In the latest advisory, the U.S. government has alerted the healthcare industry to the escalating threat of BlackCat ransomware (also recognized as ALPHV) attacks. This month, concerns have heightened as the frequency of these cyber strikes has notably increased.
According to a new government warning, the healthcare sector has become a prime target for data breaches, with nearly 70 incidents reported since mid-December 2023.
“This is likely in response to the ALPHV/BlackCat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”
The warning, issued by key government agencies such as the FBI, the Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA), underscores the seriousness of the situation.
The BlackCat ransomware operation suffered a significant setback in late last year when law enforcement agencies collaborated to take down its dark leak sites. However, the takedown effort proved ineffective as the group swiftly regained control of the sites, transforming them into a new TOR data leak page that remains operational to this day.
In recent weeks, BlackCat has intensified its activities targeting companies safeguarding critical infrastructure. It has claimed responsibility for attacks on notable entities, including Prudential Financial, LoanDepot, Trans-Northern Pipelines, and Optum, a subsidiary of UnitedHealth Group.
In response to these developments, the U.S. government has announced rewards of up to $15 million for actionable intelligence, leading to the apprehension of key figures and affiliates of the cybercriminal syndicate.
Concurrently, while BlackCat continues to propagate ransomware attacks, LockBit has resurfaced following its recent shutdown by the U.K. National Crime Agency (NCA).
According to a report by SC Magazine, hackers infiltrated Optum’s network by exploiting significant security vulnerabilities discovered in ConnectWise’s ScreenConnect remote desktop and access software.
The identified vulnerabilities enable threat actors to execute remote code on susceptible systems. Exploiting these flaws, the Black Basta and Bl00dy ransomware groups, among others, have utilized Cobalt Strike Beacons, XWorm, and various remote management tools such as Atera, Syncro, and other ScreenConnect clients for propagation.
As of February 27, 2024, Censys, an attack surface management company, observed approximately 3,400 potentially vulnerable ScreenConnect hosts online. Predominantly located in the United States, Canada, the United Kingdom, Australia, Germany, France, India, the Netherlands, Turkey, and Ireland.
A security researcher at Censys called Himaja Motheram said, “It’s clear that threat actors are still after remote access software like ScreenConnect.”
The findings coincide with the heightened activities of ransomware groups such as RansomHouse, Rhysida, and a variant of Phobos known as Backmydata, targeting businesses across the US, UK, Europe, and the Middle East.
RansomHouse has developed a specialized tool called MrAgent to facilitate the widespread encryption of files, signalling these cybercriminal factions’ adoption of more sophisticated and covert tactics.
“MrAgent is a binary designed to run on [VMware ESXi] hypervisors, with the sole purpose of automating and tracking the deployment of ransomware across large environments with a high number of hypervisor systems,” explained Trellix. Details regarding MrAgent were initially disclosed in September 2023.
KELA noted that an emerging trend among ransomware groups is the direct sale of network access, representing a novel revenue stream advertised on their blogs, Telegram channels, and data leak websites.
This development follows the public emergence of Kryptina, a Linux-specific C-based ransomware threat initially surfacing on underground forums in December 2023. Subsequently, the creator has made it freely accessible on BreachForums.
“The release of the RaaS source code, complete with extensive documentation, could have significant implications for the spread and impact of ransomware attacks against Linux systems,” Jim Walter, from SentinelOne, said.
“It’s likely to make the ransomware builder more appealing and easy to use, bringing in even more people with little or no computer skills.” This also comes with a big chance that it will cause many other problems and make strikes more common.
MANAGED CYBERSECURITY SOLUTIONS
Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.