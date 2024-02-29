



The US government is warning of a resurgence of BlackCat (aka ALPHV) ransomware attacks targeting the healthcare sector as recently as this month.

“Since mid-December 2023, among the nearly 70 victims disclosed, the health sector has been the victim most often,” the government said in an updated notice.

“This is likely a response to the message from the ALPHV/BlackCat administrator encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”

The alert comes from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS).

The BlackCat ransomware operation suffered a major blow late last year after a coordinated law enforcement operation led to the seizure of its dark leak sites. But the takedown proved to be a failure after the group managed to regain control of the sites and move to a new TOR data leak portal which remains active to this day.

It has also intensified its attacks on critical infrastructure organizations in recent weeks, having claimed responsibility for attacks on Prudential Financial, LoanDepot, Trans-Northern Pipelines and Optum, a subsidiary of UnitedHealth Group.

The development prompted the US government to announce financial rewards of up to $15 million for information leading to the identification of key members as well as affiliates of the cybercrime group.

The BlackCat ransomware wave coincides with the return of LockBit following similar disruption efforts led by the UK's National Crime Agency (NCA) last week. Zscaler ThreatLabz said the ransomware group updated its encryptor's ransom notes with TOR URLs pointing to the new infrastructure.

According to a report from SC Magazine, malicious actors breached Optum's network by exploiting recently revealed critical security vulnerabilities in ConnectWise's ScreenConnect desktop and remote access software.

BlackCat, however, denied using the ConnectWise flaws in its attack on Optum. “For all those idiotic cyber intelligence experts, we didn't use the ConnectWise exploit as initial access, so you need to base your reports that you give to people on actual facts and not kid's speculation,” the group said.

The flaws, which allow remote code execution on sensitive systems, have been used by the ransomware gangs Black Basta and Bl00dy, as well as other malicious actors, to deliver Cobalt Strike beacons, XWorm, and remote management tools like Atera, Syncro and even another ScreenConnect client.

The massive exploitation of both vulnerabilities was also complemented by adversaries exploiting ScreenConnect and deploying a new Windows variant of KrustyLoader, which was previously spotted as part of a campaign targeting critical vulnerabilities in Ivanti Connect Secure appliances.

Attack surface management company Censys said that as of February 27, 2024, it observed as many as 3,400 potentially vulnerable ScreenConnect hosts exposed online, with the majority of them located in the United States, Canada, United Kingdom, Australia, Germany, France, India, Netherlands, Turkey and Ireland.

“It's clear that remote access software like ScreenConnect continues to be a prime target for threat actors,” said Himaja Motheram, security researcher at Censys.

These findings come as ransomware groups like RansomHouse, Rhysida, and a Phobos variant called Backmydata continue to compromise various organizations in the US, UK, Europe, and the Middle East.

In a sign that these cybercrime groups are moving toward more nuanced and sophisticated tactics, RansomHouse was discovered using a custom tool called MrAgent to deploy the file-encrypting malware on a large scale.

“MrAgent is a binary designed to run on [VMware ESXi] hypervisors, with the sole purpose of automating and tracking the deployment of ransomware in large environments with a high number of hypervisor systems,” Trellix said. Details of MrAgent were first revealed in September 2023.

Another important tactic adopted by some ransomware groups is selling direct network access as a new monetization method through their own blogs, on Telegram channels or on data leak websites, KELA said.

This also follows the public release of a Linux-specific, C-based ransomware threat known as Kryptina, which surfaced in December 2023 on underground forums and has since been made available for free on BreachForums by its creator.

“The release of RaaS source code, accompanied by comprehensive documentation, could have significant implications on the spread and impact of ransomware attacks against Linux systems,” said Jim Walter, researcher at SentinelOne.

“This is likely to increase the attractiveness and user-friendliness of the ransomware creator, attracting even more low-skilled participants into the cybercrime ecosystem. There is also a significant risk that this will lead to the development of multiple spinoffs and an increase in attacks.”

(The story was updated after publication to include additional information about the ConnectWise ScreenConnect exploit.)

