records containing patient PHI. The files included tax forms and Social Security numbers (SSNs); however, no reports have been received of any actual or attempted identity theft or fraud resulting from the data breach.
Washington County Hospital and Nursing Home has enhanced its security protocols and is providing the affected individuals with complimentary Single Bureau Credit Monitoring, Credit Score, and Credit Report services.
Cyberattack on Bay Area Anesthesia’s Business Associate
Bay Area Anesthesia, based in Clearwater, FL, has been affected by a data security incident at Bowden Barlow Law, a former business associate. The law firm identified suspicious activity within its system, and the investigation showed that an unauthorized third party accessed the system between November 17, 2023, and December 1, 2023. During that time, files were exfiltrated from its network that included the PHI of 15,196 individuals. Bay Area Anesthesia has notified the affected individuals and has provided them with free credit monitoring and identity theft protection services for a year.
Cardiothoracic and Vascular Surgeons December Data Breach
Cardiothoracic and Vascular Surgeons, located in Austin, TX, reported that unauthorized individuals accessed its systems between October 12, 2023, and October 13, 2023, and exfiltrated files containing patient data. An analysis of the affected files was completed on January 22, 2024, and showed that the files contained the PHI of 2,345 individuals, including names, driver’s licenses, and/or government-issued IDs. Notifications were sent to the affected individuals on February 16, 2024, along with an offer of credit monitoring and identity theft protection services.