Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label ALPHV Blackcat Ransomware. Show all posts

Timeline of the Ransomware Attack on Change Healthcare: How It Unfolded

 

Earlier this year, a ransomware attack targeted Change Healthcare, a health tech company owned by UnitedHealth, marking one of the most significant breaches of U.S. health and medical data in history.

Months after the breach occurred in February, a large number of Americans are receiving notification letters stating that their personal and health information was compromised during the cyberattack on Change Healthcare.

Change Healthcare plays a critical role in processing billing and insurance for hundreds of thousands of hospitals, pharmacies, and medical practices across the U.S. healthcare sector. Consequently, the company stores an extensive amount of sensitive medical data on patients in the United States. Through a series of mergers and acquisitions, Change Healthcare has grown into one of the largest processors of U.S. health data, handling between one-third and one-half of all U.S. health transactions.

Key Events Following the Ransomware Attack:

  • February 21, 2024: The first signs of trouble emerged when outages began affecting doctors' offices and healthcare practices, disrupting billing systems and insurance claims processing. Change Healthcare’s status page was inundated with outage notifications impacting all aspects of its business. The company later confirmed a "network interruption related to a cybersecurity issue," indicating a serious problem. In response, Change Healthcare activated its security protocols, shutting down its entire network to contain the intruders. This led to widespread disruptions across the U.S. healthcare sector. It was later revealed that the hackers had initially infiltrated the company’s systems on or around February 12.
  • February 29, 2024: UnitedHealth disclosed that the cyberattack was carried out by a ransomware gang, rather than state-sponsored hackers as initially suspected. The ransomware group, identified as ALPHV/BlackCat, claimed responsibility for the attack, boasting that they had stolen sensitive health information from millions of Americans. ALPHV/BlackCat is a Russian-speaking ransomware-as-a-service gang, whose affiliates break into victim networks and deploy malware developed by the gang's leaders. These affiliates then share the profits from the ransoms paid by victims to regain access to their data
  • March 3-5, 2024: In early March, the ALPHV ransomware gang disappeared after collecting a $22 million ransom from UnitedHealth. The gang’s dark web site, which had claimed responsibility for the attack, was replaced with a notice suggesting that U.K. and U.S. law enforcement had taken it down, although both the FBI and U.K. authorities denied this. Signs pointed to ALPHV fleeing with the ransom in what appeared to be an "exit scam." The affiliate who executed the hack claimed that the ALPHV leadership had stolen the ransom and provided proof of a bitcoin transaction as evidence. Despite the ransom payment, the stolen data remained in the possession of the hackers.
  • March 13, 2024: Weeks into the cyberattack, the healthcare sector continued to experience outages, causing significant disruption. Military health insurance provider TriCare reported that all military pharmacies worldwide were affected. The American Medical Association expressed concern over the lack of information from UnitedHealth and Change Healthcare regarding the ongoing issues. By March 13, Change Healthcare had secured a "safe" copy of the stolen data, enabling the company to begin identifying the individuals affected by the breach.
  • March 28, 2024:The U.S. government increased its reward to $10 million for information leading to the capture of ALPHV/BlackCat leaders. The move was seen as an attempt to encourage insiders within the gang to turn on their leaders, as well as a response to the threat of having a significant portion of Americans' health information potentially published online.
  • April 15, 2024: In mid-April, the affiliate responsible for the hack formed a new extortion group called RansomHub and demanded a second ransom from UnitedHealth. The group published a portion of the stolen health data to prove their threat. Ransomware gangs often use "double extortion," where they both encrypt and steal data, threatening to publish the data if the ransom is not paid. The situation raised concerns that UnitedHealth could face further extortion attempts.
  • April 22, 2024: UnitedHealth confirmed that the data breach affected a "substantial proportion of people in America," though the company did not specify the exact number of individuals impacted. UnitedHealth also acknowledged paying a ransom for the data but did not disclose the total number of ransoms paid. The stolen data included highly sensitive information such as medical records, health information, diagnoses, medications, test results, imaging, care plans, and other personal details. Given that Change Healthcare processes data for about one-third of Americans, the breach is likely to have affected over 100 million people.
  • May 1, 2024:UnitedHealth Group CEO Andrew Witty testified before lawmakers, revealing that the hackers gained access to Change Healthcare’s systems through a single user account that was not protected by multi-factor authentication, a basic security measure. The breach, which may have impacted one-third of Americans, was described as entirely preventable.
  • June 20, 2024: On June 20, Change Healthcare began notifying affected hospitals and medical providers about the data that was stolen, as required by HIPAA. The sheer size of the stolen dataset likely contributed to the delay in notifications. Change Healthcare also disclosed the breach on its website, noting that it may not have sufficient contact information for all affected individuals. The U.S. Department of Health and Human Services intervened, allowing affected healthcare providers to request UnitedHealth to notify affected patients on their behalf.
  • July 29, 2024: By late July, Change Healthcare had started sending letters to individuals whose healthcare data was compromised in the ransomware attack. These letters, sent by Change Healthcare or the specific healthcare provider affected by the breach, detailed the types of data that were stolen, including medical and health insurance information, as well as claims and payment details, which may include financial and banking information.

RansomHub Ransomware Targets VMware ESXi Environments with Specialized Encryptor

 

The RansomHub ransomware operation is now employing a Linux encryptor specifically designed to target VMware ESXi environments during corporate attacks.

Launched in February 2024, RansomHub operates as a ransomware-as-a-service (RaaS) with connections to ALPHV/BlackCat and Knight ransomware. The group has claimed over 45 victims across 18 countries.

Since early May, both Windows and Linux RansomHub encryptors have been confirmed. Recently, Recorded Future reported that the group also possesses an ESXi variant, first observed in April 2024. Unlike the Windows and Linux versions written in Go, the ESXi encryptor is a C++ program, likely evolved from the now-defunct Knight ransomware.

Interestingly, Recorded Future identified a bug in the ESXi variant that defenders can exploit to cause the encryptor to enter an endless loop, thereby evading encryption.

Enterprises widely use virtual machines to manage their servers due to their efficient CPU, memory, and storage resource management. Consequently, many ransomware gangs have developed dedicated VMware ESXi encryptors to target these environments. RansomHub's ESXi encryptor supports various command-line options, including setting execution delays, specifying VMs to exclude from encryption, and targeting specific directory paths. 

The encryptor features ESXi-specific commands such as 'vim-cmd vmsvc/getallvms' and 'vim-cmd vmsvc/snapshot.removeall' for snapshot deletion, and 'esxcli vm process kill' for shutting down VMs. It also disables syslog and other critical services to hinder logging and can delete itself after execution to evade detection and analysis.

The encryption scheme uses ChaCha20 with Curve25519 for key generation and targets ESXi-related files like '.vmdk,' '.vmx,' and '.vmsn' with intermittent encryption for faster performance. Specifically, it encrypts only the first megabyte of files larger than 1MB, repeating encryption blocks every 11MB. A 113-byte footer is added to each encrypted file containing the victim's public key, ChaCha20 nonce, and chunks count. The ransom note is written to '/etc/motd' (Message of the Day) and '/usr/lib/vmware/hostd/docroot/ui/index.html' to make it visible on login screens and web interfaces.

Recorded Future analysts discovered that the ESXi variant uses a file named '/tmp/app.pid' to check for an existing instance. If this file contains a process ID, the ransomware attempts to kill that process and then exits. However, if the file contains '-1,' the ransomware enters an infinite loop, trying to kill a non-existent process, thus neutralizing itself.

This means organizations can create a /tmp/app.pid file containing '-1' to protect against the RansomHub ESXi variant, at least until the RaaS operators fix the bug and release updated versions for their affiliates.

Healthcare in Crosshairs: ALPHV/Blackcat Ransomware Threat Escalates, FBI Issues Warning

 

In a joint advisory, the FBI, CISA, and HHS have issued a stark warning to healthcare organizations in the United States about the heightened risk of targeted ALPHV/Blackcat ransomware attacks. This cautionary announcement follows a series of alerts dating back to April 2022 and underscores the severity of the threat posed by the BlackCat cybercrime gang, suspected to be a rebrand of infamous ransomware groups DarkSide and BlackMatter. 

The advisory highlights that ALPHV Blackcat affiliates have shown a notable focus on the healthcare sector. The FBI, in particular, has linked BlackCat to over 60 breaches within its first four months of activity, accumulating a staggering $300 million in ransoms from over 1,000 victims up until September 2023. Recent developments indicate a shift in BlackCat's targeting strategy, with the healthcare sector becoming a prime victim since mid-December 2023. This shift aligns with an administrator's call for affiliates to target hospitals following operational actions against the group and its infrastructure earlier that month. 

Notably, the warning coincides with a cyberattack on UnitedHealth Group subsidiary Optum, affecting Change Healthcare, a crucial payment exchange platform in the U.S. healthcare system. Although not confirmed, the attack has been linked to the BlackCat ransomware group, and sources suggest the threat actors exploited the ScreenConnect auth bypass vulnerability (CVE-2024-1709) for initial access. 

The joint advisory emphasizes the critical need for healthcare organizations, considered part of the nation's critical infrastructure, to implement robust mitigation measures against Blackcat ransomware and data extortion incidents. Authorities urge these entities to bolster cybersecurity safeguards, specifically tailored to counteract prevalent tactics, techniques, and procedures commonly employed in the Healthcare and Public Health (HPH) sector. This development underscores the evolving nature of cyber threats, especially within the healthcare landscape, and the necessity for proactive measures to safeguard sensitive patient data and critical infrastructure. 

The FBI, CISA, and HHS have shared indicators of compromise to assist organizations in identifying potential threats, emphasizing the importance of collaboration to combat the persistent and evolving threat posed by ransomware groups like BlackCat. As the healthcare sector grapples with escalating cyber risks, the advisory serves as a stark reminder of the urgent need for comprehensive cybersecurity measures, including timely patching of vulnerabilities and robust incident response plans. Organizations are encouraged to stay vigilant, collaborate with cybersecurity agencies, and prioritize the security of their networks and systems to mitigate the impact of ransomware attacks. 

The U.S. State Department's substantial rewards for information leading to the identification or location of BlackCat gang leaders underscore the severity of the threat and the government's commitment to dismantling these cybercriminal operations. In this high-stakes environment, the healthcare industry must remain resilient, continually adapting to emerging threats, and fortifying its defenses against ransomware attacks.

The Rise of RustDoor and ALPHV Ransomware



According to a recent finding, cybersecurity researchers at Bitdefender have identified a concerning development in the growing pool of threats, as a new backdoor named Trojan.MAC.RustDoor is targeting macOS users. This particular threat bears connections to the nefarious ransomware family known as BlackCat/ALPHV, which has traditionally focused on Windows systems.

The Trojan.MAC.RustDoor operates by disguising itself as an update for the widely-used Visual Studio code editor, a tactic commonly employed by cybercriminals to deceive unsuspecting users. What sets this backdoor apart is its use of the Rust programming language, making it a unique and sophisticated threat in the macOS workings. Bitdefender's advisory reveals that various iterations of this backdoor have been active for at least three months.

The malware's operating method involves collecting data from users' Desktop and Documents folders, including personal notes, which are then compressed into a ZIP archive. Subsequently, this sensitive information is transmitted to a command-and-control (C2) server, giving the attackers unauthorised access to the compromised systems.

Bitdefender researcher Andrei Lapusneau, in the advisory, emphasises that while there is not enough information to definitively attribute this campaign to a specific threat actor, certain artefacts and indicators of compromise (IoCs) suggest a possible link to the BlackBasta and ALPHV/BlackCat ransomware operators. Notably, three out of the four identified command-and-control servers have previously been associated with ransomware campaigns targeting Windows clients.

It is worth noting that the ALPHV/BlackCat ransomware, like Trojan.MAC.RustDoor, is coded in Rust, indicating a potential connection between the two threats. Historically, the BlackCat/ALPHV ransomware group has predominantly targeted Windows systems, with a particular focus on Microsoft Exchange Services.

As cybersecurity threats continue to multiply its digital presence, it is crucial for macOS users to remain vigilant and take proactive measures to protect their systems. This latest event underscores the importance of staying informed about potential threats and adopting best practices for withstanding cybersecurity hassles.

The users are advised to exercise caution when downloading and installing software updates, especially from unofficial sources. Employing reputable antivirus software and keeping systems up-to-date with the latest security patches can also serve as effective measures to mitigate the risk of falling short to such malicious activities.

The identification of Trojan.MAC.RustDoor serves as a reminder that threats can manifest in unexpected ways, emphasising the need for ongoing practical methods and collaboration within the cybersecurity community to safeguard users against these potential cyber threats.


Cybersecurity Breach Raises Concerns of Data Exposure




In a recent occurrence of a cyber threat, the infamous ransomware gang known as ALPHV, or Blackcat, has claimed responsibility for breaching the Technica Corporation, a company supporting the U.S. Federal Government. ALPHV announced on the dark web that it successfully stole 300GB of data, including classified and top-secret documents related to U.S. intelligence agencies like the FBI. The group threatened to sell or publicly release the data if Technica did not contact them promptly.

The dark web post included a sample of the stolen data, revealing 29 documents, including contracts from the Department of Defense and personal information of Technica employees. The Daily Dot reached out to Technica for confirmation but received no response at the time of press.

Brett Callow, a threat analyst at Emsisoft, highlighted the seriousness of the situation, emphasising that such incidents should not be viewed in isolation. Exfiltrated data could be combined with information from other attacks, amplifying the impact. ALPHV's recent attack follows the takedown of their dark web homepage by the FBI and global intelligence agencies last month. Despite this, the group easily relaunched its site elsewhere on the dark web.

ALPHV gained notoriety for its previous attack on casinos in Las Vegas, causing significant disruption. The group is also known for targeting critical infrastructure and medical facilities, including plastic surgery clinics. The FBI questioned about the alleged breach and the documents obtained by ALPHV, did not respond to inquiries from the Daily Dot.

Within the field of cybersecurity, the recent breach is causing heightened apprehension due to the potential exposure of classified information. Experts stress the need to view these incidents in a broader context, underscoring that the combination of data from various sources could lead to consequences more significant than initially perceived.

ALPHV's history of targeting diverse sectors underscores the need for heightened cybersecurity measures across industries. As the situation unfolds, it emphasises the evolving challenges organisations face in protecting sensitive information from increasingly sophisticated cyber threats.

The ongoing threat posed by ransomware groups like ALPHV highlights the urgency for organisations to bolster their cybersecurity defences and collaborate with law enforcement agencies to address the growing menace of cyber attacks on critical infrastructure and government institutions.


Henry Schein Data Breach: Healthcare Giant Reports Second Attack in Two Months


U.S. based healthcare company Henry Schein has confirmed another cyberattack this month conducted by threat actor ‘BlackCat/ALPHV’ ransomware gang. The company was previously attacked by the same group in October. 

Henry Schein

Henry Schein is a Fortune 500 healthcare products and services provider with operations and affiliates in 32 countries, with approximately $12 billion in revenue reported in 2022. 

It first made public on October 15 that, following a cyberattack the day before, it had to take some systems offline in order to contain the threat.

On November 22, more than a month later, the company announced that parts of its apps and the e-commerce platform had once more been taken down due to another attack that was attributed to the BlackCat ransomware.

"Certain Henry Schein applications, including its ecommerce platform, are currently unavailable. The Company continues to take orders using alternate means and continues to ship to its customers," the announcement said.

"Henry Schein has identified the cause of the occurrence. The threat actor from the previously disclosed cyber incident has claimed responsibility."

Today, the company released a statement, noting that it has restored its U.S. e-commerce platform and that it is expecting its platforms in Canada and Europe to be back online shortly. 

The healthcare services company is apparently still taking orders through alternate methods and distributing them to customers in the affected areas.

Henry Schein’s BlackCat Breach

Following the breach, the ransomware gang BlackCat added Henry Schein to its dark web leak forum, taking responsibility for breaching the company’s network. BlackCat notes that it has stolen 35 terabytes of the company’s crucial data. 

The cybercrime organization claims that they re-encrypted the company's devices while Henry Schein was about to restore its systems, following a breakdown in negotiations toward the end of October.

This would make the event this month the third time that BlackCat has compromised Henry Schein's network and encrypted its computers after doing so on October 15.

"Despite ongoing discussions with Henry's team, we have not received any indication of their willingness to prioritize the security of their clients, partners, and employees, let alone protect their own network," the threat actors said.

The ransomware group further warned of releasing their internal payroll data and shareholder folders to their collective blog by midnight. 

Initially discovered in November 2021, BlackCat is believed to have rebranded itself from the popular DarkSide/BlackMatter gang. DarkSide has earlier gained global recognition by initiating attacks on Colonial Pipelines, prompting extensive law enforcement probes.

Moreover, the FBI has linked the ransomware group to over 60 breaches, between November 2021 and March 2022, affecting companies globally.  

Japan Aviation Electronics Hit by Cyberattack: Servers Accessed in Security Breach

 


A cyberattack orchestrated by the notorious ALPHV ransomware group has been reported as a direct result of the catastrophic impact on the Japanese Aviation Electronics Industry (JAE). The BlackCat hackers have also been blamed for the attack. 

It was confirmed on November 6 that Japan Aviation Electronics was the victim of a cyberattack on November 2, 2023, which was officially confirmed the following day in an official press release. An external party had gained access to some of the company's servers without authorization from the Internet as a result of finding some servers inaccessible. 

It is unclear what type of data the cybercrooks might have gained access to and how many details the attackers provided about the breach. The ALPHV/Black Cat ransomware gang, which is a gang of cybercriminals, recently added Toyota Aviation Electronics to its list of leak websites, but the company has not yet confirmed whether it is a victim of a ransomware attack or not. 

Recent months have seen a spate of incidents targeting some of the country's biggest companies, with the latest attack occurring shortly after. In the past few months, many companies, including watchmaker Seiko, YKK, pharmaceutical company Eisai, and Japan's largest trading port, have been targeted by cybercriminals for ransomware attacks. 

An incident in January had a major impact on millions of Japanese customers, who had their personal information stolen by insurance firms Zurich and Aflac. The Japanese cybersecurity agency was breached by suspected Chinese hackers earlier this year, potentially allowing them access to sensitive data that had been stored on its networks for nine months and was potentially accessed by the hackers. 

The ALPHV/BlackCat ransomware gang claims to have stolen roughly 150,000 documents from the Japan Aviation Electronics company, including blueprints, contracts, confidential messages, and reports as part of the distribution of its ransomware. Japan Aviation Electronics has found no evidence of data exfiltration from its systems. 

On the Tor network, ALPHV/BlackCat has posted screenshots of allegedly stolen documents from Japan Aviation Electronics on its leaked website. These documents were allegedly stolen from Japan Aviation Electronics within the last 18 months. In response to the cyber-attack against Japan Aviation Electronics, an immediate investigation has been launched to determine the extent of the damage and the efforts being made to restore normal operations. 

There are several systems in the organization that have been temporarily suspended to mitigate the adverse effects of the attack. This has led to some delays in sending and receiving emails, despite the company's diligent efforts to mitigate these effects. 

ALPHV/BlackCat has been active since November 2021 and aims to profit from the ransomware-as-a-service (RaaS) model by exploiting the flaws in the DARPA RR-1 and .NET frameworks to execute ransomware. This first ransomware family written in Rust is likely to be connected to the Darkside gang, which is responsible for Blackmatter. 

As a group, the ALPHV/BlackCat group has been accused of exfiltrating victim data to have access to their customers' and employees' information for extortion purposes, deploying ransomware to encrypt their files, and engaging in extortion tactics such as distributed denial-of-service (DDoS) attacks and harassing them. 

A series of highly targeted cyberattacks have been perpetrated by this group in recent years, and over the years it has become known for its sophisticated and highly targeted attacks. It is common practice for so-called ransomware attacks to encrypt the victim's data and then demand a ransom payment to gain access to the decryption keys for the victim's data. 

Among a growing number of organizations that have been targeted by hackers such as these, the Japanese Aviation Electronics Industry is the latest victim to fall victim. Before this incident, the notorious ALPHV group had announced that Currax Pharmaceuticals had been added to their growing list of victims since it had been compromised by the ALPHV ransomware group. 

A cyberattack on the Institut Technologique FCBA in October 2023 expanded their victim list further. The cyberattack on FCBA was first reported when the ALPHV ransomware group listed the organization's website as a victim, but they added CBS Eastern Europe in the same month to their victim list as well. 

CBS Eastern Europe was the victim of a ransomware attack that was exposed by a hacker behind the ALPHV ransomware group, who complained that the company's response to the breach had not been adequate. 

They claimed responsibility for a cyberattack that took place in February of that year against Reddit, for infiltrations at Canadian software company Constellation Software and intrusions at Western Digital during June and May of 2023. 

Both the company as well as cybersecurity experts are closely monitoring the situation given the ongoing investigation into the cyberattack on Japan Aviation Electronics by the ALPHV ransomware group. Both companies are putting in place safeguards to make sure confidential data and sensitive information are not compromised. 

At the moment, the Japan Aviation Electronics Industry is refocusing on restoring its operations and preventing further interruptions, and the next few days will be crucial for assessing the impact of the attack and taking the necessary steps to prevent future security incidents. 

There is a growing interest among stakeholders in the extent of the breach and the potential impact that it may have on the business and its customers. Further details about this breach are eagerly awaited by stakeholders.