The Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services on Tuesday revised their joint ALPHV Blackcat cybersecurity alert to disseminate new indicators of compromises observed this month.
Blackcat also reportedly claimed to have exfiltrated 6T bytes of Change Healthcare data and denied using the ConnectWise ScreenConnect vulnerability to gain access.
WHY IT MATTERS
The battle between ALPHV Blackcat and U.S. cyber defenses continues as the healthcare industry bears the brunt of attacks in response to a U.S.-led law enforcement operation that hacked the darknet website and infrastructure of Russia-based ALPHV, or Blackcat, ransomware in December seized.
The latest in the joint advice from the FBI, CISA and HHS on the ransomware variant provides new updates for the latest versions released on December 19 and for the FBI FLASH Blackcat/ALPHV Ransomware Indicators of Compromise released on April 19, 2022.
“FBI, CISA, and HHS encourage critical infrastructure organizations to implement the recommendations in the mitigation section of this CSA to reduce the likelihood and impact of ALPHV Blackcat ransomware and data extortion incidents,” the agencies said.
Beeping computer reported On Wednesday, in a statement published on the Blackcat dark web leak site, the cybercriminals claimed to have stolen 6TB of data including the US military’s Tricare health program, Medicare, CVS Caremark, MetLife, Health Net and others from the Change Healthcare network breach .
According to the article, Blackcat claimed to have medical, insurance, and dental records, along with payment and claims records and the personally identifiable information of patients and active U.S. military/naval personnel.
THE BIG TREND
Groups including the American Hospital Association and the Health Information Sharing and Analysis Center also informed the healthcare industry on Tuesday that there will be more victims in the coming days from the Change Healthcare cyberattack of February 21.
Rick Pollack, president and CEO of AHA, said the following Cybersecurity attack change is a ‘life-threatening crime’ in a call with hospital leaders on Friday.
While H-ISAC discussed network indicators affecting ScreenConnect Remote Access in its bulletin, Blackcat denied that affiliates that breached Change Healthcare’s network were using an access bypass flaw that has since been patched, according to the story on Beeping computer.
In the meantime, CNN reported on the Change cyber attack inconvenience for providers where some said they are struggling to find solutions for payments. Some patients and caregivers also told the outlet they were unable to refill or obtain essential medications.
ON THE RECORD
“Since mid-December 2023, of the almost 70 leaked victims, the healthcare sector has been the most victimized,” the agencies said in the revised joint advice from ALPHV Blackcat.
“This is likely in response to the ALPHV Blackcat administrator’s post encouraging its subsidiaries to target hospitals following operational action against the group and its infrastructure in early December 2023.”
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.