Ransomware Overview: Possible Double Extortion of Change Healthcare; LockBit reorganizes; and more

This week, the specter of a potential double extortion attack by RansomHub looming over Change Healthcare following the ALPHV cyberattack in February became apparent across the healthcare cybersecurity landscape.

Furthermore, a whirlwind of news on LockBit predicts a complicated story about international espionage and potential new threats to healthcare organizations from this group. We spoke with several cybersecurity leaders this week about healthcare insights.

Double extortion for Change Healthcare

Multiple sources reported that the RansomHub ransomware-as-a-service group claimed possession of 4TB of stolen Change Healthcare data and threatened to make it public if a ransom is not paid.

“Double extortion actually seems completely in line with what they could do,” Joel Burleson-Davis, senior vice president of global cyber engineering at Imprivata, said by email Friday.

“The other dynamic is that these are business models, so if they want a payout, they have to hold up their end of the bargain, kind of a contract situation. Double extortion is like a risk-reward scenario for their future business model,” he explained.

Last month, SOCRadar posted a RansomHub profile and reported that, unlike other ransomware groups, RansomHub sends ransom payments to its affiliates first, with the affiliates keeping a 90% share.

Meanwhile, vx-underground, which describes itself on its X profile as a trove of malware source code samples and information, said on Monday that ALPHV affiliates have moved to RansomHub.

“Change Healthcare and UnitedHealth, you have one chance to protect your customers’ data. The data has not been leaked anywhere and any decent threat intelligence would confirm that the data has not been shared or posted,” the group reportedly posted on Monday, according to a screenshot a group called Dark Web Informer shared on the social media platform X.

On what is allegedly RansomHub’s dark web leak site, the group also added: “We have the data and not ALPHV.”

The Justice Department announced in December that it had seized ALPHV Blackcat’s infrastructure, but the Blackcat group subsequently claimed responsibility for the Change Healthcare attack in February, claiming it held medical, insurance and dental records, along with payment and claims data, patients’ personally identifiable information and data on US Army/Navy personnel.

In March, ALPHV acknowledged the ransom payment, and its site was taken down after a second police seizure.

Whether RansomHub is related to ALPHV or is an unrelated group of threat actors trying to get UnitedHealth Group to pay more than the $22 million in Bitcoin it may already have paid to help restore Change Healthcare systems and ease pressure on providers after the ransomware fallout, the potential leakage of such a massive amount of protected health data is alarming for the entire healthcare ecosystem.

Greg Surla told Healthcare IT News on Thursday that the risk of such a large-scale data breach at healthcare organizations is “complex and disturbing.”

“This new threat of second-party data exposure reinforces the importance of business continuity planning, as it can be difficult to predict when an attack is truly over,” he emphasized by email.

“Additionally, the latest developments intensify the need to ensure that PHI is protected using strong security controls, in line with industry best practices, and that any breaches following a breach are reported to (US Health and Human Services) and affected individuals without significant delay.”

Burleson-Davis added that a potential double extortion scenario is “why we need more regulation around third-party access” and that robust security programs, such as privileged access management tools, “can avoid some of these things.”

“(UHG) has probably done as much forensics as possible and if they were to commit an undetected second offense, it really could be a second actor. But what can you say that there is no third or fourth?” he told Healthcare IT News.

“The fact that there is additional activity that appears to be a second offense or a double extortion means they are still in the thick of this and not out of the woods yet,” he added. “If there are now many different actors in their system, the road to recovery will be much longer, much more expensive and much more impactful.

“How do they know they are clean? This creates a huge risk profile.”

SC Media noted in its report on Monday that RansomHub has given UHG and Optum 12 days to pay before Change Healthcare’s data is leaked.

Researchers unravel LockBit

In February, the DOJ and the U.S. Federal Bureau of Investigation announced that an international team of law enforcement officials, working together in a coordinated, government-led ransomware defense campaign called Operation Cronos, had seized the LockBit ransomware gang’s servers and provided decryptors to numerous organizations across different sectors.

LockBit, a ransomware group known to attack healthcare organizations — though it apologized to Toronto-based SickKids and offered a decryptor in 2023 — doesn’t appear to be going down without a fight.

Last week, Trend Micro released details on how LockBit functioned after the Operation Cronos disruption. The company said that while the group tries to stay afloat with a new version, most likely LockBit 4.0, it may have recently released the LockBit-NG-Dev variant.

After investigating the threat actors associated with the group, Trend Micro researchers said they question LockBit’s ability to attract top partners based on the group’s “logistical, technical and reputational” failures in 2023.

There was also speculation on Thursday that LockBit will rebrand as DarkVault, according to a Cybernews report.

Meanwhile, an unnamed source told Bloomberg on Wednesday that law enforcement investigators have linked pseudonyms used by the LockBit hacking gang to specific individuals and that they are maintaining a list of 200 leads on LockBit members.

The DOJ, in announcing the seizure of LockBit’s assets, said it had also filed charges in New Jersey and California against Russian nationals Artur Sungatov and Ivan Kondratyev, also known as the cybercriminal Bassterlord, for using LockBit against numerous victims in the United States.

Sungatov and Kondratyev are not in custody but have been sanctioned by the U.S. Treasury Department, according to a February 2011 story in TechCrunch, which means that any U.S. company or individual that pays them risks fines and/or criminal prosecution.

Microsoft CVEs doubled in April

The Cybersecurity and Infrastructure Security Agency issued an emergency directive last week to address the impact on federal agencies of a Microsoft breach.

“The Russian state-sponsored cyber actor known as Midnight Blizzard exfiltrated email correspondence between Federal Civilian Executive Branch agencies and Microsoft through a successful compromise of Microsoft corporate email accounts,” CISA said in the April 2 announcement.

The FCEB agencies are required to “analyze the contents of exfiltrated emails, reset compromised credentials, and take additional steps to ensure that authentication tools for privileged Microsoft Azure accounts are secure,” the U.S. cybersecurity agency said.

It’s a big month for Microsoft Common Vulnerabilities and Exposures (CVEs) that all industries, including healthcare IT, should pay attention to.

Tyler Reguly, senior manager of security research and development at security firm Fortra, said on Patch Tuesday this week that the 149 CVEs Microsoft released in April will keep companies busy.

“We saw 56, 73 and 61 Microsoft-issued CVEs released for January, February and March,” he said by email.

“What’s most striking is that a third of the vulnerabilities involve Microsoft Secure Boot or Microsoft SQL Server. Additionally, Azure features, including Microsoft Defender for (Internet of Things), are responsible for 15 of the CVEs patched this month,” he added.

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.