Fraud Management & Cybercrime , Healthcare , Industry Specific

BlackCat Pounces on Health Sector After Federal Takedown

Feds Issue Alert as Change Healthcare Hack Affects Medicare, CVS Caremark, MetLife
BlackCat Pounces on Health Sector After Federal Takedown

U.S. authorities have been trying to shut down the BlackCat ransomware-as-a-service group for over a year. The relatively young group, also known as Alphv, has built a notorious reputation, grabbing headlines in March 2023 when it leaked stolen photos of breast cancer patients in an extortion attempt against a group of Pennsylvania cancer clinics.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The FBI, posing as an affiliate, infiltrated the ransomware group's operation and developed a tool that could decrypt the systems of more than 500 BlackCat victims. Then, agents in December seized the group's data leak site and its Tox peer-to-peer instant messaging account - though the leak site was back in BlackCat's control within a week (see: FBI Seizes BlackCat Infrastructure, Group Has New Domain).

In retaliation for the attempted takedown, federal authorities say the BlackCat administrator posted a note "encouraging its affiliates to target hospitals."

On Wednesday, the Russian-speaking group claimed on its dark web site that it is behind the biggest healthcare hack so far the year - exfiltrating 6 terabytes of "highly selective data" relating to "all" Change Healthcare clients, including Tricare, Medicare, CVS Caremark, MetLife, Loomis, Davis Vision, Health Net, Teachers Health Trusts "and tens of insurance and other companies." (See: Change Healthcare Outage Hits Military Pharmacies Worldwide).

On Thursday, Optum confirmed in a statement that the attack on its IT services unit, Change Healthcare, had been perpetrated by cybercriminals claiming to be BlackCat/Alphv.*

A joint warning from CISA, the FBI and the U.S. Department of Health and Human Services on Tuesday makes no mention of the Change Healthcare incident but says Alphv/BlackCat affiliates have posted notices on nearly 70 leaked victims since mid-December 2023, and the healthcare sector has been the most victimized.

The cyberattack on Change Healthcare has been disrupting scores of the company's healthcare sector clients since last week, including the companies listed on the BlackCat leak site (see: Change Healthcare Outage Disrupts Firms Nationwide).

A CVS spokesman in a statement to Information Security Media Group said the company has seen the BlackCat claims, but "at this time, Change Healthcare has not confirmed whether any CVS Health member or patient information that it holds, including CVS Caremark information, was affected by this incident.

"Change Healthcare's network interruption is impacting certain CVS Health business operation and our business continuity plans remain in place to minimize disruption of services."

HHS in a statement to ISMG on Thursday said it is working closely with Optum "to assess the cyber incident and its impact on patient care. The incident is a reminder to all healthcare providers and contractors to stay vigilant."**

Other clients listed by BlackCat did not immediately respond to ISMG's requests for comment on BlackCat's claims.

Weeklong Outage, So Far

Optum, a unit of UnitedHealth Group, has been responding to the Feb. 21 attack on Change Healthcare for more than a week, and 119 software components are still offline as of Wednesday morning, when the company issued a status update (see: Groups Warn Health Sector of Change Healthcare Cyber Fallout).

Last week, UnitedHealth Group, in a filing to the U.S. Securities and Exchange Commission, said the incident involves "a suspected nation-state associated cyber security threat actor" who gained access to some of the Change Healthcare IT systems.

Change Healthcare's IT products - which run the gamut from healthcare revenue cycle management to pharmacy benefits and claims management applications, are used to process 15 billion healthcare transactions annually, with the company's clinical connectivity solutions "touching" 1 in 3 patient records in the U.S., according to Change Healthcare's website.

Optum did not immediately respond to ISMG's requests for additional details about the Change Healthcare incident.

In previous claims posted on its site, BlackCat asserted that it didn't target healthcare providers, though the affiliates are known to go after insurance companies, pharmaceutical companies and other related vendors.

Agencies' Warnings

The U.S. government agencies' joint advisory this week said affiliates are being encouraged to target providers and the threat actors have "improvised communication methods by creating victim-specific emails to notify of the initial compromise."

The FBI, CISA and HHS encourage critical infrastructure organizations to implement a list of recommended mitigations to reduce the likelihood and impact of Alphv BlackCat ransomware and data extortion incidents.

Urgent recommended mitigation actions include taking inventory of assets and data to identify authorized and unauthorized devices and software, prioritizing remediation of known exploited vulnerabilities, enabling and enforcing multifactor authentication with strong passwords, and closing unused ports and removing applications not deemed necessary for day-to-day operations.

Further recommended mitigations include securing remote access tools, implementing application controls to manage and execute software such as allowlisting remote access programs, and implementing FIDO/WebAuthn authentication or public key infrastructure-based multifactor authentication to reduce the risk of phishing, push bombing or SIM swap attacks, "which are techniques known be used by ALPHV BlackCat affiliates," the advisory said.

The alert also advises entities to use network monitoring tools to identify, detect and investigate abnormal activity and potential traversal of ransomware; regularly train users to identify social engineering and phishing attacks; monitor internal mail and messaging traffic to identify suspicious activity; install and maintain antivirus software; and implement "free" security tools to prevent cyberthreat actors from redirecting users to malicious websites to steal their credentials.

The alert says that in February 2023, Alphv/BlackCat announced the ALPHV BlackCat Ransomware 2.0 Sphynx update, which was rewritten to provide additional features to affiliates, such as improved defense evasion and additional tooling. "This ALPHV BlackCat update has the capability to encrypt both Windows and Linux devices, and VMware instances. ALPHV BlackCat affiliates have extensive networks and experience with ransomware and data extortion operations," the alert said.

Alphv/BlackCat affiliates use advanced social engineering techniques and open-source research on a company to gain initial access, the alert says. That includes threat actors posing as IT or help desk staff to obtain credentials from employees to access the target network.

"Some ALPHV BlackCat affiliates exfiltrate data after gaining access and extort victims without deploying ransomware. After exfiltrating and/or encrypting data, ALPHV BlackCat affiliates communicate with victims via TOR [S0183], Tox, email, or encrypted applications. The threat actors then delete victim data from the victim's system," the advisory says.

Among the long list of IoCs contained in the advisory is a network IOC - "Domain Fisa99.screenconnect[.]com ScreenConnect Remote Access" - involving ConnectWise ScreenConnect remote access tool.

Security researchers have speculated in recent days that the Change Healthcare attack involved exploitation of ScreenConnect vulnerabilities. But ConnectWise maintains that it has not found any definitive link between the attack and exploitation of ScreenConnect flaws.

BlackCat also dismissed the claims. "We did not use ConnectWise as our initial access," the gang wrote as a P.S. on its dark web post about the Change Healthcare attack.

ConnectWise Connection, Disconnected?

ConnectWise has maintained that it is unaware of any confirmed connection between the ScreenConnect vulnerability disclosed on Feb. 19, and the incident at Change Healthcare.

"Our internal reviews have yet to identify Change Healthcare as a ScreenConnect customer, and none of our extensive network of managed service providers have come forward with any information regarding their association with Change Healthcare," ConnectWise said in a statement Tuesday night.

"As typical examples, cyberattacks can occur through numerous avenues, including vulnerabilities, phishing and business email compromise. While usually used for IT service delivery and product support, attackers can misuse remote control tools to facilitate malicious activities," ConnectWise said.

Yelisey Bohuslavskiy, co-founder and chief research officer at threat intelligence firm RedSense, which had found indicators that the Change Healthcare incident involved a ScreenConnect exploit, told ISMG on Wednesday that use of several attack vectors and possibly even several initial access vectors "is not only possible in this case but is most likely the only option."

"For both nation-state groups and with ransomware, the actor utilizing a CVE for initial access will always use a more traditional method at the same time, he said. "The few examples of ransomware weaponization of CVEs - Conti with Log4J being the most illustrative one - always had three vectors - the CVE itself, use of pre-exposed credentials, and traditional precursor deployment - botnet like Qbot dropping CS as an example," he said.

"Patching is still critical."

Critical Measures

When data security incidents such as the Change Healthcare attacks occur, related parties, vendors and organizations need to react quickly to evaluate whether they might have been exposed as a result of the breach and whether there are any indicators that require further action, said Claude Mandy, chief evangelist of data security at security firm Symmetry Systems.

"Organizations in healthcare sector will obviously be on high alert as a result of the continued targeting of healthcare, but organizations with ties to the impacted parties should be proactively investigating any activity and rotating potentially compromised credentials," he said.

The common thread that connects many attacks in the healthcare sector is the perception of those organizations by threat actors as "easy pickings" compared to other sectors, said Bud Broomhead, CEO at security firm Viakoo. That is in part due to healthcare's extensive use of IoT devices and applications, its highly complex environment with many visitors and contractors, and IT resources that historically have been stretched thin, he said.

"The key lessons for organizations doing business with healthcare organizations is to follow best practices around vendor and supply chain management: Perform cyber audits and surveys to understand the security posture of the organization you’re working with, ensure they have a timely communications policy in case of breach, and prioritize security scores in making vendor selection," he said.

*Update: Feb. 29, 2024 UTC 18:12 to reflect Optum's confirmation that the attack on Change Healthcare was carried out by BlackCat.

**Update: Feb. 29, 2024 UTC 18:14 to include HHS' statement.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.