US healthcare alerted against BlackCat amid targeted attacks

The ALPHV ransomware gang, also known as BlackCat, is targeting US healthcare systems, according to a joint cybersecurity advisory from the FBI, CISA, and the Department of Health and Human Services (HHS).

The advisory, published as part of the #StopRansomware effort that issues advisories on various ransomware variants and actors, also details new TTPs the group has adopted since resuming operations after a global law enforcement takedown in Dec 2023.

Retooling with improved infection and evasion

BlackCat, also tracked as Noberus, is a Russia-based threat actor group that primarily operates a ransomware-as-a-service (RaaS) model; its ransomware is written in the Rust programming language. The group first surfaced in Nov 2021 as a possible rebranding of DarkSide, the ransomware actor responsible for the Aug 2020 cyberattack on Georgia-based Colonial Pipeline.

The gang, known to use social engineering techniques and open source research on a company to gain initial access, is likely using the actively exploited, critical ScreenConnect authentication bypass vulnerability as a new infection method, the advisory’s indicators of compromise (IOCs) indicate.

“After gaining access to a victim network, ALPHV Blackcat affiliates deploy remote access software such as AnyDesk, Mega sync, and Splashtop in preparation of data exfiltration,” the advisory said. “ALPHV Blackcat affiliates claim to use Brute Ratel C4 and Cobalt Strike as beacons to command and control servers. (They) also use the open-source adversary-in-the-middle attack framework Evilginx2, which allows them to obtain multifactor authentication (MFA) credentials, login credentials, and session cookies.”

After a coordinated takedown by authorities in Dec 2023, which allowed the FBI to develop a decryptor and offer it to some 500 BlackCat victims to restore their systems, the group quickly regained access to its seized servers and sites and shifted operations to a new Tor leak site.

Days after the seizure, the gang had already spun out an update to its RaaS with improved encryption and evasion features. “In February 2023, ALPHV Blackcat administrators announced the ALPHV Blackcat Ransomware 2.0 Sphynx update, which was rewritten to provide additional features to affiliates, such as better defense evasion and additional tooling,” the advisory said. “This ALPHV Blackcat update has the capability to encrypt both Windows and Linux devices, and VMWare instances.”

Healthcare most targeted

According to the advisory, the group has changed tactics and now mostly targets US healthcare systems.

“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized,” said the advisory.

“This is likely in response to the ALPHV Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”

BlackCat is reportedly responsible for the massive Change Healthcare cyberattack on Tuesday, 21 February, which has sent the UnitedHealth-owned business into a major IT shutdown and caused a significant pharmaceutical billing outage. On the same day, US pharmaceutical giant Cencora (formerly AmerisourceBergen) independently reported an attack on its IT systems in an SEC filing, adding that it did not have any “material impact on the Company’s operations.”

Previously, in January, BlackCat was blamed for an attack on NextGen Healthcare systems that allegedly involved a ransom demand of $1.5 million. The group has yet to claim any of these attacks, although it reportedly listed hacked data from the NextGen attack on its leak site momentarily before removing it entirely.

At the first sign of a compromise, the advisory recommends that organizations quarantine and re-image potentially affected hosts, provision new account credentials, and collect and review artifacts such as running processes and services, unusual authentications, and recent network connections. The advisory also shares mitigation and validation techniques to help organizations stay ahead of the threat actors.
