Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label HHS. Show all posts

New Trinity Ransomware Strain Targets U.S. Healthcare, Federal Officials Warn

 

A new ransomware strain, known as Trinity, has reportedly compromised at least one healthcare organization in the U.S., according to a recent report from federal authorities.

The U.S. Department of Health and Human Services (HHS) issued a warning on Friday, alerting hospitals about the serious threat posed by the ransomware group. They highlighted that Trinity’s methods make it a "notable risk" to both the U.S. healthcare and public health sectors.

HHS's Health Sector Cybersecurity Coordination Center confirmed that one U.S. healthcare entity has recently fallen victim to the Trinity ransomware, which was first detected around May 2024.

To date, seven victims of Trinity ransomware have been identified, including two healthcare providers—one in the U.K. and another in the U.S. The latter, a gastroenterology services provider, lost 330 GB of data. While the facility remains unnamed, it has been listed on Trinity’s data leak site and is currently facing technical disruptions, including limited phone access.

Additionally, researchers have found another case involving a dental group based in New Jersey.

HHS noted similarities between Trinity and two other ransomware groups—2023Lock and Venus—hinting at potential collaboration between these cybercriminals.

Trinity ransomware mirrors other known operations by exploiting common vulnerabilities to extract data and extort victims.

After installation, the ransomware gathers system information, such as available processors and drives, to escalate its attack. Operators then scan for weaknesses to spread the ransomware within the network.

The files encrypted by the attack are marked with the “trinitylock” extension, and victims receive a ransom note demanding payment within 24 hours, with threats of data exposure if they fail to comply.

At present, there is no available decryption tool for Trinity, leaving victims with few options, according to the HHS advisory.

The attackers operate two websites: one to assist those who pay the ransom with decryption, and another that displays stolen data to extort victims further.

Federal officials have discovered code similarities between the Trinity and Venus ransomware strains, noting identical encryption methods and naming schemes, which suggest a close link between them. Trinity also shares features with 2023Lock, including identical ransom notes and code, implying it could be an updated variant.

Cybersecurity researchers have also pointed out that Trinity may be a rebranded version of both Venus and 2023Lock. According to Allan Liska of Recorded Future, Trinity is "not a highly advanced strain of ransomware," and the attackers do not appear particularly sophisticated.

HHS emphasized that the potential collaboration between these threat actors could enhance the complexity and impact of future ransomware attacks.

Previous HHS warnings have covered other ransomware groups such as Royal, Cuba, Venus, Lorenz, and Hive.

Despite heightened law enforcement efforts, ransomware attacks persist, with operations continuing to generate significant revenue—approximately $450 million in the first half of 2024 alone.

The healthcare sector has been particularly affected by these attacks, causing severe disruptions. Just last week, a Texas hospital, the only level 1 trauma center in a 400-mile radius, had to reduce services and turn away ambulances due to a ransomware incident.

As of Friday, the hospital reported restored phone services, with only a limited number of ambulances being redirected to other facilities.

Microsoft Announces New Deadlines for Windows Updates

 


A July 4 deadline for Windows users who have not updated their systems is fast approaching. It was only two weeks ago that a two-week-old security vulnerability found in Windows was found to have been reactivated. Despite Microsoft's claim that CVE-2024-26169 is not exploitable, Symantec's security researchers believe otherwise, finding “some evidence” that attackers might have prepared an exploit for the CVE-2024-26169 vulnerability before patching the vulnerability. 

As of last month, several U.S. government agencies – including CISA and the FBI – have collaborated on a Cybersecurity Alert which warns that “Black Basta affiliates have compromised a wide range of critical infrastructure, businesses, and industries throughout North America, Europe and Australia.” There are over 500 organizations in the world that have been affected by Black Basta affiliates in the year 2024. 

Several organizations have released the joint CSA, including the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), to provide information regarding the Black Basta attacks, which are referred to hereafter as the authoring organizations. A variant of ransomware known as Black Basta has encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) sector. 

The FBI has conducted investigations into Black Basta and third parties have reported on these TTPs and IOCs. This is a ransomware-as-a-service variant that was first detected in April 2022 and is considered a ransomware-as-a-service (RaaS) variant. It is believed that the Black Basta ransomware will have affected more than 500 organizations globally by May 2024, affecting a wide range of businesses in North America, Europe, and Australia as well as critical infrastructures. 

Black Basta is a Russian-linked ransomware that originated in early 2022. It was used to attack over 329 organizations around the world and has grown to become one of the fourth most active strains of ransomware based on the number of victims. According to the group, they are using double-extortion tactics to extort victims by threatening to publish stolen data unless the victim is willing to pay a ransom. Several researchers have suggested that BlackBasta may have originated as a part of Conti Group, a ransomware gang that has been in operation for quite some time now. 

It has been revealed through the leak of Conti’s online chats that the group had ties to the Russian government and that it supported the invasion of Ukraine. The group ended in May 2022, but its online chats were leaking this information. Affiliates of Black Basta use common methods for gaining access to a system such as phishing emails and exploiting known vulnerabilities then use a double extortion technique to gain access to the system as well as steal data. There are two types of ransom notes: those which include instructions as to how to pay as well as those which do not.

The ransomware group instead gives victims a one-time use private code and instructs them to contact the group via a website that is only accessible through the Tor browser, a URL that contains a .onion extension. According to the majority of ransom notes, victims are usually given between 10 and 12 days before becoming subject to the publication of their data on the Basta News website, which the Black Basta ransomware group runs. Black Basta attacks businesses in a range of different industries, affecting the construction industry (10% of victims), the legal sector (4%) and the real estate sector (3%). This group of ransomware is known as Black Basta and its victimology is very similar to that of the Conti ransomware group.

Both groups have a shared appetite for many of the same industries as Black Basta. Among the victims of Black Basta, 61% are from organizations that are based in the United States, followed by 15% from the German authorities. There are several high-profile victims of Black Basta, which include Capita, a software services company with billions of dollars worth of UK government contracts, and ABB, a company that has more than US$29 billion in revenue. The information regarding whether or not a ransom was paid by either company has not been publicized.

The healthcare industry is an attractive target for cybercriminals due to the size of the organization, the technological dependence, the access to medical information and the unique impact of disruptions to patient care. There are several ways in which a member of the Black Basta organization will gain access to a system, and these methods include phishing emails, exploiting known vulnerabilities, and then using double extortion techniques to gain access to the system as well as stealing data. A ransom note can be divided into two types: those that provide instructions on how to pay the ransom, and those which do not provide instructions. 

As an alternative to encrypting the victims' files, the ransomware group comprises a group of individuals that give victims an individual one-use private code in addition to instructing them to contact the group via a website only accessible by Tor browsers, one that contains a .onion extension on the URL. There is usually between 10 and 12 days of grace allowed to victims according to ransom notes that are generally released by the Black Basta malware group before their data is exposed on Basta News, which is a website that publishes data from the victims. 

It is not uncommon for Black Basta to attack businesses across a wide range of different industries, with 10 per cent of victims coming from the construction industry, 4 per cent from the legal sector, and 3 per cent from the real estate industry. It seems that the Black Basta ransomware group, which has a victimology very similar to that of the Conti ransomware group, has been seen to distribute a similar type of ransomware. There is a clear affinity between the two groups when it comes to several of the same industries as Black Basta.

Black Basta has been responsible for the murder of 61% of American victims, followed by 16% of German victims, and the vast majority of victims belong to organizations based in the United States and Europe. The Black Basta scam has claimed the lives of several high-profile companies, including Capita, a software company with billions of dollars worth of contracts with the British government, and ABB, a company with one of the world's largest revenue bases within the US$29 billion range. Neither company has provided any information regarding a ransom payment that has been made by one of the companies, which is of concern. 

The healthcare industry represents an appealing target for cybercriminals due to several critical factors. Firstly, the sheer size and scale of healthcare organizations make them lucrative targets. Additionally, their substantial reliance on advanced technology heightens vulnerability to cyberattacks. Furthermore, these organizations possess extensive repositories of sensitive medical information, making them particularly attractive to malicious actors. The potential disruptions to patient care resulting from cyber incidents also underscore the unique and profound impact of such breaches within the healthcare sector.

One in Three Healthcare Providers at Risk, Report Finds


 

A recent report reveals that more than a third of healthcare organisations are unprepared for cyberattacks, despite an apparent rise in such incidents. Over the past three years, over 30% of these organisations have faced cyberattacks. The HHS Office for Civil Rights has reported a 256% increase in large data breaches involving hacking over the last five years, highlighting the sector's growing vulnerability.

Sensitive Data at High Risk

Healthcare organisations manage vast amounts of sensitive data, predominantly in digital form. This makes them prime targets for cybercriminals, especially since many operators have not sufficiently encrypted their data at rest or in transit. This lack of security is alarming, considering the high value of protected health information (PHI), which includes patient data, medical records, and insurance details. Such information is often sold on the dark web or used to ransom healthcare providers, forcing them to pay up to avoid losing critical patient data.

In response to the surge in cyberattacks, federal regulators and lawmakers have taken notice. The HHS recently released voluntary cybersecurity guidelines and is considering the introduction of enforceable standards to enhance the sector's defences. However, experts stress that healthcare systems must take proactive measures, such as conducting regular risk analyses, to better prepare for potential threats. Notably, the report found that 37% of healthcare organisations lack a contingency plan for cyberattacks, even though half have experienced such incidents.

To address these challenges, healthcare organisations need to implement several key strategies:

1. Assess Security Risks in IT Infrastructure

Regular cyber risk assessments and security evaluations are essential. These assessments should be conducted annually to identify new vulnerabilities, outdated policies, and security gaps that could jeopardise the organisation. Comprehensive cybersecurity audits, whether internal or by third parties, provide a thorough overview of the entire IT infrastructure, including network, email, and physical device security.

2. Implement Network Segmentation

Network segmentation is an effective practice that divides an organisation's network into smaller, isolated subnetworks. This approach limits data access and makes it difficult for hackers to move laterally within the network if they gain access. Each subnetwork has its own security rules and access privileges, enhancing overall security by preventing unauthorised access to the entire network through a single vulnerability.


3. Enforce Cybersecurity Training and Education

Human error is a growing factor in data breaches. To mitigate this, healthcare organisations must provide comprehensive cybersecurity training to their staff. This includes educating employees on secure password creation, safe internet browsing, recognizing phishing attacks, avoiding unsecured Wi-Fi networks, setting up multi-factor authentication, and protecting sensitive information such as social security numbers and credit card details. Regular updates to training programs are necessary to keep pace with the evolving nature of cyber threats.

By adopting these measures, healthcare organisations can significantly bolster their defences against cyberattacks, safeguarding sensitive patient information and maintaining compliance with HIPAA standards. 


Singing River Health System Suffers Major Data Breach, 895,000 Impacted

 


A ransomware attack that took place in August 2023 is now estimated to have affected 895,204 people within the Singing River Health System. The Singing River Health System operates three hospitals in Mississippi, one in Pascagoula, one in Ocean Springs, and one in Gulfport, which collectively provide over 700 beds to its patients. It is one of the largest healthcare providers in Mississippi. It employs a total of 3,500 people, and it also operates two hospices, four pharmacies, six imaging centres, ten speciality centres, and twelve medical clinics throughout the Gulf Coast region. 

The impacted hospitals were experiencing major IT system outages for several services, including laboratory testing and radiology testing. At the time, Singing River said it was working to process all paper-ordered lab tests and radiology exams as quickly as possible, depending on the priority of the exam. It was revealed by the healthcare organization on September 13, 2023, that a data breach had taken place, and in December 2023 the organization announced that 252,890 individuals were affected by the incident. 

According to a new update shared by the Maine Attorney General, the company reported that 895,204 people were affected by the incident. An August 31, 2023, disclosure from the healthcare system was the first time it reported the breach. As of the time of this writing, the US Department of Health and Human Services (HHS) Office for Civil Rights has been informed of the breach as impacting at least 501 individuals. 

The number will be determined once internal and external investigations have been completed. It has been confirmed that the data exposed to the public is a combination of full names, dates of birth, physical addresses, Social Security Numbers (SSNs), medical information, and health information, according to the latest information in the data breach report and on the organization's website. Singing River assured everyone that despite these issues, they have yet to find evidence that the threat actors were using the data to commit identity fraud or theft. 

It is also worth noting that the company also offers two-year credit monitoring services and identity restoration services to those who may be affected by this. A ransomware group known as Rhysida has been reported as responsible for the attack, making it one of the most serious cybercriminals groups targeting healthcare providers. Approximately 80% of the data that the threat actors claim to have gained from the Singing River has been exposed thus far, which includes 420,766 files totalling 754 GB in size, which comes with a catalogue of 420,766 files that they claim have gained from the Singing River. 

Threat actors will no doubt take advantage of these opportunities to generate other illicit activities, such as phishing if the stolen data includes details that can provide additional information. Due to this, recipients of the free identity restoration and monitoring services provided by the Federal Trade Commission are recommended to immediately apply for them to avoid becoming victims of such campaigns. 

A ransomware gang known as Rhysida was responsible for the attack, as well as other healthcare systems including Prospect Medical Holdings and Lurie Children's Hospital. According to the Health Sector Cybersecurity Coordination Center at HHS, the group has targeted educational institutions, the manufacturing industry, as well as the Chilean army in the past, as well as numerous other institutions.   
The IDX recommendation is that impacted individuals enrol in IDX's services as soon as possible, act with caution when responding to unsolicited communications, monitor all accounts for suspicious activity, and consider placing a security freeze on their credit reports to protect themselves. Threat actors are becoming increasingly attracted to the healthcare sector due to its data holdings and the importance of these data for a community or country, thus making it a highly attractive target for data breach attacks. 

In a cyberattack that occurred last week, DocGo, a provider of mobile medical services, was compromised. For individuals who have been impacted by the SRHS, IDX identity theft protection is offering a free twelve months of credit monitoring services provided by IDX for twenty-four hours a day. Moreover, the company offers guidance on how to prevent identity theft and fraud, which includes steps to report suspicious incidences, as well as placing fraud alerts or security freezes on the credit record to protect the information. 

As well as that, they will be providing information on how users can protect themselves from tax fraud, how to contact consumer reporting agencies, and how to get a free credit report. A report by the Singing River Health System has reviewed the account statements of individuals impacted by the breach and recommended that they monitor their credit reports and account statements closely. 

In the wake of a recent ransomware attack on the Singing River Health System, which resulted in the theft of data belonging to 895,000 individuals, authorities are urging affected persons to take immediate action. It is strongly recommended that anyone who suspects they may be a victim of identity theft or fraud report these incidents to the appropriate authorities without delay. 

Key organizations to contact include the Federal Trade Commission (FTC), which handles consumer complaints and can guide users in protecting their identity. Additionally, individuals should reach out to their state's Attorney General's office, which often has resources and support for victims of identity theft. Reporting the incident to local law enforcement is also crucial, as it helps authorities track and investigate such crimes. By taking these steps, individuals can not only protect themselves from further harm but also assist in the broader effort to combat cybercrime and bring those responsible to justice.

Ransomware Vendetta: Rhysida Group Strikes Prospect Medical, Warns of Auctioning Stolen Data

 


It has been claimed that Rhysida, an ever-evolving ransomware group, is responsible for the recent cyberattack on Prospect Medical Holdings during which hospitals and medical facilities in four states have been attacked. As a result, Prospect Medical Holdings was forced to take its systems down earlier this month. 

The Prospect Health Group operates 16 hospitals in California, Connecticut, Pennsylvania, and Rhode Island, as well as more than 165 clinics and outpatient facilities throughout these states. According to Callow, many US healthcare systems have been affected by ransomware this year, infecting at least 53 hospitals under their control, and at least 20 of these organizations have had their data stolen as a result of the attack. 

The Department of Health and Human Services issued an alert earlier this month to warn people about Rhysida, a ransomware-as-a-service group that first arose in mid-May. The group is currently in its infancy and does not have some advanced features such as plaintext strings that reveal registry modification commands as well as some advanced features such as plaintext strings that display registry management commands. 

There have been major attacks on organizations in several sectors including education, government, manufacturing, technology, and managed service providers by Rhysida. As part of its ongoing data leak investigation, the Federal Bureau of Investigation has revealed that most of the data stolen from eleven victims have been uploaded to the threat actor's data leak site between June and the beginning of August. 

As a result of a cyberattack launched by the Rhysida ransomware group on Prospect Medical Holdings, the group claims to have gained access to 500,000 social security numbers, confidential corporate records, and patient records from the company. 

A ransom note was reportedly displayed on employee screens the day after the attack, warning that their network had been compromised and their devices had been encrypted as a result of the attack, which was believed to have occurred on August 3rd. 

There is a claim that Rhysida has more than one terabyte of stolen data on her hands, along with an SQL database containing more than 1.3 terabytes of data. In the listing on the dark web, the group offered to sell the data for 50 bitcoin, which would equate to roughly $1.3 million, based on the listing that was made available. 

BleepingComputer later found out that the Rhysida ransomware gang was behind the attack even though PMH did not respond to questions about the security incident. According to current reports, PMH hospital networks, including CharterCare, have been able to successfully restore the functionality of the hospital networks' systems. However, efforts remain ongoing to make sure that patient records are reinstated as soon as possible. 

Earlier this month, the Department of Health and Human Services (HHS) warned that the hacker group Rhysida seemed to be responsible for recent attacks against healthcare organizations, with a claim of responsibility for the attack on Prospect Medical. Described by the Department of Health and Human Services (HHS) as a new ransomware-as-a-service (RaaS) group, Rhysida has emerged since May 2023. 

An HHS official said the group encrypts a target's networks through Cobalt Strike and phishing attacks to breach their targets' networks and plant their malicious payloads on those networks. Once the victim has not paid the ransom, the group threatens the victim by releasing all of the data that has been exfiltrated. HHS has indicated that Rhysida is still in its infancy and there are limited advanced features that it has developed, as evidenced by its name Rhysida-0.1, and the lack of advanced features. 

According to the report, the ransomware also leaves PDF notes in the affected folders instructing victims to contact the group through their portal and pay in Bitcoin. There are numerous countries across Western Europe, North and South America, as well as Australia that have been affected by Rhysida and its victims. 

It is primarily focused on the education, government, manufacturing technology, and managed services industries that are attacked by these cyber criminals. As exemplified by the attack on PMH, they have recently attacked the healthcare and public health sectors, and this has had a significant impact on the healthcare industry. There have been several ransomware gangs who have claimed credit for attacks in the past, including Rhysida, said Emily Phelps, director at Cyware.

Block KillNet's DDoS Bots Using These Proxy IP Addresses

 


The US government has issued a warning about the Russian cybercrime gang stepping up its attacks against hospitals and health clinics by flooding their networks and using, as part of its warning, a free tool that is designed to help organizations defend against KillNet distributed-denial-of-service (DDoS) bots. 

Currently, tens of thousands of proxy IP addresses are listed on the KillNet open proxy IP blocklist. These IP addresses are being used by Russian hackers in their attempts to flood networks with traffic. Following the investigation that SecurityScorecard's threat researchers conducted on Killnet and other network spamming miscreants, the security company built this list of threats.

Although DDoS attacks are relatively unsophisticated, like many other attacks, they can still take a serious toll, especially when they disrupt hospitals, according to a recent blog post by the security firm using KillNet as an example. 

A website taken down by the Russian gang toward the end of January was one of 14 hospitals targeted in the United States. The University of Michigan Hospitals and Health Centers, Stanford Hospital, Duke University, and Cedars-Sinai Medical Center, among others, were some of the hospitals. There are several reasons for using DDoS attacks, one of which is to mask more intrusive activities. 

A report released by the US Department of Health and Human Services (HHS) on Wednesday confirmed that KillNet is a threat to the healthcare sector and prompted DHS to issue a second warning. A similar security alert has been issued by the Department of Homeland Security twice in the last few months.  

It is common for pro-Kremlin supporters to attach an ideological bent to their attacks - sometimes using empty threats to convey their message. "Killmilk, one of the leading members of the KillNet group, has threatened the US Congress with the sale of the health and personal information of American citizens to attack US policies concerned with Ukraine," according to the December security alert from HHS. According to the US, the planned attack has not yet been carried out. 

In a similar vein, the gang threatened to attack ventilators and other technical devices in British hospitals if another alleged KillNet criminal arrested in London in May was not released as soon as he was arrested. 

Although KillNet may claim to have carried out attacks on the US military, it is wise to take its claims with a pinch of salt, according to HHS. Given the fact that the group tends to exaggerate, there is a possibility that some of these operational and development announcements may simply be meant to garner attention, both publicly and within the cybercrime underground. According to the FBI and private security researchers, the group's DDoS campaigns have been viewed as publicity stunts, which, as annoying as they have been, have had "limited success." 

A Public Relations Stunt That Could Turn Wrong   

KillNet claimed responsibility on October 10 for deactivating more than a dozen websites associated with US airports as part of an attack aimed at knocking the websites offline. Although the large-scale DDoS attack was disruptive, it did not disrupt air travel or harm the operation of the airports. 

As soon as someone claimed to have unleashed a second bot army against JPMorgan Chase a day later, the same criminals saw similarly feeble results. In my opinion, some PR agency is trying to increase their budget for PR. 

It was then that at the beginning of November, a US Treasury official announced that the department had halted a "pretty low-level" DDOS attack designed to disrupt critical infrastructure nodes in the department, also attributed to Killnet.  

KillNet's DDoS attacks usually do not cause major damage but they have the potential to disrupt healthcare organizations and the millions of patients they serve for hours, days, or even weeks - and this can be especially damaging to organizations and patients in the healthcare sector.  

It has been reported that these bots are flooding the network traffic of patients and doctors, preventing them from sending and receiving health information online and making it harder for patients to schedule appointments in the future.  

Furthermore, sometimes miscreants use DDoS attacks as a distraction for their security teams to keep their attention while they work on more dangerous attacks, including the theft of sensitive information or the deployment of ransomware. 

According to HHS, it is likely that pro-Russian ransomware groups, including those that were part of the defunct Conti group, will respond to KillNet's appeal and offer support. These results will most likely lead to KillNet targeting entities that will be victimized by extortion or DDoS attacks as a means of extortion, a tactic that several ransomware groups have employed.