Feds Warn Healthcare Sector About ALPHV/Blackcat Ransomware Group
A joint cybersecurity advisory was released by the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Federal Bureau of Investigation (FBI) about identified Indicators of Compromise (IoCs) and the newest Tactics, Techniques, and Procedures (TTPs) employed by the ALPHV/Blackcat ransomware group.
In December 2023, the U.S. Department of Justice (DoJ) announced that it had disrupted the activities of the ALPHV/Blackcat ransomware group. An FBI agent posing as an affiliate gained access to the group's computer network and seized several websites run by the group.
Approximately 900 public/private key pairs were obtained, which made it possible to develop a decryption tool to help victims recover their files. After the DoJ announcement, a representative of the group stated that it had regained control of the websites and threatened retaliation. According to the group, the restrictions previously imposed on affiliates were removed: nuclear power plants, hospitals, and anything else could be attacked. The only rule that remained was the ban on attacks within the Commonwealth of Independent States (CIS).
Based on the advisory, hospitals appear to be the group's principal target. As of December 2023, ALPHV/Blackcat had posted the data of 70 victims on its data leak site, and the healthcare sector has been the most targeted. Although the advisory does not name specific healthcare victims, the most recent is Change Healthcare. ALPHV/Blackcat claims to have stolen 6TB of data in that attack, including data from all of Change Healthcare's customers, such as CVS Caremark, Health Net Medicare, and Tricare. Change Healthcare was added to the group's data leak site shortly after the advisory was published.
The advisory states that ALPHV/Blackcat affiliates typically pose as IT or helpdesk staff to obtain employees' credentials and gain initial access to healthcare networks. The group also gains initial access through phishing, using the Evilginx phishing kit to capture multifactor authentication codes, login credentials, and session cookies. Affiliates then deploy legitimate remote access software such as AnyDesk, Mega sync, and Splashtop in preparation for data exfiltration; tunneling tools such as Ngrok and Plink; and Cobalt Strike and Brute Ratel C4 as beacons to command-and-control servers. Affiliates move laterally to expose systems more broadly and use tools such as Metasploit to evade detection.
Although many ALPHV/Blackcat affiliates carry out both data theft and file encryption, some choose not to encrypt files and simply steal data, then threaten to publish it if the ransom is not paid. This approach makes attacks quicker and less likely to be detected. The advisory provides the latest MITRE ATT&CK tactics and techniques, incident response recommendations, IoCs, and mitigations for improving cybersecurity posture, including phishing-resistant multifactor authentication (public key infrastructure (PKI)-based MFA or FIDO/WebAuthn authentication).
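The reason the advisory recommends FIDO/WebAuthn against kits like Evilginx is origin binding: the authenticator signs the origin the browser actually connected to, so a reverse proxy on a lookalike domain yields an assertion the real site rejects. The following is an added example, not from the advisory or this page, of the relying-party checks in Python; the RP ID portal.hospital.example, the challenge and the authenticatorData bytes are constructed sample values.

```python
import base64
import hashlib
import json

# Hypothetical relying party (RP) configuration; constructed example values.
RP_ID = "portal.hospital.example"
RP_ORIGIN = "https://portal.hospital.example"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses in clientDataJSON."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> tuple:
    """Run the binding checks that make a WebAuthn assertion phishing-resistant.

    The authenticator signs authenticatorData || SHA-256(clientDataJSON), and
    clientDataJSON records the origin the browser saw. A proxy on a lookalike
    domain therefore produces a signature over the wrong origin, rejected here
    before the RP ever gets to signature verification (assumed to follow).
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if client_data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:  # UP flag: user presence asserted
        return False, "user presence flag not set"
    return True, "binding checks passed; proceed to signature verification"


def build_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser emits for an origin."""
    return json.dumps({"type": "webauthn.get", "origin": origin, "crossOrigin": False,
                       "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()}).encode()


# Constructed sample: one RP-issued challenge and authenticatorData for our RP ID (UP flag set).
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x01]) + (0).to_bytes(4, "big")

if __name__ == "__main__":
    # Same user, once on the real portal and once lured through a proxy on a lookalike domain.
    for origin in (RP_ORIGIN, "https://portal-hospital.example"):
        print(origin, "->", verify_assertion_binding(build_client_data(origin, CHALLENGE), AUTH_DATA, CHALLENGE))
```

The proxied attempt fails on the origin check even though the challenge, RP ID hash and user-presence flag are all valid, which is what a captured OTP or password can never guarantee.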
Grace Lutheran Communities Targeted by ALPHV/Blackcat Ransomware Gang
Grace Lutheran Communities, a Wisconsin provider of rehabilitation services, independent living, assisted living, and skilled nursing, has suffered a ransomware attack. The incident was discovered on January 22, 2024, and although the investigation is ongoing, Grace Lutheran Communities has confirmed that data of affected individuals was stolen, including names, addresses, medical insurance data, and Social Security numbers.
On February 17, 2024, Grace Lutheran Communities discovered that the ALPHV/Blackcat ransomware gang had posted some of the stolen information on its data leak website. Grace Lutheran Communities stated that it is committed to protecting the privacy and security of patient records and is strengthening network security to prevent similar attacks in the future. Grace Lutheran Communities has not yet confirmed the number of affected individuals.
Washington County Hospital and Nursing Home Suffers Ransomware Attack
Washington County Hospital and Nursing Home has notified 31,125 individuals about a December cyberattack that allowed an unauthorized third party to access their sensitive data. On December 24, 2023, a network disruption made internal systems unavailable. A third-party cybersecurity firm helped secure its systems and conducted a forensic investigation, which found evidence of unauthorized access to files containing patient information. Those files included Social Security numbers and tax forms; however, no reports have been received of attempted or actual identity theft or fraud resulting from the breach.
Washington County Hospital and Nursing Home has increased its security procedures and is giving the affected people complimentary Single Bureau Credit Report/Credit Monitoring/Credit Score Services.
Bay Area Anesthesia Patients Impacted by Cyberattack on Business Associate
Bay Area Anesthesia, located in Clearwater, FL, has been affected by a data security incident at Bowden Barlow Law, a former business associate. The law firm discovered suspicious activity in its systems, and the investigation confirmed that an unauthorized third party had access between November 17, 2023, and December 1, 2023. During that time, files containing the PHI of 15,196 individuals were exfiltrated from its network. Bay Area Anesthesia has notified the affected individuals and offered them free credit monitoring and identity theft protection services for one year.
Cardiothoracic and Vascular Surgeons Warns Patients Concerning December Data Breach
Cardiothoracic and Vascular Surgeons, based in Austin, TX, has announced that unauthorized individuals accessed its systems between October 12, 2023, and October 13, 2023, and exfiltrated files containing patient information. A review of the affected files was completed on January 22, 2024, and confirmed that they contained the PHI of 2,345 individuals, including names, government-issued IDs, and driver's license numbers. Notification letters were sent on February 16, 2024, along with offers of identity theft protection and credit monitoring services.