Today, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) jointly issued a warning to healthcare organizations in the United States regarding targeted ALPHV/Blackcat ransomware attacks.
ALPHV Blackcat Ransomware Are Executing Hospital Cyberattacks Focusing More on Healthcare Sector
“ALPHV Blackcat affiliates have been observed primarily targeting the healthcare sector,”
The joint advisory cautions.
The current warning builds upon previous notifications, including an April 2022 FBI flash alert and a December 2023 advisory.
These earlier reports provided detailed information about the activities of the cybercrime group known as BlackCat ransomware, which emerged in November 2021 and is suspected to be a rebranding of the DarkSide and BlackMatter ransomware groups.
According to the FBI, BlackCat ransomware has been responsible for more than 60 breaches in its first four months of operation (November 2021 to March 2022) and has collected over $300 million in ransom payments from over 1,000 victims as of September 2023.
“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized,” the three federal agencies warned in today’s joint advisory.
“This is likely in response to the ALPHV Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”
The FBI, CISA, and HHS have provided guidance to critical infrastructure organizations to help them mitigate the risks associated with BlackCat ransomware attacks and data extortion incidents.
It is important for these organizations to implement necessary measures in order to reduce the likelihood and impact of such attacks. Healthcare organizations, in particular, are urged to prioritize cybersecurity safeguards that specifically address the tactics, techniques, and procedures commonly observed in the Healthcare and Public Health (HPH) sector.
Taking these precautions will help protect sensitive data and ensure the resilience of critical healthcare systems.
BlackCat Ransomware Attacks Using ScreenConnect for Initial Access
The recent advisory follows an incident where the BlackCat ransomware operation was connected to a cyberattack on Optum, a subsidiary of UnitedHealth Group.
This attack resulted in an ongoing outage that has affected Change Healthcare, the largest payment exchange platform in the U.S. healthcare system, which connects doctors, pharmacies, healthcare providers, and patients.
Although Tyler Mason, Vice President of UnitedHealth Group, did not explicitly confirm the link to BlackCat ransomware group, he stated that over 90% of the impacted platform’s 70,000+ pharmacies have transitioned to new electronic claim processes.
According to sources familiar with the investigation, Change Healthcare has been conducting Zoom calls with healthcare industry partners to provide updates since the Hospital Cyberattack on their systems. Forensic experts investigating the incident have linked the attack to the BlackCat ransomware group.
The threat actors gained access to the network by exploiting a critical vulnerability in ScreenConnect, specifically the CVE-2024-1709 vulnerability, which allows for an authentication bypass.
While today’s advisory from the FBI, CISA, and HHS did not explicitly mention the Change Healthcare incident, they did share indicators of compromise that align with our previous reporting, confirming that the BlackCat ransomware group is indeed targeting vulnerable ScreenConnect servers as a means to gain remote access into victim networks.
In December, the FBI successfully disrupted the operations of the BlackCat gang by shutting down their Tor negotiation and leak sites. Additionally, law enforcement was able to gain access to the gang’s servers, which enabled them to create a decryptor by collecting keys during a lengthy intrusion.
However, BlackCat has since regained control of their sites and has moved to a new Tor leak site that has not yet been taken down by the FBI.
