
Ransomware roundup: Possible Change Healthcare double extortion, LockBit regrouping and more



This week, the specter of a potential second extortion of Change Healthcare, this time by RansomHub, loomed over the healthcare cybersecurity landscape, following the February cyberattack by ALPHV.

Meanwhile, a series of reports about LockBit tells a complex story of international intrigue and potential new threats to healthcare organizations from the group. This week, we also spoke with several cybersecurity leaders about lessons for the healthcare sector.

Double threat for Change Healthcare

Multiple sources say ransomware-as-a-service group RansomHub has claimed possession of 4TB of stolen Change Healthcare data and threatened to make it public unless a ransom is paid.

“Double extortion really seems to be a perfect fit for what they can do,” Joel Burleson-Davis, senior vice president of global network engineering at Imprivata, said via email Friday.

“The other motivation is that these are business models, so if they want payment, they need to make the final deal, like a contractual situation. Double extortion is like a risk/reward scenario for their future business model,” he explained.

Last month, SOCRadar published a RansomHub profile and reported that, unlike other ransomware groups, this group pays ransoms out to its affiliates first, at a 90% rate.

Meanwhile, vx-underground, which describes itself on its X profile as a repository of malware source code information and samples, said on Monday that ALPHV affiliates had moved to RansomHub.

“Change Healthcare and UnitedHealth, you have an opportunity to protect your customer data. The data has not been leaked anywhere and any clear threat intelligence would confirm that the data has not been shared or posted,” the group allegedly posted on Monday, according to a screenshot shared on X by the account Dark Web Informer.

On the same purported RansomHub dark web site, the group added: “We have the data, not ALPHV.”

The Department of Justice announced in December that it had seized ALPHV/Blackcat infrastructure, but the group later claimed responsibility for the Change Healthcare attack in February and said it held medical, insurance and dental records, patient billing and claims data and personally identifiable information, as well as U.S. Army/Navy personnel data.

In March, ALPHV posted what appeared to be a ransom payment, and its site then went offline displaying a second law enforcement seizure notice, which the investigating agencies denied having posted.

Whether this is a related or an unrelated threat actor trying to get UnitedHealth Group to pay again, on top of the more than $22 million in Bitcoin it may already have paid to help restore Change Healthcare’s systems and relieve the strain on providers after the ransomware shutdown, the potential leak of a huge trove of protected health information is alarming for the entire healthcare ecosystem.

Greg Surla told Healthcare IT News on Thursday that the risk of such a large-scale data breach for healthcare organizations is “complex and worrying.”

“The new threat of second-party data exposure reinforces the importance of business continuity planning because it can be difficult to predict when an attack will actually end,” he emphasized via email.

“Furthermore, the latest developments reinforce the need to ensure PHI is protected by strong security controls, consistent with industry best practices, and that any breaches are reported to [U.S. Health and Human Services] and affected individuals without significant delay after the breach.”

Burleson-Davis added that the potential double extortion scenario is “why we need more regulation around third-party access,” and that with robust security programs, such as privileged access management tools, “some of this can be avoided.”

“[UHG] could have done as much investigation as possible, and if they have a second breach that went undetected, then it could actually be a second actor at work. But who is to say there isn’t a third or fourth?” he told Healthcare IT News.

“The fact that there is additional activity that looks like a second breach or a double extortion means they are still mucking about with this and are not out of the woods yet,” he added. “The road to recovery will be longer, more costly and far more impactful.”

“How do they know they’re clean? This creates a huge risk profile.”

SC Media noted in a report on Monday that RansomHub has given UHG and Optum 12 days to pay or risk a leak of the Change Healthcare data.

Researchers shed light on LockBit

In February, the DOJ and the FBI announced that an international law enforcement team, working through a coordinated anti-ransomware campaign called Operation Cronos, had seized the LockBit ransomware gang’s servers and made decryptors available to many organizations across many sectors.

LockBit, a notorious ransomware group known for attacking healthcare organizations (although it apologized to Toronto-based SickKids and provided a decryptor in 2023), does not look like it is going down without a fight.

Last week, Trend Micro published details on how LockBit has fared since the Operation Cronos disruption. The company said that while the group tries to stay active with a new version, it is most likely working on LockBit 4.0 and may recently have released an in-development variant, LockBit-NG-Dev.

After studying the threat actors associated with the group, Trend Micro researchers said they question LockBit’s ability to attract top affiliates, given the group’s “logistical, technical and reputational” failures in 2023.

There was also speculation on Thursday that LockBit was rebranding as DarkVault, according to one news report.

Meanwhile, an anonymous source told Bloomberg on Wednesday that law enforcement investigators have linked pseudonyms used by the LockBit hacking group to specific individuals and are tracking a list of about 200 leads to LockBit associates.

When it announced the seizure of LockBit’s infrastructure, the DOJ also announced indictments in New Jersey and California against Russian nationals Artur Sungatov and Ivan Kondratyev, the latter also known by the cybercriminal handle Bassterlord, for deploying LockBit against multiple victims across the United States.

Sungatov and Kondratyev are not in custody, but they have been sanctioned by the U.S. Treasury, which, according to a February TechCrunch story, means any U.S. business or individual that pays them risks fines and/or criminal prosecution.

Microsoft’s CVEs doubled in April

The Cybersecurity and Infrastructure Security Agency issued an emergency directive last week to address the impact of the Microsoft breach on federal agencies.

“A Russian state-sponsored cyber actor known as Midnight Blizzard stole email correspondence between Federal Civilian Executive Branch agencies and Microsoft through a successful compromise of Microsoft corporate email accounts,” CISA said in an April 2 announcement.

The top U.S. cybersecurity agency said FCEB agencies are required to “analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure.”

It is also a big month for Microsoft Common Vulnerabilities and Exposures, which all sectors, including healthcare IT, should pay attention to.

Tyler Reguly, senior director of security research and development at security company Fortra, said after this week’s Patch Tuesday that the 149 CVEs Microsoft released in April will keep businesses busy.

“We saw 56, 73, and 61 CVEs released by Microsoft in January, February, and March,” he said via email.

“Most notable is that one-third of the vulnerabilities are related to Microsoft Secure Boot or Microsoft SQL Server. Additionally, Azure features, including Microsoft Defender for [Internet of Things], account for 15 of the CVEs patched this month,” he added.

Andrea Fox is a senior editor at Healthcare IT News.

Healthcare IT News is a publication of HIMSS Media.
