
Ransomware attacks on healthcare over the past couple of months have been relentless, with numerous ransomware operations targeting hospitals and medical providers, causing disruption to patient care and access to prescription drugs in the USA.
The most impactful attack of 2024 so far is the attack on UnitedHealth Group's subsidiary Change Healthcare, which has had significant consequences for the US healthcare system. This attack was later linked to the BlackCat ransomware operation, with UnitedHealth also confirming the group was behind the attack.
Change Healthcare is an electronic payment exchange service used by doctors, pharmacists, and hospitals to submit billing claims in the US healthcare system.
The attack has caused significant disruptions to Change Healthcare's services, particularly impacting pharmacies that cannot bill customers picking up prescription medications.
This disruption has trickled down to patients, who, in some cases, are forced to pay full price for their medications until the issue is resolved. However, some medications can cost thousands of dollars, making it difficult for many to afford the payments.
To make matters worse, the BlackCat ransomware operation, aka ALPHV, claims to have stolen 6TB of data from Change Healthcare during the attack, containing the personal information of millions of people.
The attack has led the FBI, CISA, and the HHS to issue a joint advisory warning of BlackCat attacks on hospitals.
"The cyberattack against Change Healthcare that began on Feb. 21 is the most serious incident of its kind leveled against a U.S. health care organization," warned Rick Pollack, President and CEO, American Hospital Association (AHA).
"We will continue discussions with UnitedHealth Group and the federal government about these efforts as a prolonged disruption of Change Healthcare's systems could mean that some hospitals and health systems may be unable to pay salaries for clinicians and other members of the care team, acquire necessary medicines and supplies, and pay for mission critical contract work in areas such as physical security, dietary and environmental services." – AHA's Rick Pollack.
Another ransomware operation known as Rhysida, also known for its attacks on healthcare, has sunk to a new low by attempting to sell the stolen patient data from Lurie Children's Hospital in Chicago.
Another ransomware operation known for targeting healthcare is LockBit, which was hit with a law enforcement operation last week called Operation Cronos that allowed law enforcement to seize servers, data, and decryptors.
However, LockBit has returned with new infrastructure and servers, promising to increase security and prevent such a massive takedown from happening again.
Unfortunately, BleepingComputer has already seen signs that some affiliates are actively conducting attacks, but it appears to be at a reduced capacity compared to before the law enforcement operation.
Even so, many believe LockBit will shut down soon after having its reputation tarnished and losing trust in the cybercrime community.
In other news, an extortion group called Mogilevich claims to have breached Epic Games and stolen 189 GB of data, including source code. Epic Games, though, told BleepingComputer that there is "zero evidence" that they were breached in an attack.
Finally, more ransomware gangs have jumped on the ScreenConnect RCE vulnerability exploitation train, including Black Basta and the Bl00dy ransomware gang.
Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @Ionut_Ilascu, @Seifreed, @serghei, @fwosar, @BleepinComputer, @malwrhunterteam, @billtoulas, @LawrenceAbrams, @Threatlabz, @DarkWebInformer, @CISAgov, @TrendMicro, @Shadowserver, @a_greenberg, @BrettCallow, @Jon__DiMaggio, @CrowdStrike, @H4ckManac, @RobWright22, @ValeryMarchive, and @pcrisk
February 25th 2024
LockBit ransomware returns, restores servers after police disruption
The LockBit gang is relaunching its ransomware operation on new infrastructure less than a week after law enforcement hacked their servers, and is threatening to focus more of their attacks on the government sector.
February 26th 2024
UnitedHealth subsidiary Optum hack linked to BlackCat ransomware
A cyberattack on UnitedHealth Group subsidiary Optum that led to an ongoing outage impacting the Change Healthcare payment exchange platform was linked to the BlackCat ransomware group by sources familiar with the investigation.
Ransomware Roundup – Abyss Locker
This edition of the Ransomware Roundup covers the Abyss Locker (AbyssLocker) ransomware.
February 27th 2024
FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks
Today, the FBI, CISA, and the Department of Health and Human Services (HHS) warned U.S. healthcare organizations of targeted ALPHV/Blackcat ransomware attacks.
Black Basta, Bl00dy ransomware gangs join ScreenConnect attacks
The Black Basta and Bl00dy ransomware gangs have joined widespread attacks targeting ScreenConnect servers unpatched against a maximum severity authentication bypass vulnerability.
Hessen Consumer Center says systems encrypted by ransomware
The Hessen Consumer Center in Germany has been hit with a ransomware attack, causing IT systems to shut down and temporarily disrupting its availability.
New Mallox ransomware variant
PCrisk found a new Mallox ransomware variant that appends the .ma1x0 extension and drops a ransom note named HOW TO RESTORE FILES.txt.
February 28th 2024
Epic Games: "Zero evidence" we were hacked by Mogilevich gang
Epic Games said they found zero evidence of a cyberattack or data theft after the Mogilevich extortion group claimed to have breached the company's servers.
LockBit ransomware returns to attacks with new encryptors, servers
The LockBit ransomware gang is once again conducting attacks, using updated encryptors with ransom notes linking to new servers after last week's law enforcement disruption.
Ransomware gang claims they stole 6TB of Change Healthcare data
The BlackCat/ALPHV ransomware gang has officially claimed responsibility for a cyberattack on Optum, a subsidiary of UnitedHealth Group (UHG), which led to an ongoing outage affecting the Change Healthcare platform.
Rhysida ransomware wants $3.6 million for children's stolen data
The Rhysida ransomware gang has claimed the cyberattack on Lurie Children's Hospital in Chicago at the beginning of the month.
February 29th 2024
StopRansomware: Phobos Ransomware
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known TTPs and IOCs associated with the Phobos ransomware variants observed as recently as February 2024, according to open source reporting. Phobos is structured as a ransomware-as-a-service (RaaS) model. Since May 2019, Phobos ransomware incidents impacting state, local, tribal, and territorial (SLTT) governments have been regularly reported to the MS-ISAC. These incidents targeted municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars.
The Mysterious Case of the Missing Trump Trial Ransomware Leak
This week, the notorious ransomware gang known as LockBit threatened a kind of disruption that would have been a first even for a criminal industry that has crippled hospitals and triggered the shutdown of a gas pipeline: leaking documents from the criminal prosecution of a former president and presidential candidate.
Then, without explanation, that threat evaporated, leaving plenty of unanswered questions behind.
New Frea Ransomware
PCrisk found a new ransomware that appends the .frea extension and drops a ransom note named oku.txt.
March 1st 2024
The Anatomy of an ALPHA SPIDER Ransomware Attack
Alphv ransomware-as-a-service, which first emerged in December 2021, is notable for being the first written in the Rust programming language. The Alphv RaaS offers a number of features designed to attract sophisticated affiliates, including ransomware variants targeting multiple operating systems; a highly customizable variant that rebuilds itself every hour to evade antivirus tooling; a searchable database on a clear web domain and the adversary's dedicated leak site (DLS), which allows visitors to search for leaked data; and a Bitcoin mixer integrated into affiliate panels.
Unisys: source code "exfiltrated" during a cyberattack in 2022
For less than an hour, in early August 2022, Alphv/BlackCat claimed to have stolen source code from Unisys during a cyberattack. The incident actually occurred, as an examination of the regulatory filings of the company concerned reveals.
New Xorist variants
PCrisk found new Xorist ransomware variants that append the .WoXoTo or .RSA-4096 extensions and drop a ransom note named HOW TO DECRYPT FILES.txt.
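The three PCrisk entries this week (Mallox, Frea, and Xorist) each report the pair of indicators an incident responder actually triages on: the extension appended to encrypted files and the name of the dropped ransom note. The following Python is an added example, not code from BleepingComputer, PCrisk, or any of the vendors mentioned, showing how those pairs become a small triage helper that runs over a file listing exported from a suspect host. The indicator table contains only what this page reports, the file listing is constructed for the example, and the confidence thresholds in assess() are assumptions of mine rather than any published guidance.

```python
import os
from collections import defaultdict

# Indicators as reported in this week's PCrisk entries on the page:
#   Mallox -> .ma1x0               / HOW TO RESTORE FILES.txt
#   Frea   -> .frea                / oku.txt
#   Xorist -> .WoXoTo, .RSA-4096   / HOW TO DECRYPT FILES.txt
# Illustrative table only; a real tool would load a maintained IOC feed.
FAMILY_INDICATORS = {
    "Mallox": {"extensions": {".ma1x0"}, "notes": {"HOW TO RESTORE FILES.txt"}},
    "Frea": {"extensions": {".frea"}, "notes": {"oku.txt"}},
    "Xorist": {"extensions": {".WoXoTo", ".RSA-4096"}, "notes": {"HOW TO DECRYPT FILES.txt"}},
}

# Constructed file listing, in the shape a forensic export from a hit host might take.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.ma1x0",
    r"C:\Users\alice\Documents\HOW TO RESTORE FILES.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.ma1x0",
    r"C:\Users\alice\Pictures\HOW TO RESTORE FILES.txt",
    r"C:\Users\alice\Desktop\notes.txt",
    r"D:\share\contract.pdf.RSA-4096",
    r"D:\share\HOW TO DECRYPT FILES.txt",
    r"E:\backup\archive.zip.frea",
]


def _basename(path):
    """Last path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def _indicator_index():
    """Invert FAMILY_INDICATORS into case-insensitive lookup tables."""
    ext_map, note_map = {}, {}
    for family, ind in FAMILY_INDICATORS.items():
        for ext in ind["extensions"]:
            ext_map[ext.lower()] = family
        for note in ind["notes"]:
            note_map[note.lower()] = family
    return ext_map, note_map


def classify_listing(paths):
    """Group paths by family: count of files carrying its extension, and where its notes sit."""
    ext_map, note_map = _indicator_index()
    hits = defaultdict(lambda: {"encrypted": 0, "notes": []})
    for path in paths:
        name = _basename(path)
        family = note_map.get(name.lower())
        if family:
            hits[family]["notes"].append(path)
            continue
        # splitext keeps only the final suffix, so "contract.pdf.RSA-4096" -> ".RSA-4096"
        _, ext = os.path.splitext(name)
        family = ext_map.get(ext.lower())
        if family:
            hits[family]["encrypted"] += 1
    return dict(hits)


def original_name(filename):
    """Strip a known ransomware extension so the pre-encryption name can be reported."""
    ext_map, _ = _indicator_index()
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in ext_map else filename


def assess(paths, min_encrypted=3):
    """Map each matched family to a confidence verdict (thresholds are assumptions).

    An extension match on its own is weak evidence, since families reuse and
    copy each other's extensions; a ransom note sitting next to files that carry
    the matching extension is the combination worth escalating.
    """
    verdicts = {}
    for family, hit in classify_listing(paths).items():
        if hit["notes"] and hit["encrypted"]:
            verdicts[family] = "note and encrypted files present"
        elif hit["encrypted"] >= min_encrypted:
            verdicts[family] = "extension only, multiple files"
        elif hit["encrypted"]:
            verdicts[family] = "extension only, weak"
        else:
            verdicts[family] = "ransom note only, check for copied sample"
    return verdicts


if __name__ == "__main__":
    for family, verdict in sorted(assess(SAMPLE_LISTING).items()):
        print(f"{family}: {verdict}")
```

On the constructed listing, Mallox and Xorist both come back with note and encrypted files present, while Frea is flagged as extension-only and weak because a single .frea file with no oku.txt beside it could just as easily be a sample someone copied onto the share. Matching the note name before the extension matters: the note itself ends in .txt, and a table that one day includes a .txt-style extension would otherwise count ransom notes as encrypted files.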
That's it for this week! Hope everyone has a nice weekend!
