
US Government Warns of BlackCat Ransomware Resurgence in Healthcare Sector

The healthcare sector in the United States is currently facing a resurgence of BlackCat attacks, also known as ALPHV. The U.S. issued an updated advisory warning about this development, stating that since mid-December 2023, almost 70 leaked victims have been reported, with the healthcare sector being the most commonly victimized. The reason for this is a post by the ALPHV/BlackCat administrator that encouraged its affiliates to target hospitals after operational action was taken against the group and its infrastructure in early December 2023.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) have jointly released this alert. While BlackCat suffered a significant setback last year, following a coordinated enforcement operation that resulted in the seizure of its dark web leak sites, the group has regained control of these sites and has even switched to a new active TOR data leak portal.

BlackCat has also been targeting critical infrastructure organizations recently, claiming responsibility for attacks on Prudential Financial, LoanDepot, Trans-Northern Pipelines, and UnitedHealth Group subsidiary Optum. As a result, the U.S. has announced financial rewards of up to $15 million for information leading to identifying key members and affiliates of this e-crime group.

Furthermore, BlackCat's ransomware spree coincides with the return of LockBit after similar disruption efforts led by the U.K. National Crime Agency (NCA) last week. According to a report from S.C. Magazine, threat actors breached Optum's network by leveraging the recently disclosed critical security flaws in ConnectWise's remote desktop and access software.

Censys, an attack surface management firm, has stated that it has observed no fewer than 3,400 exposed, potentially vulnerable hosts online, with the majority of them located in the U.S., Canada, the U.K., Australia, Germany, France, India, the Netherlands, Turkey, and Ireland. Remote access software of this kind remains a prime target for threat actors.

In addition to the above, ransomware groups like RansomHouse, Rhysida, and a Phobos variant called Backmydata have continued to compromise various organizations in the U.S., U.K., Europe, and the Middle East. These cybercrime groups are shifting to more nuanced and sophisticated tactics, such as selling direct network access via their blogs, Telegram channels, or data leak websites as a new monetization method.

Moreover, RansomHouse has developed a custom tool dubbed MrAgent to deploy the file-encrypting malware at scale. The tool is a binary designed to run on VMware ESXi hypervisors. It is intended to automate and track the deployment of ransomware across large environments with a high number of hypervisor systems.

Finally, the public release of a Linux-specific, C-based ransomware threat known as Kryptina has raised concerns. The threat surfaced in December 2023 on underground forums and has since been made available for free on BreachForums by its creator. The release of the RaaS source code, complete with extensive documentation, could have significant implications for the spread and impact of ransomware attacks against Linux systems. It will likely increase the ransomware builder's attractiveness and usability, drawing more low-skilled participants to the cybercrime ecosystem.


Deitasoft © 2024. All Rights Reserved.