FBI warns US healthcare sector of targeted BlackCat ransomware attack

ReportFebruary 28, 2024Editorial DepartmentRansomware/Healthcare

The U.S. government is warning of a resurgence of BlackCat (also known as ALPHV) ransomware attacks targeting the healthcare industry this month.

“Of the nearly 70 breach victims since mid-December 2023, the healthcare industry is the most commonly affected,” the government said in its latest advisory.

“This may be in response to posts by ALPHV/BlackCat administrators encouraging affiliates to target hospitals after taking action against the organization and its infrastructure in early December 2023.”

The recommendation comes from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS).

The BlackCat ransomware operation suffered a major blow late last year after a coordinated law enforcement operation uncovered a dark leak site for the BlackCat ransomware. But the takedown failed after the group managed to regain control of the sites and switched to a new TOR data exfiltration portal, which remains active to this day.

It has also stepped up its attacks on critical infrastructure organizations in recent weeks, claiming responsibility for attacks on Prudential Financial Group, LoanDepot, Trans-Northern Pipelines and UnitedHealth Group subsidiary Optum.

The development prompted the U.S. government to announce a financial reward of up to $15 million for information leading to the identification of key members of the electronic crime group and their affiliates.

BlackCat’s ransomware spree coincides with the return of LockBit, following a similar breach last week by the UK’s National Crime Agency (NCA).

Threat actors compromised Optum’s network by exploiting a recently disclosed critical security vulnerability in ConnectWise’s ScreenConnect remote desktop and access software, according to a report in SC Magazine.

These flaws allow for remote code execution on vulnerable systems and have been weaponized by the Black Basta and Bl00dy ransomware gangs and other threat actors to deliver Cobalt Strike Beacons, XWorm and even other remote management tool, and another ScreenConnect client.

Attack surface management company Censys said it observed more than 3,400 exposed potentially vulnerable ScreenConnect hosts online, with the majority located in the United States, Canada, the United Kingdom, Australia, Germany, France, India, the Netherlands, Turkey and Ireland.

“It’s clear that remote access software like ScreenConnect remains a primary target for threat actors,” said Censys security researcher Himaja Motheram.

The findings come as ransomware groups such as RansomHouse and Rhysida, as well as a Phobos variant called Backmydata, continue to compromise organizations in the United States, United Kingdom, Europe and the Middle East.

RansomHouse developed a custom tool called MrAgent for large-scale deployment of file-encrypting malware, indicating that these cybercriminal groups are moving towards more nuanced and sophisticated tactics.

“MrAgent is a binary file designed to run on [VMware ESXi] Hypervisor whose sole purpose is to automate and track the deployment of ransomware in large environments with a large number of hypervisor systems,” Trellix said. MrAgent details first exposure September 2023.

KELA said another important tactic used by some ransomware groups is to sell direct network access through their own blogs, Telegram channels or data exfiltration websites as a new method of monetization.

This follows the public release of a Linux-specific, C-based ransomware threat called Kryptina, which emerged on underground forums in December 2023 and has since been made available for free on BreachForums by its creator.

“The release of RaaS source code and the large number of files could have a significant impact on the spread and impact of ransomware attacks targeting Linux systems,” said Jim Walter, a researcher at SentinelOne.

“This may increase the attractiveness and availability of ransomware builders, attracting more low-skilled actors into the cybercriminal ecosystem. It also carries a significant risk of leading to the development of multiple derivative products and an increase in attacks.”