Today, the FBI, CISA, and the Department of Health and Human Services (HHS) issued a joint advisory warning U.S. healthcare organizations about targeted ALPHV/BlackCat ransomware attacks, which the advisory says have been directed specifically at the healthcare sector.
This alert comes after a previous FBI flash alert in April 2022 and another advisory in December 2023, detailing the activities of the BlackCat cybercrime gang since its emergence in November 2021, believed to be a rebrand of the DarkSide and BlackMatter ransomware groups.
The FBI has linked BlackCat to over 60 breaches between November 2021 and March 2022, with the gang reportedly making at least $300 million in ransoms from over 1,000 victims up to September 2023.
The new advisory notes that since mid-December 2023, nearly 70 victims have been listed on the group's leak site, with the healthcare sector the most targeted. The increase in attacks on healthcare organizations is believed to be a response to a post by the ALPHV/BlackCat administrator encouraging affiliates to target hospitals, published after law enforcement's operational actions against the group and its infrastructure in early December 2023.
In light of these threats, the FBI, CISA, and HHS have advised critical infrastructure organizations to take necessary measures to mitigate the risks of BlackCat ransomware and data extortion incidents.
They have also urged healthcare organizations to implement cybersecurity measures that counter the tactics, techniques, and procedures most commonly used against the Healthcare and Public Health (HPH) sector.
The advisory follows a cyberattack on UnitedHealth Group subsidiary Optum, which triggered an ongoing outage affecting Change Healthcare, the largest payment exchange platform in the U.S. healthcare system.
While a UnitedHealth Group vice president did not confirm the BlackCat link, he stated that 90% of impacted pharmacies have switched to new electronic claim processes. Change Healthcare has been holding Zoom calls with healthcare industry partners to provide updates since the attack hit its systems.
Forensic experts investigating the incident have linked the attack to the BlackCat ransomware group, which breached the network using the actively exploited critical ScreenConnect authentication bypass vulnerability (CVE-2024-1709). Although today's advisory does not directly reference the Change Healthcare incident, it shares indicators of compromise confirming that BlackCat affiliates have been targeting vulnerable ScreenConnect servers for initial remote access.
The FBI disrupted the BlackCat gang’s operations in December by taking down its Tor negotiation and leak sites. Despite this, BlackCat has since resumed its activities, switching to a new Tor leak site that law enforcement has not yet taken down. The U.S. State Department offers rewards of up to $10 million for information leading to the identification or location of BlackCat gang leaders and $5 million for tips on individuals associated with the group’s ransomware attacks.
To reduce their exposure to BlackCat, healthcare organizations should promptly patch internet-facing systems (the ScreenConnect flaw above being the current example), segment their networks, require multifactor authentication on remote access, keep tested offline backups, and have an incident response plan ready before a ransomware incident occurs.
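Two of the checks above, patch status and a look for exploitation of the ScreenConnect bypass mentioned earlier, are easy to automate. The script below is an added example written for this page; it is not from the joint advisory or from ConnectWise. It assumes the publicly documented facts that CVE-2024-1709 was fixed in ScreenConnect 23.9.8 and that the bypass is reached by requesting `SetupWizard.aspx` with a trailing path component, and it assumes web access logs in common log format. The log lines are constructed samples (RFC 5737 documentation addresses), and `SAMPLE_LOG`, `is_vulnerable` and `scan_access_log` are names chosen here.

```python
"""Added example: check a ScreenConnect version against the CVE-2024-1709 fix
and scan web access logs for the SetupWizard.aspx bypass pattern.

Assumptions (not from the advisory): the fix shipped in 23.9.8, and the
bypass is a request to SetupWizard.aspx followed by an extra path segment.
"""
import re
from typing import Dict, Iterable, List, Tuple

# First ScreenConnect release containing the fix for CVE-2024-1708/1709.
FIXED_VERSION: Tuple[int, int, int] = (23, 9, 8)

# Common log format; adapt the pattern to your proxy or IIS log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# "/SetupWizard.aspx/<anything>": the bypass shape (setup wizard re-entered).
BYPASS_RE = re.compile(r'/setupwizard\.aspx/', re.I)
# "/SetupWizard.aspx" exactly: legitimate only during the initial install.
SETUP_RE = re.compile(r'/setupwizard\.aspx(?:$|\?)', re.I)

# Constructed sample log lines for demonstration; not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [21/Feb/2024:03:14:07 +0000] "GET /SetupWizard.aspx/ HTTP/1.1" 200 5120',
    '203.0.113.10 - - [21/Feb/2024:03:14:22 +0000] "POST /SetupWizard.aspx/x HTTP/1.1" 302 0',
    '198.51.100.7 - - [21/Feb/2024:08:00:01 +0000] "GET /Host HTTP/1.1" 200 9000',
    '198.51.100.7 - - [21/Feb/2024:08:00:05 +0000] "GET /App_Extensions/ HTTP/1.1" 200 1200',
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a version string such as '23.9.7.8804' to its first three numbers."""
    nums = [int(p) for p in version.strip().split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_vulnerable(version: str) -> bool:
    """True when the installed ScreenConnect version predates the fix."""
    return parse_version(version) < FIXED_VERSION


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per request that touches the setup wizard page."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        path = m.group("path")
        if BYPASS_RE.search(path):
            reason = "SetupWizard.aspx with trailing path (CVE-2024-1709 bypass pattern)"
        elif SETUP_RE.search(path):
            reason = "SetupWizard.aspx requested (expected only during initial install)"
        else:
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "method": m.group("method"),
            "path": path,
            "status": int(m.group("status")),
            "reason": reason,
        })
    return hits


if __name__ == "__main__":
    for v in ("23.9.7.8804", "23.9.8", "24.1.0"):
        print(f"{v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['method']} {hit['path']} "
              f"-> {hit['status']}: {hit['reason']}")
```

A successful (200 or 302) hit on the bypass path on a server whose setup was completed long ago should be treated as a compromise indicator rather than a curiosity: the bypass lets the attacker re-run setup and create an administrative account, so the next step is reviewing the ScreenConnect user store for accounts nobody created, not just patching.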