The Week In Ransomware March 1st 2024 Healthcare Under Siege
Ransomware attacks on healthcare over the last few months have been relentless, with numerous ransomware operations targeting hospitals and medical services, causing disruption to patient care and access to prescription drugs in the USA.
The most impactful attack of 2024 so far is the attack on UnitedHealth Group’s subsidiary Change Healthcare, which has had significant consequences for the US healthcare system. This attack was later linked to the BlackCat ransomware operation, with UnitedHealth also confirming the group was behind the attack.
Change Healthcare is an electronic payment exchange service used by doctors, pharmacists, and hospitals to submit billing claims in the US healthcare system.
The attack has caused significant disruptions in Change Healthcare’s services, significantly impacting pharmacies that cannot bill customers picking up prescription medicines.
This disruption has trickled down to patients, who, in some cases, are forced to pay full price for their medications until the issue is resolved. However, some medicines can cost thousands of dollars, making it difficult for many to afford the payments.
To make matters worse, the BlackCat ransomware operation, aka ALPHV, claims to have stolen 6TB of data from Change Healthcare during the attack, containing the personal information of millions of people.
The attack has led the FBI, CISA, and the HHS to issue a joint advisory warning of BlackCat attacks on hospitals.
“The cyberattack against Change Healthcare that began on Feb. 21 is the most serious incident of its kind leveled against a U.S. health care organization,” warned Rick Pollack, President and CEO, American Hospital Association (AHA).
“We will continue discussions with UnitedHealth Group and the federal government about these efforts as a prolonged disruption of Change Healthcare’s systems could mean that some hospitals and health systems may be unable to pay salaries for clinicians and other members of the care team, acquire necessary medicines and supplies, and pay for mission critical contract work in areas such as physical security, dietary and environmental services.” – AHA’s Rick Pollack.
Another ransomware operation known as Rhysida, also known for its attacks on healthcare, has sunk to a new low by trying to sell the stolen patient data from Lurie Children’s Hospital in Chicago.
Another ransomware known for targeting healthcare is Lockbit, which was hit with a law enforcement operation last week called Operation Cronos that allowed law enforcement to seize servers, data, and decryptors.
However, LockBit has returned with new infrastructure and servers, promising to increase security and prevent such a massive takedown again.
Unfortunately, BleepingComputer has already seen signs that some affiliates are actively conducting attacks, but it appears to be at a diminished capacity compared to before the law enforcement operation.
Even still, many believe LockBit will shut down soon after having its reputation tarnished and losing trust in the cybercrime community.
In other news, an extortion group called Mogilevich claims to have breached Epic Games and stolen 189 GB of data, including source code. Epic Games, though, told BleepingComputer that there is “zero evidence” that they were breached in an attack.
Finally, more ransomware gangs have jumped on the ScreenConnect RCE vulnerability exploitation train, including Black Basta and the Bl00dy ransomware gang.
Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @Ionut_Ilascu, @Seifreed, @serghei, @fwosar, @BleepinComputer, @malwrhunterteam,@billtoulas, @LawrenceAbrams, @Threatlabz, @DarkWebInformer, @CISAgov, @TrendMicro, @Shadowserver, @a_greenberg, @BrettCallow, @Jon__DiMaggio, @CrowdStrike, @H4ckManac, @RobWright22, @ValeryMarchive, and @pcrisk
February 25th 2024
LockBit ransomware returns, restores servers after police disruption
The LockBit gang is relaunching its ransomware operation on a new infrastructure less than a week after law enforcement hacked their servers, and is threatening to focus more of their attacks on the government sector.
February 26th 2024
UnitedHealth subsidiary Optum hack linked to BlackCat ransomware
A cyberattack on UnitedHealth Group subsidiary Optum that led to an ongoing outage impacting the Change Healthcare payment exchange platform was linked to the BlackCat ransomware group by sources familiar with the investigation.
Ransomware Roundup – Abyss Locker
This edition of the Ransomware Roundup covers the Abyss Locker (AbyssLocker) ransomware.
February 27th 2024
FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks
Today, the FBI, CISA, and the Department of Health and Human Services (HHS) warned U.S. healthcare organizations of targeted ALPHV/Blackcat ransomware attacks.
Black Basta, Bl00dy ransomware gangs join ScreenConnect attacks
The Black Basta and Bl00dy ransomware gangs have joined widespread attacks targeting ScreenConnect servers unpatched against a maximum severity authentication bypass vulnerability.
Hessen Consumer Center says systems encrypted by ransomware
The Hessen Consumer Center in Germany has been hit with a ransomware attack, causing IT systems to shut down and temporarily disrupting its availability.
New Mallox ransomware variant
PCrisk found a new Mallox ransomware variant that appends the .ma1x0 extension and drops a ransom note named HOW TO RESTORE FILES.txt.
February 28th 2024
Epic Games: “Zero evidence” we were hacked by Mogilevich gang
Epic Games said they found zero evidence of a cyberattack or data theft after the Mogilevich extortion group claimed to have breached the company’s servers.
LockBit ransomware returns to attacks with new encryptors, servers
The LockBit ransomware gang is once again conducting attacks, using updated encryptors with ransom notes linking to new servers after last week’s law enforcement disruption.
Ransomware gang claims they stole 6TB of Change Healthcare data
The BlackCat/ALPHV ransomware gang has officially claimed responsibility for a cyberattack on Optum, a subsidiary of UnitedHealth Group (UHG), which led to an ongoing outage affecting the Change Healthcare platform.
Rhysida ransomware wants $3.6 million for children’s stolen data
The Rhysida ransomware gang has claimed the cyberattack on Lurie Children’s Hospital in Chicago at the start of the month.
February 29th 2024
StopRansomware: Phobos Ransomware
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA, to disseminate known TTPs and IOCs associated with the Phobos ransomware variants observed as recently as February 2024, according to open source reporting. Phobos is structured as a ransomware-as-a-service (RaaS) model. Since May 2019, Phobos ransomware incidents impacting state, local, tribal, and territorial (SLTT) governments have been regularly reported to the MS-ISAC. These incidents targeted municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars
The Mysterious Case of the Missing Trump Trial Ransomware Leak
This week, the notorious ransomware gang known as LockBit threatened a kind of disruption that would have been a first even for a criminal industry that has crippled hospitals and triggered the shutdown of a gas pipeline: leaking documents from the criminal prosecution of a former president and presidential candidate.
Then, without explanation, that threat evaporated, leaving plenty of unanswered questions behind.
New Frea Ransomware
PCrisk found a new ransomware that appends the .frea extension and drops a ransom note named oku.txt.
March 1st 2024
The Anatomy of an ALPHA SPIDER Ransomware Attack
Alphv ransomware-as-a-service, which first emerged in December 2021, is notable for being the first written in the Rust programming language. The Alphv RaaS offers a number of features designed to attract sophisticated affiliates, including ransomware variants targeting multiple operating systems; a highly customizable variant that rebuilds itself every hour to evade antivirus tooling; a searchable database on a clear web domain and the adversary’s dedicated leak site (DLS), which enables visitors to search for leaked data; and a Bitcoin mixer integrated to affiliate panels.
Unisys: source code “exfiltrated” during a cyberattack in 2022
For less than an hour, in early August 2022, Alphv/BlackCat claimed to have stolen source code from Unisys, during a cyberattack. The incident actually occurred, reveals the examination of the regulatory declarations of the person concerned.
New Xorist variants
PCrisk found new Xorist ransomware variants that append the .WoXoTo or .RSA-4096 extensions and drops a ransom note named HOW TO DECRYPT FILES.txt.