Healthcare businesses have been known to be the target of highly sophisticated ransomware attacks like LockBit 3.0 and BlackCat.
Two new analyst notes from the HHS Health Sector Cybersecurity Coordination Center (HC3) describe the strategies and signs of compromise for LockBit 3.0 and BlackCat. The healthcare industry has been targeted by the BlackCat ransomware variant and the LockBit ransomware family.
Healthcare organisations should exercise caution and implement suggested risk mitigations.
LOCKBIT 3.0
The most recent version of the LockBit ransomware family, which has been attacking businesses since at least September 2019, is LockBit 3.0. Numerous alerts and analyst comments about LockBit have been provided by HC3 and the Federal Bureau of Investigation (FBI).
A dual citizen of Canada and Russia was recently prosecuted by the Department of Justice (DOJ) for allegedly taking part in the LockBit ransomware campaign around the world.
According to the analyst report, LockBit 3.0, also known as LockBit Black, was first identified in June 2022 using a novel triple extortion methodology as opposed to its customary double extortion strategy. Threat actors frequently demand money to decrypt data, threaten to reveal sensitive information, and demand payment from their victims in exchange for the release of their sensitive data. The ransomware-as-a-service (RaaS) business model is used by LockBit.
LockBit 3.0 attacks have been reported against the Healthcare and Public Healthcare (HPH) sector, according to HC3. LockBit 3.0 should be viewed as a danger to the HPH sector because ransomware has historically targeted the healthcare industry.
Security researchers and analysts have found LockBit 3.0 to be challenging, in large part because the malware occasionally requests a different 32-character password each time it is activated, “providing it anti-analysis features,” according to HC3.
The threat actor has occasionally provided screenshots as confirmation that the network has been hacked in the HPH sector, and he or she has threatened to disclose the stolen data after a predetermined period of time, according to the analyst note.
In addition to advising the healthcare industry to protect itself from phishing and remote desktop protocol (RDP) attacks, HC3 provided links to security research with in-depth indicators of compromise.
BLACKCAT
A extremely sophisticated ransomware strain that has been active since November 2021 and uses a RaaS model is called BlackCat, also known as ALPHV or Noberus. Researchers think that the famed REvil, BlackMatter, and Darkside ransomware operators have been succeeded by BlackCat.
The analyst report said, “It is very capable and is thought to be managed by persons with significant experience as cybercriminals, who have extensive ties with other key actors within the cybercriminal ecosystem.
The healthcare and public health (HPH) industry has reportedly been targeted by BlackCat, and this is likely to continue. The HPH should take this issue seriously and implement the necessary defensive and mitigating measures to safeguard its infrastructure.
BlackCat poses a significant and dynamic threat to potential victims because to its great degree of customizability and ongoing improvement. One of the more adaptable ransomware operations in the globe, according to HC3, was this variation.
According to experts, “like all ransomware-as-a-service (RaaS) operations, the BlackCat operators hire affiliates to carry out corporate hacks and encrypt devices, while keeping control of code development and maintenance for themselves.”
BlackCat can be set up to use DotPattern, Fast, SmartPattern, or full file encryption. In order to spread ransomware, BlackCat can also be configured with domain credentials.
The FBI and HC3 advised enterprises to use mitigations including network segmentation and multifactor authentication to guard against common attack vectors. Additionally, businesses should audit user accounts with administrator rights, block unnecessary remote access, and check antivirus records.
