Ransomware assaults on healthcare over the previous couple of months have been relentless, with quite a few ransomware operations concentrating on hospitals and medical providers, inflicting disruption to affected person care and entry to prescribed drugs within the USA.
The most impactful assault of 2024 to date is the assault on UnitedHealth Group’s subsidiary Change Healthcare, which has had vital penalties for the US healthcare system. This assault was later linked to the BlackCat ransomware operation, with UnitedHealth additionally confirming the group was behind the assault.
Change Healthcare is an digital fee change service utilized by docs, pharmacists, and hospitals to submit billing claims within the US healthcare system.
The assault has brought about vital disruptions in Change Healthcare’s providers, considerably impacting pharmacies that can’t invoice clients selecting up prescription medicines.
This disruption has trickled right down to sufferers, who, in some instances, are pressured to pay full value for his or her drugs till the problem is resolved. However, some medicines can value 1000’s of {dollars}, making it troublesome for a lot of to afford the funds.
To make issues worse, the BlackCat ransomware operation, aka ALPHV, claims to have stolen 6TB of information from Change Healthcare through the assault, containing the private info of tens of millions of individuals.
The assault has led the FBI, CISA, and the HHS to difficulty a joint advisory warning of BlackCat assaults on hospitals.
“The cyberattack in opposition to Change Healthcare that started on Feb. 21 is essentially the most critical incident of its form leveled in opposition to a U.S. well being care group,” warned Rick Pollack, President and CEO, American Hospital Association (AHA).
“We will proceed discussions with UnitedHealth Group and the federal authorities about these efforts as a protracted disruption of Change Healthcare’s programs may imply that some hospitals and well being programs could also be unable to pay salaries for clinicians and different members of the care staff, purchase essential medicines and provides, and pay for mission crucial contract work in areas similar to bodily safety, dietary and environmental providers.” – AHA’s Rick Pollack.
Another ransomware operation often known as Rhysida, additionally identified for its assaults on healthcare, has sunk to a brand new low by making an attempt to promote the stolen affected person knowledge from Lurie Children’s Hospital in Chicago.
Another ransomware identified for concentrating on healthcare is Lockbit, which was hit with a legislation enforcement operation final week known as Operation Cronos that allowed legislation enforcement to grab servers, knowledge, and decryptors.
However, LockBit has returned with new infrastructure and servers, promising to extend safety and forestall such a large takedown once more.
Unfortunately, BleepingComputer has already seen indicators that some associates are actively conducting assaults, nevertheless it seems to be at a diminished capability in comparison with earlier than the legislation enforcement operation.
Even nonetheless, many consider LockBit will shut down quickly after having its popularity tarnished and dropping belief within the cybercrime group.
In different information, an extortion group known as Mogilevich claims to have breached Epic Games and stolen 189 GB of information, together with supply code. Epic Games, although, instructed BleepingComputer that there’s “zero proof” that they have been breached in an assault.
Finally, extra ransomware gangs have jumped on the ScreenConnect RCE vulnerability exploitation prepare, together with Black Basta and the Bl00dy ransomware gang.
Contributors and those that offered new ransomware info and tales this week embody: @demonslay335, @Ionut_Ilascu, @Seifreed, @serghei, @fwosar, @BleepinComputer, @malwrhunterteam,@billtoulas, @LawrenceAbrams, @Threatlabz, @DarkishWebInformer, @CISAgov, @TrendMicro, @Shadowserver, @a_greenberg, @BrettCallow, @Jon__DiMaggio, @CrowdStrike, @H4ckManac, @RobWright22, @ValeryMarchive, and @pcrisk
February twenty fifth 2024
LockBit ransomware returns, restores servers after police disruption
The LockBit gang is relaunching its ransomware operation on a brand new infrastructure lower than per week after legislation enforcement hacked their servers, and is threatening to focus extra of their assaults on the federal government sector.
February twenty sixth 2024
UnitedHealth subsidiary Optum hack linked to BlackCat ransomware
A cyberattack on UnitedHealth Group subsidiary Optum that led to an ongoing outage impacting the Change Healthcare fee change platform was linked to the BlackCat ransomware group by sources accustomed to the investigation.
Ransomware Roundup – Abyss Locker
This version of the Ransomware Roundup covers the Abyss Locker (AbyssLocker) ransomware.
February twenty seventh 2024
FBI, CISA warn US hospitals of focused BlackCat ransomware assaults
Today, the FBI, CISA, and the Department of Health and Human Services (HHS) warned U.S. healthcare organizations of focused ALPHV/Blackcat ransomware assaults.
Black Basta, Bl00dy ransomware gangs be a part of ScreenConnect assaults
The Black Basta and Bl00dy ransomware gangs have joined widespread assaults concentrating on ScreenConnect servers unpatched in opposition to a most severity authentication bypass vulnerability.
Hessen Consumer Center says programs encrypted by ransomware
The Hessen Consumer Center in Germany has been hit with a ransomware assault, inflicting IT programs to close down and briefly disrupting its availability.
New Mallox ransomware variant
PCrisk discovered a brand new Mallox ransomware variant that appends the .ma1x0 extension and drops a ransom word named HOW TO RESTORE FILES.txt.
February twenty eighth 2024
Epic Games: “Zero proof” we have been hacked by Mogilevich gang
Epic Games mentioned they discovered zero proof of a cyberattack or knowledge theft after the Mogilevich extortion group claimed to have breached the corporate’s servers.
LockBit ransomware returns to assaults with new encryptors, servers
The LockBit ransomware gang is as soon as once more conducting assaults, utilizing up to date encryptors with ransom notes linking to new servers after final week’s legislation enforcement disruption.
Ransomware gang claims they stole 6TB of Change Healthcare knowledge
The BlackCat/ALPHV ransomware gang has formally claimed duty for a cyberattack on Optum, a subsidiary of UnitedHealth Group (UHG), which led to an ongoing outage affecting the Change Healthcare platform.
Rhysida ransomware desires $3.6 million for kids’s stolen knowledge
The Rhysida ransomware gang has claimed the cyberattack on Lurie Children’s Hospital in Chicago firstly of the month.
February twenty ninth 2024
CeaseRansomware: Phobos Ransomware
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA, to disseminate identified TTPs and IOCs related to the Phobos ransomware variants noticed as not too long ago as February 2024, in keeping with open supply reporting. Phobos is structured as a ransomware-as-a-service (RaaS) mannequin. Since May 2019, Phobos ransomware incidents impacting state, native, tribal, and territorial (SLTT) governments have been repeatedly reported to the MS-ISAC. These incidents focused municipal and county governments, emergency providers, schooling, public healthcare, and different crucial infrastructure entities to efficiently ransom a number of million U.S. {dollars}
The Mysterious Case of the Missing Trump Trial Ransomware Leak
This week, the infamous ransomware gang often known as LockBit threatened a form of disruption that might have been a primary even for a felony trade that has crippled hospitals and triggered the shutdown of a fuel pipeline: leaking paperwork from the felony prosecution of a former president and presidential candidate.
Then, with out clarification, that risk evaporated, leaving loads of unanswered questions behind.
New Frea Ransomware
PCrisk discovered a brand new ransomware that appends the .frea extension and drops a ransom word named oku.txt.
March 1st 2024
The Anatomy of an ALPHA SPIDER Ransomware Attack
Alphv ransomware-as-a-service, which first emerged in December 2021, is notable for being the primary written within the Rust programming language. The Alphv RaaS affords numerous options designed to draw subtle associates, together with ransomware variants concentrating on a number of working programs; a extremely customizable variant that rebuilds itself each hour to evade antivirus tooling; a searchable database on a transparent net area and the adversary’s devoted leak website (DLS), which allows guests to seek for leaked knowledge; and a Bitcoin mixer built-in to affiliate panels.
Unisys: supply code “exfiltrated” throughout a cyberattack in 2022
For lower than an hour, in early August 2022, Alphv/BlackCat claimed to have stolen supply code from Unisys, throughout a cyberattack. The incident really occurred, reveals the examination of the regulatory declarations of the particular person involved.
New Xorist variants
PCrisk discovered new Xorist ransomware variants that append the .WoXoTo or .RSA-4096 extensions and drops a ransom word named HOW TO DECRYPT FILES.txt.
That’s it for this week! Hope everybody has a pleasant weekend!