Ransomware roundup: Attainable Change Healthcare double extortion, LockBit reorganizes and extra

Photo of author

By Calvin S. Nelson



It grew to become clear throughout the healthcare cybersecurity panorama this week that the specter of a possible double-extortion assault by RansomHub is looming over Change Healthcare, following the February cyberattack by ALPHV.

Additional, a whirlwind of reports on LockBit begins an advanced story of worldwide espionage and potential new threats to healthcare organizations from this group. We spoke to a number of cybersecurity leaders this week for healthcare’s takeaways.

Double extortion for Change Healthcare

A number of sources reported the RansomHub ransomware-as-a-service group claimed possession of 4TB of stolen Change Healthcare knowledge and was threatening to make it public until a ransom was paid.

“Double extortion really appears fully according to what they could do,” Joel Burleson-Davis, senior vp of worldwide engineering of cyber at Imprivata, mentioned by electronic mail Friday. 

“The opposite dynamic is that these are enterprise fashions, so if they need payout, they should maintain up their finish of the discount, type of like a contract state of affairs. Double extortion is sort of a threat/reward situation for his or her future enterprise mannequin,” he defined. 

Final month, SOCRadar posted a RansomHub profile and reported that, in distinction to different ransomware teams, the group’s ransom funds are initially despatched to associates for a take of 90%.

In the meantime, vx-underground, a trove of malware supply code samples and data, in line with its X profile, mentioned Monday that ALPHV associates moved to RansomHub.

“Change Healthcare and UnitedHealth, you’ve gotten one probability to defending your shoppers knowledge. The information has not been leaked anyplace and any first rate menace intelligence would affirm that the information has not been shared nor posted,” the group allegedly posted Monday, in line with a screenshot a bunch referred to as Darkish Internet Informer shared on X. 

Additionally on the alleged RansomHub darkish web site web page, the group added, “We have now the information and never ALPHV.”

The Division of Justice introduced it seized ALPHV Blackcat in December, however then the Blackcat group claimed duty for the Change Healthcare assault in February and reported having medical, insurance coverage and dental information, together with fee and claims knowledge and the personally identifiable info of sufferers, together with U.S. navy/navy personnel knowledge. 

In March, ALPHV listed the ransom fee, and the positioning shut down with a second legislation enforcement seizure, notices the investigating businesses denied posting. 

Whether or not the group is a associated or unrelated set of menace actors making an attempt to get UnitedHealth Group to pay greater than the $22 million price of Bitcoin it might have already paid to assist restore Change Healthcare techniques and launch pressure on suppliers after the ransomware outage, the potential to leak the large trove of protected well being knowledge is alarming for your entire healthcare ecosystem.

Greg Surla advised Healthcare IT Information Thursday the danger of such a large-scale knowledge breach on healthcare organizations is “advanced and disturbing.” 

“This new menace of knowledge publicity from a second get together reinforces the significance of business-continuity planning as it might be tough to foretell when an assault is really over,” he confused by electronic mail.

“Moreover, the most recent developments intensify the necessity to make sure that PHI is protected utilizing sturdy safety controls, aligned with trade greatest practices and any breaches are reported to [U.S. Health and Human Services] and affected people with out important delay following a breach.”

Burleson-Davis added {that a} potential double-extortion situation is “why we want extra rules round third-party entry” and strong safety packages, like privileged access-management instruments, that “can keep away from some of these things.”

“[UHG] has probably completed as a lot forensics as potential and if that they had an undetected second breach, it actually could possibly be a second actor performing. However what’s to say there’s not a 3rd, or fourth?” he defined to Healthcare IT Information

“The truth that there’s extra exercise that appears like a second breach or a double extortion implies that they’re nonetheless within the thick of this and never out of the woods but,” he added. “If there’s many various actors current of their system now, the street to restoration shall be manner longer, far more costly and far more impactful.

“How do they know they’re clear? This creates an enormous threat profile.”

SC Media famous in its report Monday that RansomHub is giving UHG and Optum 12 days to pay, or will leak Change Healthcare’s knowledge.

Researchers unravel LockBit

In February, DOJ and the U.S. Federal Bureau of Investigation introduced a global group of legislation enforcement officers collaborated by way of a coordinated government-led ransomware protection marketing campaign referred to as Operation Cronos and seized the Lockbit ransomware gang servers, offering decryptors to quite a few organizations throughout sectors.

Lockbit, a ransomware group identified to assault healthcare organizations – though it apologized to Toronto-based SickKids and provided a decryptor in 2023 – seems it is not going to go down and not using a combat.

Final week, Pattern Micro launched particulars on how LockBit operated after the disruption of Operation Cronos. The corporate mentioned, whereas making an attempt to remain afloat with a brand new model, because the group is probably engaged on LockBit 4.0, it might have lately launched the variant LockBit-NG-Dev. 

After researching the menace actors related to the group, Pattern Micro researchers mentioned they query LockBit’s skill to draw high associates, primarily based on the group’s “logistical, technical and reputational” failures in 2023.

There was additionally hypothesis on Thursday that LockBit is rebranding as DarkVault, in line with a Cybernews report.

In the meantime, an unnamed supply advised Bloomberg Wednesday that legislation enforcement investigators have linked pseudonyms utilized by the LockBit hacking gang to particular people, and are monitoring down a listing of 200 leads to LockBit associates. 

The DOJ additionally mentioned, when it introduced the seizure of LockBit’s property, that it unsealed indictments in New Jersey and California for the Russian nationals Artur Sungatov and Ivan Kondratyev, also called the cybercriminal Bassterlord, for deploying LockBit towards quite a few victims all through the USA. 

Sungatov and Kondratyev usually are not in custody however have been sanctioned by the U.S. Treasury, in line with a February story in TechCrunch, that means any connection by any U.S. enterprise or particular person to paying them runs the danger of fines and/or legal prosecution.

Microsoft CVEs double in April

The Cybersecurity and Infrastructure Safety Company issued an emergency directive final week to deal with the impression on federal businesses from a breach of Microsoft.

“The Russian state-sponsored cyber actor often known as Midnight Blizzard has exfiltrated electronic mail correspondence between Federal Civilian Govt Department businesses and Microsoft by way of a profitable compromise of Microsoft company electronic mail accounts,” CISA mentioned within the April 2 announcement.

The FCEB businesses are required to “analyze the content material of exfiltrated emails, reset compromised credentials and take extra steps to make sure authentication instruments for privileged Microsoft Azure accounts are safe,” the highest U.S. cybersecurity company mentioned. 

It is a large month for Microsoft safety widespread vulnerabilities and exposures that every one sectors, together with healthcare IT, ought to take note of. 

Tyler Reguly, senior supervisor of safety analysis and growth at safety agency Fortra, mentioned on Patch Tuesday this week that the 149 CVEs Microsoft issued in April will maintain enterprises busy.

“We noticed 56, 73 and 61 Microsoft-issued CVEs launched for January, February and March,” he mentioned by electronic mail. 

“What’s most notable is {that a} third of the vulnerabilities reference both Microsoft Safety Boot or Microsoft SQL Server. Moreover, Azure options, together with Microsoft Defender for [Internet of Things], account for 15 of the CVEs patched this month,” he added.

Andrea Fox is senior editor of Healthcare IT Information.
E-mail: afox@himss.org

Healthcare IT Information is a HIMSS Media publication.

Leave a Comment