
ALPHV/BlackCat hits healthcare after retaliation threat, FBI says

The ALPHV/BlackCat ransomware gang is targeting the healthcare sector following its threats to retaliate against law enforcement interference, according to a joint advisory by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Agency (CISA) and Department of Health and Human Services (HHS) released Tuesday.

A day after the advisory was released, the gang also claimed responsibility for a recent attack on Change Healthcare, saying it stole 6TB of data, BleepingComputer reported. The information reportedly stolen includes Change Healthcare solution source codes and data on thousands of healthcare providers, pharmacies and insurance providers.

“The cyberattack on Change Healthcare, the largest healthcare payment exchange platform, has significantly impacted pharmacies nationwide, prompting the adoption of electronic workarounds. Amid this significant cyberattack on the healthcare sector, this advisory serves as a wake-up call for organizations to prioritize cybersecurity measures,” Andrew Costis, chapter lead of the adversary research team at AttackIQ, told SC Media in an email.

ALPHV/BlackCat struck nearly 70 victims after FBI disruption

Tuesday’s joint advisory on ALPHV/BlackCat is an update to a Dec. 19 advisory that was published in conjunction with a Justice Department announcement that the FBI had disrupted the ransomware-as-a-service (RaaS) group and seized several of its websites.

ALPHV/BlackCat subsequently “unseized” its website and posted a message to its affiliates stating that, due to the FBI’s actions, it would remove its restriction on attacking critical infrastructure. The message specifically named hospitals and nuclear power plants as potential targets.

“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized. This is likely in response to the ALPHV Blackcat administration’s post encouraging its affiliates to target hospitals,” the joint advisory states.

The updated guidance includes the most current known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with ALPHV/BlackCat and its affiliates as of February 2024.

“Healthcare organizations must now prioritize validating their security controls against BlackCat’s TTPs as outlined in the joint advisory leveraging the MITRE ATT&CK framework. By emulating the behaviors exhibited by BlackCat, organizations can assess their security postures and pinpoint any vulnerabilities,” Costis told SC Media.

The U.S. Department of State is currently offering a $10 million reward for information on the identity and location of ALPHV/BlackCat leaders, as well as an additional $5 million for information leading to the arrest or conviction of any of the gang’s affiliates.

ALPHV/BlackCat leverages remote access tools, poses as IT staff

Both the original Dec. 19 advisory and the Feb. 27 update note the use of advanced social engineering and remote access tools by ALPHV/BlackCat.

Affiliates often pose as IT technicians or helpdesk staff to obtain credentials from employees for initial access, then deploy remote access software like AnyDesk, Mega sync or Splashtop to assist with data exfiltration, according to the FBI and CISA.

ALPHV/BlackCat affiliates also use the open-source adversary-in-the-middle attack framework Evilginx2 to obtain multifactor authentication (MFA) credentials, login credentials and session cookies from the victim’s system, and move laterally throughout networks by obtaining passwords from domain controllers, local networks and deleted backup servers, the advisory states.

The group has claimed to use the legitimate red team simulation tools Brute Ratel C4 and Cobalt Strike as beacons to its command-and-control (C2) servers.

The IOCs added to the advisory in the Feb. 27 update include hashes and file names of tools ALPHV/BlackCat is known to use, including its Windows and Linux encryptors and tools designed to disable antivirus software.

Network indicators for ALPHV/BlackCat include C2 server domains and IP addresses, as well as a ScreenConnect Remote Access domain and SimpleHelp Remote Access IP address.

“The detailed TTPs and IOCs provided offer actionable intelligence for detecting breaches and enhancing security measures. The alignment with MITRE ATT&CK framework aids in structure analysis and defense strategy development,” said Callie Guenther, senior manager of cyber threat research at Critical Start, in an email to SC Media.

The guidance recommends securing remote access tools by allowlisting approved remote access programs. This can help block the use of unauthorized remote access software, even when antivirus solutions fail to detect it.
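To show what an allowlist check on remote access software looks like in practice, here is an added example (not code from the advisory or from SC Media) that audits process-creation log lines for the remote access tools named above. The log format, host names, user names, tool list and approved install path are all constructed assumptions for illustration.

```python
"""Audit process-creation events for remote-access tools run outside an allowlist.
Log lines are constructed here in a simplified key="value" format (not a vendor
format); the tool list and approved paths are assumptions for illustration."""
import re

# Remote-access tools named in the advisory coverage, matched by executable stem.
REMOTE_ACCESS_TOOLS = {"anydesk": "AnyDesk", "splashtop": "Splashtop",
                       "screenconnect": "ScreenConnect", "simplehelp": "SimpleHelp",
                       "megasync": "MEGAsync"}
# Hypothetical policy: approved tool -> directory it must be launched from.
ALLOWLIST = {"ScreenConnect": "c:\\program files (x86)\\screenconnect client\\"}
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Turn one key="value" log line into a dict."""
    return dict(FIELD_RE.findall(line))

def identify_tool(image):
    """Name the remote-access tool an image path belongs to, or None."""
    stem = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return next((n for k, n in REMOTE_ACCESS_TOOLS.items() if k in stem), None)

def audit(lines):
    """Return (host, user, tool, image, reason) for every policy violation."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "")
        tool = identify_tool(image)
        if tool is None:
            continue  # not a remote-access tool: out of scope here
        approved_dir = ALLOWLIST.get(tool)
        if approved_dir is None:
            reason = "remote-access tool not on allowlist"
        elif not image.lower().startswith(approved_dir):
            reason = "allowlisted tool launched from unapproved path"
        else:
            continue  # approved tool running from its approved location
        findings.append((ev.get("Host", "?"), ev.get("User", "?"), tool, image, reason))
    return findings
# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r'Host="WS01" User="CORP\jdoe" Image="C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"',
    r'Host="WS02" User="CORP\asmith" Image="C:\Users\asmith\AppData\Local\Temp\AnyDesk.exe"',
    r'Host="WS03" User="CORP\bwong" Image="C:\Users\bwong\Downloads\ScreenConnect.Client.exe"',
    r'Host="WS03" User="CORP\bwong" Image="C:\Windows\System32\notepad.exe"',
]
if __name__ == "__main__":
    for host, user, tool, image, reason in audit(SAMPLE_EVENTS):
        print(f"{host} {user}: {tool} ({reason}) -> {image}")
```

The path check matters because an allowlist by name alone would pass a copy of an approved tool dropped into a user's Downloads or Temp folder.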

Use of FIDO/WebAuthn authentication or public key infrastructure (PKI)-based MFA is also advised due to its resistance to phishing, push bombing and SIM swapping tactics utilized by ALPHV/BlackCat.

“The big recommendation, aside from high-level best practices, is to deploy strong MFA, particularly on remote access systems, to prevent stolen credentials being used to lead to a ransomware incident,” Bambenek Consulting President John Bambenek told SC Media.

Change Healthcare breach may be part of ongoing ransomware trend

While Optum, which runs the Change Healthcare platform, and its parent company UnitedHealth Group have not yet confirmed the ALPHV/BlackCat affiliation, its inclusion on the ransomware gang’s leak site points to a continued trend of healthcare sector targeting.

“The healthcare industry has proven an irresistible target when it comes to ransomware, with publicized attacks in 2023 seeing a 134% increase over the previous year,” BlackFog CEO and Founder Darren Williams told SC Media in an email. “Healthcare organizations possess troves of valuable and sensitive data just ripe for extortion, and unfortunately in many cases the level of cyber defense simply isn’t up to the task of protecting it.”

Security researchers from First Health Advisory and RedSense have said that exploitation of a critical ConnectWise ScreenConnect vulnerability may have been involved in the Change Healthcare attack, although ConnectWise said in a statement that it is not aware of a connection, and BleepingComputer reports that ALPHV/BlackCat affiliates denied using this exploit.

The IOCs included in the FBI, CISA and HHS advisory suggest that ALPHV/BlackCat affiliates have used ScreenConnect for remote access, but this is no indication that any specific vulnerability was used.

SC Media reached out to the FBI, CISA and HHS for more information on ALPHV/BlackCat’s activities and use of remote access software. A CISA spokesperson declined to comment, and no response was received from the FBI or HHS.

SC Media also asked an Optum spokesperson whether the company could confirm ALPHV/BlackCat’s involvement and received no response.

As far as whether the trend of healthcare ransomware breaches will continue, Bambenek told SC Media that mitigation will be an uphill battle due to resource limitations.

“Unfortunately, many healthcare systems have thin IT and cybersecurity teams, if they haven’t just outsourced them entirely. That means for many healthcare organizations, these best practices can’t be implemented because there is no one to do it,” Bambenek said.
