This Week in Cybersecurity – 26th Feb to 01st March: LockBit Ransomware Returns

LockBit Ransomware Returns, BlackCat Ransomware Disrupts Healthcare, Rhysida Ransomware Targets Hospitals!

---

Return of the Lockbit: LockBit Ransomware Returns and ReLaunches Its Dark Web Leak Site

The notorious LockBit ransomware group has resumed operations just five days after law enforcement dismantled its infrastructure in Operation Cronos. LockBit acknowledges it exposed servers running outdated PHP due to complacency. A new .onion site lists victim countdowns while LockBit pledges to decentralize and implement maximum decryptor protection. LockBit aims to harden defenses against infiltrations like the vulnerability law enforcement exploited. Read more

ALPHV Ransomware Claims Two New Victims, One Victim Confirmed!

The ALPHV ransomware group claims attacks on Verbraucherzentrale Hessen, a German consumer advice center, and Electro Marteix, a Spanish company. Verbraucherzentrale Hessen confirms a February 22 incident disrupted phone lines and online services, though most data was restored. The attack is under investigation. Electro Marteix shows no indications of compromise, casting doubt on the second claim. CISA, FBI and HHS respond with a joint advisory on the rising ALPHV/BlackCat ransomware threat targeting critical infrastructure like healthcare. Read more

FBI, CISA Issue Advisory on Targeted BlackCat Ransomware Attacks

The FBI, CISA and HHS have issued an advisory about increased BlackCat/ALPHV ransomware attacks targeting the healthcare sector. Over 70% of recently leaked victims are medical providers. The joint notice attributes this to BlackCat encouraging affiliates to focus on hospitals after its infrastructure was disrupted in December. Tactics include using ScreenConnect vulnerabilities for remote access and exploiting vulnerable medical payment platforms akin to the Optum attack. The agencies have also shared indicators to help defenders combat BlackCat ransomware’s intensifying targeting of healthcare. Read more

UnitedHealth Subsidiary Optum Hacked, Sources Link the Cyberattack to BlackCat Ransomware

The ransomware attack on UnitedHealth’s Optum subsidiary that has disrupted healthcare networks was likely carried out by BlackCat. The cyberattack targeted the Change Healthcare platform, impacting EHRs, payments and coordination systems. Forensics links the hackers to BlackCat ransomware through a ScreenConnect vulnerability exploited for initial access. Attribution remains unconfirmed but indications point to BlackCat operations.

Rhysida Ransomware Claims the Lurie Children’s Hospital Cyberattack, Demands $3.6 Million for Stolen Data

The Rhysida ransomware group has taken responsibility for a cyberattack on Lurie Children’s Hospital in Chicago. The incident disrupted key systems and made medical data inaccessible. Rhysida now lists the hospital on its extortion portal, claiming to have stolen 600GB of data. A $3.6 million ransom in bitcoin is demanded within seven days. Rhysida threatens to sell the data or release it freely online. The hospital continues restoring systems while facing operational challenges from the ongoing disruptions. Read more

Insomniac Investigates Games Rhysida Ransomware Data Breach and Alerts Employees

Video game studio Insomniac Games, owned by Sony, is investigating a November Rhysida ransomware attack that led to a data breach. Rhysida ransomware stole over 1.3 million files from Insomniac and leaked 1.67TB of documents after a ransom was unpaid. Insomniac is now notifying employees whose personal information was among the exfiltrated data from November 25-26. The company also offered affected workers an extra two years of credit monitoring through their employee benefits in response to the security incident. The scope and full details remain under review. Read more

Cencora Data Breached, Personal Information of Patients Stolen

Pharmaceutical company Cencora has reported a cyberattack resulting in the theft of data from its IT systems. In an SEC filing, Cencora revealed unauthorized access led to the exfiltration of information that may include patients’ personal details. The scope is under investigation. Cencora is working with law enforcement and experts but has provided few initial details. It remains unclear if the incident will have financial or operational impacts for the drug distributor. Read more

U-Haul Data Breach Compromises Personal Information of 67K Customers

Truck and trailer rental company U-Haul has notified approximately 67,000 customers in the US and Canada about a data breach that occurred last year. Hackers accessed a system used by dealers and employees between July and October 2023 to view customer records, compromising names, dates of birth, and driver’s license numbers. U-Haul is offering free identity protection services and has reset affected accounts’ passwords following the incident. Read more

RCMP Cyberattack Takes Down All Main Websites

Canada’s Royal Canadian Mounted Police (RCMP) is facing a major cyberattack that has taken down several of its key websites. On Sunday, the RCMP websites in Nova Scotia, New Brunswick, and Ottawa went down, displaying error messages. The RCMP says the situation is evolving and operations have not been impacted, but characterized the breach as “alarming.” An investigation is ongoing to identify the threat actor and assess the situation, while no further details have been provided at this stage. Read more

UAC-0184 Uses Steganography to Execute IDAT Loader and Install Remcos RAT

A hacking group called UAC-0184, known for targeting Ukrainian military, has expanded its operations. It embeds malicious code in distorted PNG images using steganography to avoid detection. Opening a boobytrapped file installs the IDAT malware loader from the image, which then decrypts and executes the Remcos RAT backdoor in memory across modular stages. UAC-0184 delivered this attack sequence against a Finnish organization. Read more