
BlackCat, LockBit Hit Hospitals: Bold Claims, Vanishing Acts

In a world where technology and healthcare collide, a disturbing pattern has emerged: cyberattacks on hospitals in the United States are not only on the rise but becoming dangerously common. Each day seems to unveil another ominous headline detailing yet another institution falling victim to the clutches of cybercriminals. But what sets these recent cyberattacks on hospitals apart is not just their scale, but the audacity of those behind them. Enter the ALPHV BlackCat and LockBit ransomware groups.

These ransomware groups have boldly claimed responsibility for wreaking havoc on the healthcare sector, leaving a trail of corrupted systems and crippled services in their wake. Dominic Alvieri, a cybersecurity analyst and security researcher, has detailed the significant damage caused by these groups.

On February 27, Alvieri shared insights on the ALPHV BlackCat cyberattacks, which targeted numerous hospitals and pharmacies throughout the United States. However, the situation continued to escalate with each passing day.

Source: Dominic Alvieri

Change Healthcare, a vital component of the US healthcare sector and a division of UnitedHealth Group, suffered a breach in the second week of February. Subsequently, Alvieri’s tweet on February 28 disclosed that ALPHV BlackCat claimed responsibility for the cyberattack on UnitedHealth, implicating other significant entities including Medicare, MetLife, CVS Caremark, Loomis, HealthNet, and Teachers Health Trust. 

Source: Dominic Alvieri

Just when the dust seemed to settle, a twist emerged on February 29: ALPHV BlackCat seemingly withdrew its claim on UnitedHealth Group, leaving analysts and authorities baffled. However, the narrative does not end here; the LockBit ransomware group followed the same strategy.  

Initially, The Cyber Express reported LockBit’s claim of responsibility for the cyberattack on Fulton County. The group appeared to be consolidating its position, setting a menacing deadline of March 2, 2024, for the release of stolen data unless a ransom was met. However, on February 29, LockBit surprised observers by removing Fulton County, Georgia from their list of victims. 

Source: Dominic Alvieri

Moreover, LockBit’s credibility took a hit when EquiLend and Ernest Healthcare were swiftly deleted from its leak blog shortly after the group had claimed cyberattacks on them. This sudden change only adds to the intrigue surrounding these cyberattacks, raising more questions than answers about the motives and strategies of these nefarious groups.

Now, the question arises: Are these ransomware groups retracting their claims because the victims have paid the ransom? Or are they trying to showcase their resilience after the FBI intervention, signaling that such disruptions don’t affect them, and garnering attention by first claiming responsibility and then retracting it? Moreover, why are these ransomware groups specifically targeting hospitals in the US?

These questions linger like an ominous cloud over the healthcare landscape, demanding answers that could shape the future of cybersecurity and patient safety. 

Let’s dive deep and try to find answers to some of these questions and understand the tactics, motives, and potential consequences of these brazen cyberattacks on the very heart of our healthcare infrastructure. 

The Growing Threat of Cyberattacks in US Healthcare 

The cybersecurity situation in healthcare has become increasingly dangerous, with ransomware and hacking emerging as major concerns. Over the past five years, statistics reveal a staggering 256% surge in large breaches involving hacking and a 264% uptick in ransomware incidents reported to the Office for Civil Rights (OCR). In 2023 alone, hacking accounted for 79% of the large breaches reported to OCR, impacting over 134 million individuals—a harrowing 141% increase from the previous year.

The year 2024 has barely begun, yet the US healthcare fraternity has already been rocked by major cyberattacks of significant magnitude. February saw the prestigious Ann & Robert H. Lurie Children’s Hospital of Chicago, a cornerstone of pediatric care in the nation, falling victim to a ransomware attack.

The hospital was compelled to take its communication channels, including phone lines and emails, as well as medical record systems, offline in response. The gravity of the situation has prompted an investigation by the Federal Bureau of Investigation (FBI) to ascertain the extent and implications of the breach. 

Shortly thereafter, Change Healthcare, a prominent healthcare technology provider in the US, disclosed a cyberattack on its systems, triggering widespread disruptions across the country’s healthcare services. The company issued a statement acknowledging a network interruption stemming from a cybersecurity issue, raising concerns about the resilience of critical healthcare infrastructure to such threats. 

Adding to the growing list of cybersecurity setbacks in the healthcare sector, Cencora Inc., formerly known as AmerisourceBergen, a key player in the American pharmaceutical wholesale industry, revealed a significant breach in its information systems. Discovered on February 21, 2024, this unauthorized access incident has underscored the vulnerability of healthcare networks, amplifying fears regarding the potential exposure of sensitive personal data. 

These episodes are not isolated occurrences, but rather part of a concerning pattern that has afflicted the healthcare business. In November 2023, a ransomware attack hit a healthcare network that operates 30 hospitals and 200 health facilities in the United States, requiring emergency room diversions and surgery postponements.  

Additionally, a rural Illinois hospital was forced to permanently close its doors due to a financial disaster caused by a hack. The gravity of these breaches was amplified when hackers boldly shared images and patient information from a Pennsylvania health network exposed in a prior cyberattack, demonstrating the vulnerability and fragility of patient data security in the digital age. 

How Do We Confirm the Link? 

The recent surge in cyberattacks linked to the BlackCat (ALPHV) ransomware gang has underscored the critical importance of addressing vulnerabilities promptly and proactively. One such link is the exploitation of a critical ScreenConnect authentication bypass flaw (CVE-2024-1709) together with an accompanying path traversal flaw (CVE-2024-1708). These vulnerabilities have been actively leveraged by threat actors to deploy ransomware on unpatched servers, posing significant risks to organizations’ cybersecurity posture.

ConnectWise, the provider of ScreenConnect software, has issued urgent warnings to its customers, urging them to swiftly patch their servers against these vulnerabilities. The severity of the flaw lies in its potential for remote code execution (RCE) attacks, enabled by an authentication bypass weakness.  

Exploiting this vulnerability grants attackers unauthorized access to sensitive data or the ability to execute arbitrary code remotely, with low-complexity attacks that bypass the need for user interaction. Additionally, ConnectWise has addressed a path traversal vulnerability in its remote desktop software, posing a threat only to systems with elevated privileges. 

The exploitation of these vulnerabilities has seen a diverse array of threat actors taking advantage, resulting in a wide range of secondary malware payloads observed by security experts. From coin miners to LockBit ransomware, the ramifications of these attacks have been far-reaching and devastating. RedSense, a cybersecurity firm, anticipates a significant escalation in exploitation activities around these vulnerabilities, warning of a heavy flow of victims falling prey to ongoing attacks. 

Amidst these developments, concerns have been raised about the increasing exploitation of legitimate remote monitoring and management (RMM) software for malicious purposes. A joint advisory issued by CISA, the NSA, and MS-ISAC highlights the rising trend of attackers leveraging tools like ConnectWise ScreenConnect for nefarious activities, posing formidable challenges to cybersecurity defenders. 

Although UnitedHealth Group VP Tyler Mason refrained from explicitly attributing the recent attack to BlackCat, the implementation of new electronic claim processes by 90% of affected pharmacies underscores the urgency and severity of the situation. These developments serve as a clarion call for organizations to bolster their cybersecurity defenses, prioritize patch management, and remain vigilant against evolving threats in an increasingly hostile digital landscape. 

But Why Is US Healthcare a Prime Target for Cybercriminals?

The US healthcare sector stands as a prime target for cybercriminals, driven by a confluence of factors that make it uniquely vulnerable to malicious attacks. Under the stringent regulations of the HIPAA privacy rule, even the encryption of PHI (Protected Health Information) in a ransomware attack constitutes a notifiable violation, highlighting the gravity of cybersecurity breaches in this domain. 

According to a LinkedIn post by Dave Henderson, Sales Manager at 2 Dog Digital, as businesses increasingly fortify themselves against ransomware by adopting offline backups, cybercriminals are adapting novel tactics to maximize their gains. One such approach is the emergence of double-threat ransomware, where hackers not only encrypt healthcare data but also exfiltrate illicit copies for themselves.

This puts targeted organizations in a precarious position, facing demands for payment for decryption keys alongside threats of data disclosure if ransom demands are unmet. The evolution doesn’t stop there, with the advent of triple-threat ransomware introducing a new level of complexity. In this scenario, both the organization and its patients receive ransom notes, compounding the urgency and pressure to comply with demands. 

Furthermore, insights shared by Nitish Srivastava, Cloud Security Analyst at Birlasoft on LinkedIn, shed light on the myriad challenges inherent in healthcare cybersecurity. The sensitive nature of medical data, containing highly personal and confidential information, renders it a lucrative prize for cybercriminals scouring the dark web.

Compounding this vulnerability is the prevalence of legacy systems within healthcare institutions, often outdated and susceptible to exploitation. The proliferation of interconnected devices, fueled by the adoption of IoT (Internet of Things) technologies, further widens the attack surface, leaving healthcare networks exposed to infiltration and compromise. 

Regulatory compliance adds another layer of complexity, with healthcare providers mandated to adhere to stringent regulations like HIPAA in the US. Compliance requirements necessitate robust security measures to safeguard patient data, adding to the burden faced by healthcare organizations striving to uphold the integrity and confidentiality of sensitive information. 

In essence, the healthcare industry grapples with a multitude of challenges in fortifying its digital infrastructure and preserving the sanctity of patient data.  

Rashika Mandal, VP Vertus Enterprises Inc. further shared on LinkedIn that ransomware attacks loom large, posing a significant threat not only to patient care but also to the operational continuity of healthcare systems. Securing critical infrastructure remains an ongoing battle, as healthcare organizations navigate the intricate landscape of cybersecurity in an ever-evolving digital age. 

How Cyberattacks on Healthcare Threaten Lives

The ALPHV/BlackCat group’s cyberattack against Change Healthcare has far-reaching ramifications, particularly for public health and mortality statistics. This incident draws attention to the real and concrete impacts of cyberattacks on the healthcare industry, which are frequently under-discussed. Reyben T. Cortes, Microsoft Cybersecurity Scholarship recruiter, emphasizes the urgency of recognizing the severe impacts of such attacks on human lives in his LinkedIn post.

“The ALPHV/BlackCat group’s pre-meditated attack on Change Healthcare is impacting health! It’s about damn time to bring to light the direct impacts of mortality rates on Cyberattacks against the healthcare sector, there is not enough discussion on this and it pains me to see the same words of pain from patients and victims who were at St. Laurie Sick Children Hospital which we later learned came from Rhysida! There is a lot to unpack here and LinkedIn couldn’t even handle 20 more,” reads the LinkedIn post of Cortes.

By analyzing data from various sources, including Reddit discussions and leaked emails, it becomes evident that the attack has caused widespread disruptions in healthcare services, particularly in prescription processing. Patients across different regions, from healthcare forums to local subreddits, report difficulties in accessing essential medications, with some forced to seek emergency care due to the unavailability of crucial treatments like insulin and blood pressure medications.

The outage not only jeopardizes the health of individuals but also poses life-threatening situations, as evidenced by cases where patients fear for their lives due to the inability to obtain necessary medications or treatments.

Furthermore, leaked emails indicating the prolonged duration of the outage exacerbate the situation, with patients facing the prospect of enduring weeks without access to vital healthcare services. The severity of the situation prompts discussions on potential solutions, such as donating unexpired insulin to mitigate the impact on affected individuals.

Cortes highlights the urgency of addressing cybersecurity vulnerabilities in the healthcare sector, emphasizing the need for proactive measures to prevent such cyberattacks on hospitals and mitigate their consequences.

The Change Healthcare cyberattack serves as a wake-up call, highlighting the pressing need for improved cybersecurity infrastructure and preparedness within the healthcare industry. Ignoring the reality of cyber threats in healthcare only perpetuates the vulnerability of individuals and healthcare systems, highlighting the importance of taking decisive action to safeguard public health and well-being.

What Is the Government Doing to Curb This?

In response to the escalating threat posed by ransomware attacks, the US government has initiated multifaceted efforts aimed at dismantling criminal operations and bolstering cybersecurity resilience across critical sectors.  

One such initiative is the FBI Reward Program, a collaborative effort between the US Department of State, Department of Justice (DOJ), and the Federal Bureau of Investigation (FBI), offering rewards of up to $15 million to individuals providing actionable information leading to the identification, location, arrest, and/or conviction of those involved in the ALPHV BlackCat ransomware group’s operations. 

Additionally, in a concerted endeavor to confront the evolving ransomware landscape, the Cybersecurity and Infrastructure Security Agency (CISA) partnered with the FBI and the Department of Health and Human Services (HHS) to release a comprehensive update to the joint advisory, #StopRansomware: ALPHV Blackcat. This updated advisory equips network defenders with vital insights, new indicators of compromise (IOCs), and tactics, techniques, and procedures (TTPs) associated with the nefarious ALPHV Blackcat ransomware-as-a-service (RaaS) operation. 

The heightened targeting of critical infrastructure sectors, notably healthcare institutions, by the ALPHV Blackcat ransomware campaign highlights the urgency for vigorous mitigation strategies. Consequently, the advisory delineates comprehensive mitigation measures tailored to critical infrastructure organizations. These measures include securing remote access tools, implementing robust multifactor authentication (MFA) mechanisms, and conducting regular user training exercises to enhance awareness of social engineering and phishing threats. 

Moreover, to address the cybersecurity challenges faced by small and local organizations lacking adequate resources, CISA has spearheaded an innovative approach through University Cybersecurity Clinics. These clinics harness the talents of students from diverse academic backgrounds, training them to fortify the digital defenses of non-profits, hospitals, municipalities, small businesses, and other under-resourced entities.  

Source: Twitter

For instance, the Consortium of Cybersecurity Clinics, co-chaired by the Center for Long-Term Cybersecurity and the MIT Cybersecurity Clinic, coordinates efforts across over a dozen university clinics nationwide. This collaborative consortium serves as a platform for knowledge sharing, capacity building, and advocacy, facilitating the establishment of cybersecurity clinics and fostering a robust talent pipeline for cyber civil defense. 

LockBit, BlackCat Remain a Challenge Despite Law Enforcement Efforts 

Despite concerted efforts by government bodies, ransomware groups continue to pose formidable challenges to law enforcement and cybersecurity agencies worldwide. Following the release of the comprehensive joint advisory by CISA, HHS, and FBI, the ALPHV BlackCat ransomware group wasted no time in claiming new victims, further highlighting their audacious and persistent nature.

Verbraucherzentrale Hessen, a consumer advice center in Germany, and Electro Marteix, SL, a company based in Spain, were among the latest targets of the nefarious group. 

The cyberattack on Verbraucherzentrale Hessen, as confirmed by officials, highlights the severity of the threat posed by ransomware groups. However, the consumer advice center’s reluctance to disclose the identity of the ransomware group responsible adds layers of uncertainty to the situation, leaving questions unanswered.  

Conversely, while no signs of foul play were evident on Electro Marteix, SL’s website, doubts arise regarding ALPHV ransomware’s claim of targeting the Spanish company. With the confirmed cyberattack at Verbraucherzentrale Hessen on one side and the absence of evidence at Electro Marteix on the other, the veracity of the ransomware group’s assertions remains an open question.

In a global effort to combat ransomware, the FBI, along with international law enforcement agencies from the United Kingdom, Australia, Germany, Spain, and Denmark, initiated a disruption campaign against the ALPHV BlackCat operators. However, the group’s resilience was evident when, less than 24 hours after the FBI announced the seizure of their leak site, they asserted reestablishing control, accompanied by a menacing message directed at the FBI. 

A similar pattern emerged with the LockBit ransomware group, where the Department of Justice, in collaboration with international law enforcement agencies, announced the disruption of their operations. Despite this setback, LockBit 4.0 swiftly returned, listing 12 new victims on their data leak page and engaging in discussions about the seizure of their websites. The group’s detailed response sheds light on their motivations, failures in keeping systems up-to-date, and speculations about their compromise methods and the reasons behind law enforcement’s actions. 

The striking similarities in the patterns observed among ransomware groups raise questions about potential collaboration and coordination in future cyberattacks. Whether these occurrences are mere coincidence or indicative of a more sinister collaboration remains a subject of speculation.

Nonetheless, the persistence and audacity exhibited by ransomware groups underscore the urgent need for enhanced cybersecurity measures and international cooperation to mitigate the evolving threat landscape posed by cybercriminals. 

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
