
FBI, CISA, and HHS Warn Healthcare Organizations of Targeted ALPHV/BlackCat Ransomware Attacks

The FBI, CISA, and the U.S. Department of Health and Human Services (HHS) have warned healthcare organizations of targeted ALPHV/BlackCat ransomware attacks.

Between November 2021 and September 2023, the group had victimized over 1,000 organizations and received over $300 million in ransom payments. However, out of 70 victims posted since mid-December 2023, hospitals were the “most commonly” affected.

The agencies advised network defenders to study ALPHV/BlackCat’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) to better protect their organizations.

ALPHV BlackCat ransomware updated tactics

The joint advisory follows others published on April 19, 2022, and December 19, 2023, and lists the ransomware group’s updated TTPs and IoCs.

Notably, the agencies observed ALPHV/BlackCat ransomware affiliates improving communication with victims by “creating victim-specific emails to notify of the initial compromise.”

Additionally, ALPHV/BlackCat has adopted advanced social engineering and remote access tools like AnyDesk, Mega sync, ScreenConnect, and Splashtop to target victims, including healthcare organizations.

First Health Advisory and RedSense security experts suggested that BlackCat ransomware exploited a vulnerability in the remote connection tool ConnectWise ScreenConnect in the Change Healthcare data breach.

However, UnitedHealth Group attributed the Change Healthcare cyber attack to a nation-state actor, while LockBit claimed responsibility. ALPHV/BlackCat also denied exploiting ConnectWise ScreenConnect vulnerabilities in the Optus data breach.

The agencies also listed numerous tools in ALPHV/BlackCat’s arsenal designed to terminate antivirus software to enable the ransomware group to operate undetected.

Other noteworthy observations include the group leveraging the adversary-in-the-middle (AitM) attack framework Evilginx2 to obtain multifactor authentication keys, login credentials, and session cookies.

Some ALPHV Blackcat affiliates have also resorted to extortion without encryption, exfiltrating and then deleting user data rather than deploying ransomware.

The gang also upgraded its encryption tool to ALPHV Blackcat Ransomware 2.0 Sphynx, which can encrypt Windows and Linux devices as well as VMware instances and has improved evasion capabilities.

ALPHV/BlackCat steps up ransomware attacks on healthcare organizations

FBI, CISA, and HHS say they observed ALPHV/BlackCat ransomware increasingly targeting hospitals, likely in retaliation for the law enforcement takeover of its infrastructure.

During that operation, the FBI seized the prolific ransomware-as-a-service (RaaS) group’s infrastructure and accessed the affiliate dashboard. However, the group “unseized” its servers, migrated to Tor data leak sites, and lifted restrictions on attacking critical infrastructure, including healthcare organizations.

The joint advisory noted that healthcare organizations dominated the list of victims posted on the ALPHV BlackCat ransomware group’s data leak site after the botched takeover.

“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized,” the advisory noted. “This is likely in response to the ALPHV Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”

Apart from the ALPHV/BlackCat ransomware group, other ransomware groups frequently target healthcare organizations because of the vast troves of sensitive data they hold and the impacts that disruption could cause.

“The healthcare industry has proven an irresistible target when it comes to ransomware, with publicized attacks in 2023 seeing a 134% increase over the previous year,” said Darren Williams, CEO and Founder of BlackFog.

Apart from the staggering cost of healthcare data breaches, ransomware attacks on hospitals also endanger patients’ lives.

“Ransomware attacks against U.S. healthcare providers cost nearly $80 billion over the past seven years, with 539 reported attacks impacting 10,000 hospitals and clinics with over 52 million records compromised,” said Jon Miller, CEO & Co-founder, Halcyon. “While the financial losses are staggering, it’s the impact on patient care that is even more concerning.”