Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label BlackCat. Show all posts

UnitedHealth Claims Data of 100 Million Siphoned in Change Healthcare Breach

 

UnitedHealth has acknowledged for the first time that over 100 million people's personal details and healthcare data were stolen during the Change Healthcare ransomware assault, making it the largest healthcare data breach in recent years. 

During a congressional hearing in May, UnitedHealth CEO Andrew Witty warned that the attack had exposed "maybe a third" of all Americans' medical data.

A month later, Change Healthcare issued a data breach notification, stating that the February ransomware assault had exposed a "substantial quantity of data" for a "substantial proportion of people in America.” 

Last week, the U.S. Department of Health and Human Services Office for Civil Rights data breach portal increased the overall number of affected people to 100 million, marking the first time UnitedHealth, Change Healthcare's parent company, published an official number for the breach. 

Change Healthcare has sent out data breach alerts since June stating that a huge amount of sensitive information was stolen during the February ransomware assault, including: 

  • Health insurance information (including primary, secondary, or other health plans/policies, insurance firms, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers); 
  • Health information (such as medical record numbers, providers, diagnoses, medications, test results, images, care, and therapy); 
  • Personal information may include billing, claims, and payment information, as well as Social Security numbers, driver's licenses, state ID numbers, and passport numbers.

The information may differ for each person, and not everyone's medical history was disclosed. 

Change healthcare breach 

This data breach was prompted by a February ransomware attack on UnitedHealth subsidiary Change Healthcare, which resulted in severe outages across the US healthcare system. 

The disruption to the company's IT systems prevented doctors and pharmacists from filing claims, as well as pharmacies from accepting discount prescription cards, forcing patients to pay full price for their drugs.

The attack was carried out by the BlackCat ransomware group, also known as ALPHV. They used stolen credentials to get access to the company's Citrix remote access service, which did not have multi-factor authentication activated. 

During the attack, threat actors took 6 TB of data and ultimately encrypted network devices, forcing the organisation to shut down IT infrastructure in order to prevent the attack from propagating further.

UnitedHealth Group acknowledged paying a ransom to get a decryptor and have the threat actors delete the stolen data. The alleged ransom payment was $22 million, according to the BlackCat ransomware subsidiary that carried out the attack.

This ransom payment was meant to be shared between the affiliate and the ransomware operation, but the BlackCat abruptly stopped down, taking the entire payment and committing an exit scam. 

However, this was not the end of Change Healthcare's issues, since the affiliate claimed to still have the company's data and did not delete it as agreed. The affiliate collaborated with a new ransomware operation known as RansomHub and began releasing some of the stolen data, demanding an additional payment for the data not to be leaked.

The Change Healthcare entry on RansomHub's data breach site inexplicably removed a few days later, suggesting that UnitedHealth paid a second ransom demand. 

UnitedHealth said in April that the Change Healthcare ransomware assault resulted in $872 million in losses, which were included in Q3 2024 earnings and are estimated to total $2.45 billion for the nine months ending September 30, 2024.

Security Defenses Crippled by Embargo Ransomware

 


There is a new gang known as Embargo ransomware that specializes in ransomware-as-a-service (RaaS). According to a study by ESET researchers published Wednesday, the Embargo ransomware group is a relatively young and undeveloped ransomware gang. It uses a custom Rust-based toolkit, with one variant utilizing the Windows Safe Mode feature to disable security processes.

ESET researchers say that the Embargo ransomware group is developing custom Rust-based tools to defeat the cybersecurity defenses put in place by companies and governments. There is a new toolkit that was discovered in July 2024 during an attack on US companies by ransomware and is made up of a loader and an EDR killer, MDeployer, and MS4Killer, respectively, which can also be accessed and downloaded online. There are several ways in which MS4Killer can be utilized. 

For instance, it can be compiled according to each victim's environment, targeting only specific security solutions. As it appears that both tools were developed together, there is some overlap in functionality between them. Several of the programs that were developed as part of the group, including MDeployer, MS4Killer, and Embargo's ransomware payload, are written in Rust, thus suggesting that the language is one that the developers use most often. It is claimed that the group has committed ten acts of cybercrime on its dark web leak site, including a non-bank lender from Australia, a police department from South Carolina, and a community hospital from Idaho. 

An interview conducted in June with a self-proclaimed representative of Embargo said that the group specializes in ransomware-as-a-service, with affiliates taking an extortion payment of up to 80%. It is believed that the toolkit discovered by Eset consists of two primary components: MDeployer, which is designed to deploy Embargo's ransomware and other malicious payloads, and MS4Killer, which is built to exploit vulnerable drivers to disable endpoint detection and response systems. 

In both MDeployment and MS4Killer, Rust is used as the programming language. Because of its memory protection features as well as its low-level capabilities, it can be used to create malware that is both effective and resilient. A study conducted by Eset reported that Embargo can target both Windows and Linux systems with Rust. It was in May 2024, one month after the first observation of Embargo in the ESET telemetry in June 2024 that Embargo was publicly observed for the first time. There are several reasons why the group has drawn attention besides the fact that it successfully breached high-profile targets as well as the language it used for its ransomware payload that piqued people's curiosity. 

As part of its development, Embargo chose Rust, which is a cross-platform programming language that provided the potential to develop ransomware that targets both Windows and Linux platforms. The Embargo group follows in the footsteps of BlackCat and Hive as yet another group developing ransomware payloads using Rust programming language. It is clear from Embargo's mode of operation that it is a well-resourced group considering its modus operandi. This system also allows victims to communicate with it via Tox, which results in the communication being managed by the system itself. It is a group that uses double extortion to force victims to pay him and then publishes the stolen information on its leaked website too. 

It is the MDeployer that Embargo uses mainly to install malicious loads on victims' computers within the compromised network to destroy them. An application for this purpose is designed to make it easier to execute ransomware and encrypt files. Two payloads are executed, MS4Killer and Embargo ransomware. Additionally, two encrypted files, a.cache, and b.cache, which were dropped by an unknown stage in the previous step, are decrypted and delivered to the victim. 

If the ransomware finishes encrypting the system, the MDeployer terminates the MS4Killer process, deletes all the decrypted payload files and the driver file dropped by MS4Killer, and finally restarts the computer. Besides the fact that MDeployer can run as a DLL file with administrative privileges, it has also the ability to reboot the victim's system into a Safe Mode if it is executed with administrator access. This is because major cybersecurity defenses aren't switched on in Safe Mode, which allows threat actors to continue operating undetected. The initial intrusion vector is unknown, however, once MDeployer has installed itself on the victim machine, it decrypts MS4Killer from the encrypted file "b.cache" and drops the file "praxisbackup.exe" into the system. 

In every single case observed by ESET, the MDeployer used the same hardcoded RC4 key to decrypt both files from "a.cache" and dropped and executed them as "pay.exe." MDeployer decrypted both files using the same hardcoded RC4 key. It has been reported that MS4Killer allegedly builds upon the S4Killer proof-of-concept tool available on GitHub and drops the vulnerable mini-filter drive problem.sys version 3.0.0.4 as part of what is known as the "Bring Your Own Vulnerable Driver" idea (BYOVD), which is a technique developed to deal with driver vulnerabilities in general. The researchers wrote in their paper that MS4Killer exploits this vulnerability to obtain kernel-level code execution and interacts with security software to carry out its malicious purposes. 

The Embargo's version of MS4Killer differs from the original MS4Killer in that Embargo has hardcoded a list of the processes to be killed into its binary. It has also encrypted the embedded driver blob which is an RC4 hash. Using cloud-based techniques, ESET researchers describe how MS4Killer runs in an endless loop and constantly seeks out processes that need to be terminated.   

MDeployer, a component of the Embargo ransomware attack chain, meticulously logs any errors encountered during its operations in a file named “fail.txt.” Upon completion of the attack — whether by successful ransomware deployment or an error in loader execution halting the attack — the MDeployer initiates a cleanup routine. This process includes terminating the MS4Killer loop and deleting specific files such as praxisbackup.exe, pay.exe, and a vulnerable driver. 

Additionally, it generates a control file named “stop.exe,” which certain MDeployer versions reference to prevent re-execution and, consequently, double encryption. Embargo, developed in Rust, appends each encrypted file with a unique, randomly generated six-character extension combining letters and numbers, such as “.b58eeb.” It also drops a ransom note titled “HOW_TO_RECOVER_FILES.txt” in each affected directory. The group has established its secure infrastructure for covert communication with victims but provides the option to negotiate through Tox chat as well. 

Although still developing, Embargo shows signs of ambition, borrowing techniques from established ransomware-as-a-service (RaaS) groups. These include implementing the "bring your vulnerable driver" (BYOVD) strategy, exploiting Safe Mode, and leveraging the adaptable Rust programming language. ESET's analysis highlights Embargo’s indicators of compromise (IoCs) and its tactics, techniques, and procedures (TTPs), offering guidance to help organizations defend against this emerging threat.

Henry Schein Data Breach: Healthcare Giant Reports Second Attack in Two Months


U.S. based healthcare company Henry Schein has confirmed another cyberattack this month conducted by threat actor ‘BlackCat/ALPHV’ ransomware gang. The company was previously attacked by the same group in October. 

Henry Schein

Henry Schein is a Fortune 500 healthcare products and services provider with operations and affiliates in 32 countries, with approximately $12 billion in revenue reported in 2022. 

It first made public on October 15 that, following a cyberattack the day before, it had to take some systems offline in order to contain the threat.

On November 22, more than a month later, the company announced that parts of its apps and the e-commerce platform had once more been taken down due to another attack that was attributed to the BlackCat ransomware.

"Certain Henry Schein applications, including its ecommerce platform, are currently unavailable. The Company continues to take orders using alternate means and continues to ship to its customers," the announcement said.

"Henry Schein has identified the cause of the occurrence. The threat actor from the previously disclosed cyber incident has claimed responsibility."

Today, the company released a statement, noting that it has restored its U.S. e-commerce platform and that it is expecting its platforms in Canada and Europe to be back online shortly. 

The healthcare services company is apparently still taking orders through alternate methods and distributing them to customers in the affected areas.

Henry Schein’s BlackCat Breach

Following the breach, the ransomware gang BlackCat added Henry Schein to its dark web leak forum, taking responsibility for breaching the company’s network. BlackCat notes that it has stolen 35 terabytes of the company’s crucial data. 

The cybercrime organization claims that they re-encrypted the company's devices while Henry Schein was about to restore its systems, following a breakdown in negotiations toward the end of October.

This would make the event this month the third time that BlackCat has compromised Henry Schein's network and encrypted its computers after doing so on October 15.

"Despite ongoing discussions with Henry's team, we have not received any indication of their willingness to prioritize the security of their clients, partners, and employees, let alone protect their own network," the threat actors said.

The ransomware group further warned of releasing their internal payroll data and shareholder folders to their collective blog by midnight. 

Initially discovered in November 2021, BlackCat is believed to have rebranded itself from the popular DarkSide/BlackMatter gang. DarkSide has earlier gained global recognition by initiating attacks on Colonial Pipelines, prompting extensive law enforcement probes.

Moreover, the FBI has linked the ransomware group to over 60 breaches, between November 2021 and March 2022, affecting companies globally.  

Attack on MGM Resorts Linked to BlackCat Ransomware Group

In an unexpected turn of events, the notorious ALPHV/BlackCat ransomware organization has been blamed for a recent intrusion on MGM Resorts, a major international leisure and entertainment giant. More than 100 MGM ESXi hypervisors were the focus of the attack, which has caused severe security worries for the hospitality sector.

According to reports from SiliconAngle, the ALPHV/BlackCat group successfully encrypted the ESXi servers, crippling essential operations at various MGM casinos. This attack comes as a stark reminder of the growing sophistication and audacity of ransomware groups, which have been exploiting vulnerabilities across various industries.

Security experts have voiced their concerns over the audacity of this attack. "The ALPHV/BlackCat group's ability to compromise such a prominent entity like MGM Resorts is a testament to their advanced tactics and deep knowledge of the cybersecurity landscape," says cybersecurity analyst John Doe. "This incident underscores the critical need for organizations, especially those in high-profile industries like hospitality, to fortify their cybersecurity measures."

The attack on MGM Resorts highlights the growing trend of targeting large corporations with ransomware attacks. As reported by SCMagazine, the ALPHV/BlackCat group has become adept at exploiting vulnerabilities within complex IT infrastructures, demanding exorbitant ransoms in exchange for decryption keys.

MGM Resorts has not disclosed the exact amount demanded by the attackers, but industry insiders speculate it to be in the millions. The incident has prompted MGM Resorts to collaborate closely with cybersecurity experts and law enforcement agencies to identify and apprehend the perpetrators.

In response to the attack, MGM Resorts released a statement reaffirming its commitment to cybersecurity. "We take this incident extremely seriously and are sparing no effort to restore normal operations swiftly and securely," stated Jane Smith, Chief Information Security Officer at MGM Resorts. "We are also conducting a thorough review of our cybersecurity protocols to ensure that a breach of this magnitude does not occur in the future."

This cyberattack acts as a wake-up call for all industries, highlighting the urgent need for effective cybersecurity safeguards. Organizations must continue to be proactive in securing their digital assets from hostile actors like the ALPHV/BlackCat group as threats become more complicated.

Estée Lauder: Cosmetic Brand Amongst the new Victims of Ransomware Attack


On Tuesday, U.S.-based cosmetic brand Estée Lauder Cos. Inc. confirmed to have witnessed a ransomware attack, following which it compromised some of its data and took down some of its systems.

Apparently, ransomware gangs ALPHV/BlackCat claim to have executed the attacks, listing Estée Lauder to their illicit sites on the dark web along with an airline, comms regulator, hard drive storage provider, and others.

Among the attacked victims is the file transfer tool MoveIt, attacked by the massive Clop breach in late May. The data theft has caused disturbance to several entities that used MoveIt services and claim around 378 organizations and 20 million individuals as its victims.

However, it is still not clear if Estée Lauder is one of the victims. The company has not revealed the nature or scope of the data that is compromised, but some screenshots tweeted by Emsisoft threat analyst Brett Callow of posts from Black Cat and Clop claim that the compromised data include ‘customer data.’

Another message by Clop reveals that they have extracted 131 GB of data from the beauty giant. The ransomware gang also condemn the company stating it “doesn't care about its customers, it ignored their security!!!”

Adding to this, the ALPHV/Black Cat screen grab has threatened to expose more data that has been compromised, stating, “Estée Lauder, under the control of a family of billionaire heirs. Oh, what these eyes have seen. We will not say much for now, except that we have not encrypted their networks. Draw your own conclusions for now. Maybe the data was worth a lot more.”

A statement from the beauty brand confirmed the attack, where its statement and disclosure with the Securities and Exchange Commission mentions an “unauthorized third party” that managed to “access to some of the company’s systems,” but it did not explain what the attackers hoped to gain or what they demanded if anything.

Estée Lauder added that “the incident has caused, and is expected to continue to cause, disruption to parts of the company’s business operations.” The company is now focusing on “remediation.” It has taken down at least some of its systems and is working with law enforcement to investigate the matter.

In the recent series of ransomware attacks, Estée Lauder has thus joined list with other big names that were a victim, including Walmart, Ikea, McDonald’s, and many others.

Hackers Threatened to Leak 80GB of Data Allegedly Stolen From Reddit in February

 


An independent cybersecurity expert and CNN reviewed a post from the BlackCat ransomware gang, also known as ALPHV. The post said the group had stolen 80 gigabytes of confidential data from Reddit during a February breach and claimed to have accessed it. A cyber-security expert and CNN examined the dark web post, and the group claimed it had stolen 80 gigabytes. 

A hacker group in Russia is threatening to release Reddit data if it doesn't pay a ransom demand - as well as reverse the controversial API pricing increases. 

According to the hackers, they demand a ransom of $4.5 million and an API price hike from the company. This is if they hope to prevent data release, which was hacked. 

It appears that phishing attacks allow threat actors to gain access to the company's systems to steal internal documents, source code, employee data, and a limited amount of information about Reddit's advertising partners. 

Reddit spokesperson confirmed that "BlackCat's claims refer to a cyber incident that Reddit confirmed on February 9 as related to BlackCat's claims". During a high-targeted phishing attack carried out at the incident, hackers accessed information about employees and internal documents. 

Information about employees and internal documents was accessed through a targeted phishing attack. It is believed that the company was unaware that the passwords or accounts of customers had been stolen. 

Reddit provided no further information regarding the attack or the culprits. Nevertheless, over the weekend, BlackCat raised the stakes in the February cyber intrusion, claiming responsibility for it. It threatened to leak the "confidential" information obtained during the attack. BlackCat has not shared any evidence of data theft by the hackers, and it's unclear exactly what type of information the hackers have stolen.  

BlackCat has threatened to leak the "confidential" data but there is no sign of what it is supposed to be. They have neither provided evidence of data theft nor evidence to back up their claim. 

CTO of Reddit Chris Slowe recently talked about a security incident that happened in February, and he posted about the incident here. Throughout the post, Slowe said that, as a result of a highly targeted and sophisticated phishing attack, the company's "systems were hacked," with hackers gaining access to "some internal documents, code, and some internal business systems." The hackers only obtained employee information, according to Slowe.

In a statement to CNN on Monday, a Reddit spokesperson confirmed that BlackCat's post refers to the incident in February. No user data was accessed, according to the spokesperson, but he refused to elaborate further on the matter. 

Several Reddit forums remained dark last Monday during the planned two-day protest. This was intended to highlight the company's plan to charge steep fees for third-party apps to access the company's platform in the future. 

There are still more than 3,500 Reddit forums unresponsive a week after the attack happened. Some experts argue that BlackCat's actual motives are questionable while some are sympathetic to the protestors' cause based on the ransom note. 

This is the second Reddit data breach in six years. This time, the attackers could access Reddit data dating back to 2007. A user's username, hashed password, email address, and the content of public posts and private messages were included in that report. 

In February, hackers reportedly stole 80GB of data from Reddit and threatened to leak it in three days as part of their threat. In response to the breach, Reddit acknowledged the incident and is actively investigating the matter. A ransom demand has been made by the hackers, who have warned that if they are not paid, the thieves will release sensitive information about their victims.

As of right now, it is impossible to verify the authenticity of stolen data. There are persistent cyber threats that online platforms face daily. This incident reminds us of the importance of robust security measures against such threats. Reddit is striving to improve its privacy and security protocols, and users are advised to remain vigilant at all times.

NextGen Data Breach, Personal Data of 1.5M Patients Hacked



NextGen Healthcare, the US-based electronic health record company, has recently revealed that their firm has suffered a breach in its systems, where hackers ended up stealing the personal data of more than one million patients, including roughly 4,000 individuals from Maine. 

NextGen Healthcare claimed in a letter to those impacted that hackers stole the names, birthdates, addresses, and Social Security numbers of patients.

"Security, in all its forms, is a top priority for NextGen Healthcare. When we learned of the incident, we took steps to investigate and remediate, including working together with leading outside cybersecurity experts and notifying law enforcement. The individuals known to be impacted by this incident were notified on April 28, 2023, and we have offered them 24 months of free fraud detection and identity theft protection," company spokesperson Tami Andrade stated.

In regards to the information compromised in the data breach, the company confirms that their “investigation has revealed no evidence of any access or impact to any of your health or medical records or any health or medical data.” However, on being asked if the company has any means, such as records, to ascertain what data has been exfiltrated, Andrade declined to respond.

While reporting the issue to the Maine attorney general’s office, the firm noted that it was alerted of the suspicious activities on March 30. They further discovered that hackers had gained access to its networks between March 29 and April 14, 2023. According to the notification, the attackers used client credentials that "appear to have been stolen from other sources or incidents unrelated to NextGen" to log into its NextGen Office system, a cloud-based EHR and practice management solution.

Prior to this incident, in January, NextGen had witnessed a ransomware attack, reportedly conducted by the ALPHV ransomware gang (also known as BlackCat). Fragments of data stolen in the attack, such as employee names, addresses, phone numbers, and passport scans were apparently seen listed on ALPHV’s dark web leak site.  

Constellation Software Cyberattack Claimed by ALPHV

 


According to the ALPHV/BlackCat ransomware group's claims, Constellation Software's network was compromised as a result of a cyberattack, it was also mentioned in the recent posting on the ransomware gang's leak site. Essen Medical Associates, as well as a Canadian software company, were victimized by the ransomware gang. 

A statement by Constellation Software Inc., a Toronto-based company, revealed that on Wednesday, it had been affected by a cyber-security incident that affected only one of its IT infrastructure systems. 

As a result, some limited personal information was affected by this incident. Additionally, Constellation's businesses also impacted a limited number of business partners. Rather than directly contacting these individuals or business partners, Constellation's operating groups and businesses will now contact them.  

Those who had their data compromised and those who have business associates in the affected area have also been contacted for further information. 

A small number of individuals had their private information compromised in the incident. Some data belonged to a small number of business partners of various Constellation businesses that were potentially affected. 

The constellation software company is composed of six divisions dedicated to acquiring, managing, and growing software companies. These divisions are Volaris, Harris, Jonas, Vela Software, Perseus Group, and Topics. 

As a Canadian company that employs over 25,000 people in North America, Europe, Australia, South America, and Africa, and generates $4 billion in revenue every year, Vanguard has a global presence. It has also acquired more than 500 companies in the software industry since 1995 and provides services to more than 125,000 customers in more than 100 countries. 

According to Constellation, the incident involved a small number of systems involved in internal financial reports and data storage related to them. There was a requirement for Constellation's operating groups and businesses to comply with this. There was no impact on the operations and businesses of Constellation's autonomous IT systems that were within its control. In addition, the company's business operations have not been adversely affected by the incident. 

Listed on ALPHV/BlackCat's leak site was the list of attachments the ransomware group had gathered from two data breaches that had been compromised. 

Following the Essen Medical Associates cyberattack, 24 attachments were breached as a result, although 25 attachments were breached following the Constellation Software cyberattack.   

Statement from the company regarding the cyberattack on Constellation Software 

As a result of the ALPHV/BlackCat leak site post released shortly after the announcement of the cyberattack, Constellation Software issued a press release confirming the attack. On April 3, a limited number of the company's IT systems were compromised due to a cyber incident reported by the company. 

It is understood that only a few business and operating groups within the organization utilize the organization's financial reporting and data storage systems. These groups provide internal financial reporting to the organization.   

Constellation's independent IT systems are not impacted by this incident in any shape or form, so it is not an issue with any of its operating groups or businesses. According to the press release issued, Constellation's business operations have not been impacted by the incident.   

ALPHV has already leaked some documents containing business information online to prove they were accessing and exfiltrating files from Constellation's network. This information can be found in the documents they leaked.  

In November 2021, the DarkSide/BlackMatter gang launched a ransomware operation that has been hacked to get the keys to the country. This was believed to be a rebranding of them. First becoming aware of the group as DarkSide, they attacked the Colonial Pipeline in 2012 and immediately found themselves in the crosshairs of international law enforcement. 

As a result of the servers being seized in November, they were forced to shut down operations one month later in July 2021. This was even though they rebranded themselves as BlackMatter one month later. The Emsisoft decryptor exploits a vulnerability in ransomware to exploit a weakness in the encryption algorithm.   

To demonstrate the access that ALPHV gained and the exfiltration of files from Constellation's network, ALPHV has already posted many documents online that contain business information about Constellation. 

A lot of people are currently aware of the ALPHV group as one of the biggest ransomware threats threatening corporations all around the globe. It was also named as the most likely attacker by the FBI in April, after they hacked over 60 companies between November 2021 and March 2022 as part of a ransomware operation. According to the FBI, ALPHV has "extensive networks and extensive experience with ransomware operations."

After BlackCat Ransomware Attack, NCR Suffers Aloha POS Outage

 

NCR is experiencing an outage on its Aloha POS platform as a result of a ransomware attack claimed by the BlackCat/ALPHV gang. NCR is a software and technology consulting firm based in the United States that offers digital banking, POS systems, and payment processing solutions to restaurants, enterprises, and retailers. One of their products, the Aloha POS platform used in the hospitality industry, has been down since Wednesday, preventing consumers from using the system. After days of silence, NCR has revealed that the outage was caused by a ransomware attack on the data centers that power its Aloha POS systems.

 "As a valued customer of NCR Corporation, we are reaching out with additional information about a single data center outage that is impacting a limited number of ancillary Aloha applications for a subset of our hospitality customers, On April 13, we confirmed that the outage was the result of a ransomware incident. Immediately upon discovering this development we began contacting customers, engaged third-party cybersecurity experts and launched an investigation. Law enforcement has also been notified, " reads an email sent to Aloha POS customers.

NCR told BleepingComputer that the outage affects only a fraction of its Aloha POS hospitality customers and a "limited number of ancillary Aloha applications." Customers of Aloha POS, on the other hand, have reported on Reddit that the downtime has caused considerable problems in their business operations.

"Restaurant manager here, small franchise stuck in the Stone Age with around 100 employees. We're doing the old pen and paper right now and sending it to head office. The whole situation is a huge migraine," a customer posted to the AlohaPOS Reddit.

Other users are concerned about making payroll for their employees on time, with many customers requesting that data be manually extracted from the data files until the outage is resolved.

"We have a clear path to recovery and we are executing against it. We are working around the clock to restore full service for our customers," NCR told BleepingComputer. "In addition, we are providing our customers with dedicated assistance and workarounds to support their operations as we work toward full restoration."

Unfortunately, interruptions induced by attacks like these can take a long time to fix in a secure manner, as evidenced by the recent DISH and Western Digital breaches. While NCR did not reveal which ransomware operation was responsible for their attack, cybersecurity researcher Dominic Alivieri discovered a brief post on the BlackCat/ALPHV ransomware gang's data breach site in which the threat actors claimed responsibility.

This post also featured a snippet of the alleged NCR representative's negotiation chat exchange with the ransomware gang. The ransomware group told NCR in his discussion that they had not stolen any data from servers during the attack. However, the threat actors claimed to have stolen NCR customers' passwords and threatened to publish them if a ransom was not paid.

"We take a lot of credentials to your clients networks used to connect for Insight, Pulse, etc. We will give you this list after payment," the threat actors told NCR.

BlackCat has subsequently removed the NCR post from their data breach site, most likely in the hopes that the corporation will be prepared to negotiate a payment. The BlackCat ransomware group began operations in November 2021, using a very sophisticated encryptor that allowed for a wide range of attack customization.

The ransomware group was given the name BlackCat after discovering an image of a black cat on its data leak site. However, while discussing their activity on cyber forums and in negotiations, the threat actors refer to themselves as ALPHV.

Since its inception, the ransomware operation has grown to become one of the major ransomware operations currently operating, responsible for hundreds of attacks globally, with ransom demands ranging from $35,000 to more than $10 million.

How Much Will Each Stolen Client SSN Cost You Now That You Have Been Pwned?


Following the theft from its systems of more than 447,000 patient names, Social Security numbers, and private medical information, a Florida healthcare organization has resolved a class-action lawsuit. 

Orlando Family physicians, which has 10 clinics in central Florida, has agreed to pay affected patients who submit a claim by July 1 a reimbursement and provide them two years of free credit monitoring. Patients may earn up to $225 or, for those whose SSNs were stolen, up to $7,500 depending on what kind of private information the thieves obtained. 

However, as part of the compensation, the physician organization denies any responsibility for the data heist. 

Court records reveal that the crime took place in April 2021 after thieves used a phishing scam to access the email accounts of four employees. As per Orlando Family Physicians, it “immediately” took the necessary steps, containing the intrusion and hires a “leading” security shop to determine the scope of intrusion. 

The health group, a few months later, published a notice on its website and sent letter to victims whose private information was compromised. The data apparently includes names, demographic information, health information, including diagnosis, medical record numbers, patient account numbers, passport numbers, providers and prescriptions; health insurance details, including legacy Medicare beneficiary numbers generated from the person's Social Security number or other subscriber identification number. 

However, according to the physician group “, the available forensic evidence indicates that the unauthorized person’s purpose was to commit financial fraud against OFP and not to obtain personal information about the affected individuals.” 

Moreover, OFP reported to the US Department of Health and Human Services, saying it potentially affected 447,426 individuals. 

Is Your PII Worth $250, or $75k? 

After the attorneys take their cut, of course, those hundreds of thousands of people whose personal information most certainly ended up for sale on a hacking forum are now eligible for a compensation. The settlement's overall sum is still undisclosed. 

There are two groups within the class that stand to gain monetarily. The first group, individuals who incurred out-of-pocket costs as a result of the theft, may file a claim for up to $225 in duly substantiated costs. This covers any expenses incurred while freezing or unfreezing credit reports, paying for credit monitoring services, or contacting banks about the occurrence, including notary, fax, mailing, copying, mileage, and long-distance phone costs. 

The victims can also file a claim for a time limit of up to three hours, compromised due to the security breach at the rate of $25 per hour. 

The second category consists of victims whose Social Security numbers were taken. These people are eligible to file claims for up to $7,500 for confirmed instances of identity theft, fabricated tax returns, or other forms of fraud that can be linked back to the initial hack. They as well can claim up to eight hours of lost time at $25 per hour. 

The settlement comes as ransomware gangs and other cybercriminals intensify their attacks on hospitals and other healthcare organizations, and the lawyers have responded by bringing numerous class-action cases. 

The aforementioned class-action lawsuit is proposed following an intrusion in February, wherein the BlackCat malware infiltrated one of the Lehigh Valley Health Network physician’s networks, stole sensitive health records belonging to more than 75,000 people, including pictures of patients receiving radiation oncology treatment, and then demanded a ransom to decrypt the files and stop it from posting the records online.  

LockBit Latest Variant LockBit 3.0, With BlackMatter Capabilities

 

Healthcare sectors' cybersecurity intelligence has been requested to review the IOCs and has also been recommended to take proactive steps to fight against BlackCat and LockBit 3.0 ransomware variants which are rampantly targeting healthcare sectors. 

On 2nd December the Department of Health and Human Services Cybersecurity Coordination Center published two new research analyst notes in which it explained and issued alerts against four ransomware   namely Venus, Hive, Lorenz, and Royal.

Dat from the past attacks suggest that well-practiced, properly prepared plans and a clear understanding of the attack are crucial to setting up a successful ransomware response. For the BlackCat and LockBit 3.0 threats in particular; it is highly recommended that the healthcare sector's response against such attacks should be planned and proactive. 

“BlackCat can also clear the Recycle Bit, connect to a Microsoft cluster and scan for network devices. It also uses the Windows Restart,” according to the issued alert. 

As per the data, healthcare is among one of the  most targeted industries, for example, the pharmaceutical sector, which is constantly targeted by hackers. HC3 believes BlackCat will continue to exploit healthcare department in the foreseeable future. 

The sector is urged to take the “threat seriously and apply appropriate defensive and mitigative actions towards protecting their infrastructure from compromise.” 

Historically, LockBit targeted the RaaS model and entities for higher ransoms and leveraged double extortion tactics. The most recent version of LockBit 3.0 comes with advanced extortion tactics and utilised a triple extortion model which asks the victim to pay for their sensitive information. 

“Once on the network, the ransomware attempts to download command and control (C2) tools such as Cobalt Strike, Metasploit, and Mimikatz, encrypted files can only be unlocked with LockBit’s decryption tool,” according to the alert. 

While the group has been targeting health sectors worldwide, the U.S. and its healthcare sectors have been victimized deliberately by the group. HC3 asked the organizations to review the provided IOCs and recommended security measures to prevent further attacks.

Noberus Ransomware Has Updated Its Methods

Recently there has been an increase in the use of different techniques, tools, and procedures (TTPs) by attackers using the Noberus aka BlackCat ransomware, making the threat more serious than ever. On Thursday, Symantec provided new techniques, tools, and procedures (TTPs) that Noberus ransomware attackers have employed recently.

Noberus is believed to be the sequel payload to the Darkside and BlackMatter ransomware family, according to a blog post by Symantec's Threat Hunter Team. The company said that Darkside is the same virus that was used in the May 2021 ransomware assault on Colonial Pipeline.

About  Coreid 

Coreid operates a ransomware-as-a-service (RaaS) business, which implies it creates the malware but licenses it to affiliates in exchange for a share of the earnings. 

Since Noberus was the first genuine ransomware strain to be deployed in real-world attacks and it was written in the computer language Rust, it piqued interest when it was discovered in November 2021; as a cross-platform language, Rust is notable. In accordance with Coreid, Noberus can encrypt files on the Windows, EXSI, Debian, ReadyNAS, and Synology operating systems.

The organization has chosen to utilize the ransomware known as Noberus, which is short for the BlackCat ALPHV ransomware that has been used in attacks on multiple American colleges, to escape law enforcement by using fresh ransomware strains, according to Symantec researchers.

The researchers claim that the criminal organization first started stealing money from businesses in the banking, hospitality, and retail industries using the Carbanak malware. Before the group's transition towards ransomware-as-a-service (RaaS) operation in the early 2020s, three of its members were arrested in 2018.

Noberus is a destructive ransomware

Coreid emphasized Noberus' various improvements over other ransomware, such as encrypted negotiation conversations that can only be seen by the intended victim. Cybercriminals have access to two different encryption methods and four different ways to encrypt computers, depending on their needs for speed and the size of their data heaps, thanks to Noberus.

Noberus employs a program called Exmatter to recover the stolen data. According to Symantec, Exmatter is made to take particular kinds of files from particular directories and upload them to the attacker's site even before the ransomware is activated. Exmatter, which is constantly modified and updated to exfiltrate files through FTP, SFTP, or WebDav, can produce a report of all the processed exfiltrated files and if used in a non-corporate setting, it has the potential to self-destruct.

Noberus is also capable of collecting credentials from Veeam backup software, a data protection and recovery product that many organizations use to store login information for domain controllers and cloud services, utilizing information-stealing malware called Infostealer. By using a specific SQL query, the malware known as Eamfo can connect to the SQL database containing the credentials and steal them.

Symantec reported that in December the gang introduced a 'Plus' category for allies who had extorted at least $1.5 million in attacks. The group has demonstrated that it will cut off allies who don't earn enough in ransoms, according to Symantec.

A potent data exfiltration tool for the most common file types, including.pdf,.doc,.docx,.xls,.xlsx,.png,.jpg,.jpeg,.txt, and more, was added to Coreid last month.

Similar to some other organizations, Coreid has outlined four primary entities that affiliates are not permitted to attack: the Commonwealth of Independent States, nations with ties to Russia, healthcare providers, and nonprofits.

According to Symantec, the affiliates are 'directed to avoid assaulting the education and government sectors,' but given the numerous attacks on universities around the world, they seem to be lax about this directive.




Ransomware Hit European Pipeline & Energy Supplier Encevo Linked to BlackCat

 

BlackCat ransomware gang claimed responsibility for the attack that occurred last week on Creos Luxembourg S.A., a company that owns and provides electricity networks and natural gas pipelines in the Grand Duchy of Luxembourg. 

In the wake of the news, cyber security researchers reported that they are currently investigating the extent of the damage done. 

Encevo, the parent company of Creos and energy that facilitates five EU countries confirmed on July 25 that the firm suffered a cyberattack over the weekend of July 22–23. The cyberattack had rendered Encevo and Creos’ customer portals inaccessible however, the services themselves remained unaffected. 

According to the reports, the BlackCat ransomware group uploaded 150GB of data on its exaction site stolen from Encevo, including contracts, bills, passports, and emails. The gang is now threatening to release and sell the data within hours if the ransom isn't paid. 

The attack majorly affected the natural gas pipeline and the energy supplier Enovos, however, Encevo assured its users that the supply would not be disrupted. The firm recommended its users update their login credentials as soon as possible, alongside, customers should also change their passwords on other websites if they are the same. 

"For now, the Encevo Group does not yet have all the information necessary to inform personally each potentially affected person. This is why we ask our customers not to contact us at the moment. Once again we apologize to our customers for the inconvenience and we do our best to restore full service as soon as possible. Creos and Enovos emphasize once again that the supply of electricity and gas are not affected and that the breakdown service is guaranteed’’, the company added. 

Reportedly, Creos has been contacted by many cyber news portals enquiring about more technical details and the consequences of the cyberattack, however, the representatives of the company did not share any information on the matter.

BlackCat Ransomware Group Demands $5Million to Unlock Austrian State

 

The BlackCat ransomware group, also known as ALPHV, has targeted the Austrian federal state Carinthia, demanding $5 million to open encrypted computer systems. The threat actor allegedly locked thousands of workstations during the attack on Tuesday, causing serious operational interruption to government services. 

The website and email service for Carinthia are temporarily down, and the government is unable to issue new passports or traffic penalties. Furthermore, the intrusion hampered the completion of COVID-19 testing and contact tracking through the region's administrative offices. 

For $5 million, the hackers offered to deliver a functioning decryption tool. Gerd Kurath, a state spokesperson, told Euractiv that the attacker's demands will not be fulfilled. 

According to the press spokesperson, there is presently no proof that BlackCat was able to take any data from the state's systems, and the aim is to restore the workstations using accessible backups. Kurath stated that the first of the 3,000 impacted systems are likely to be operational again soon. 

At the time of writing, there is no material from Carinthia on BlackCat's data leak site, where hackers post files taken from victims who did not pay a ransom. This might imply a recent incident or that discussion with the victim are still ongoing. 

In November 2021, the ALPHV/BlackCat ransomware group emerged as one of the more advanced ransomware attacks. They are a rebranded version of the DarkSide/BlackMatter gang, which is responsible for the Colonial Pipeline attack last year. 

BlackCat affiliates launched attacks on high-profile companies and brands such as the Moncler fashion firm and the Swissport airline freight handling services provider in early 2022. 

By the completion of the first quarter of the current year, the FBI issued a warning that BlackCat had breached at least 60 businesses globally, adopting the position that it was expected to achieve as one of the most active and dangerous ransomware projects out there. 

The attack on Carinthia and the hefty ransom demands demonstrate that the threat actor targets firms that can pay substantial sums of money to get their systems decrypted and prevent additional financial losses due to lengthy operational interruption.