Alphv/BlackCat attacking hospitals following FBI takedown

The Alphv/BlackCat ransomware gang has aggressively targeted healthcare institutions such as hospitals since its takedown at the hands of the FBI late last year, according to a CISA advisory.

The U.S. Department of Justice announced on Dec. 19 a coordinated disruption effort against Alphv/BlackCat, a prolific ransomware as a service (RaaS) gang that has claimed responsibility for several high-profile attacks, such as the devastating one suffered by gaming giant MGM Resorts. The takedown operation was led by the FBI and featured collaboration with Europol as well as law enforcement agencies in nations such as Germany, Spain, the United Kingdom, Australia and others.

As part of the operation, the FBI -- with help from an informant -- seized multiple websites operated by the gang and developed a decryption tool.

But while the action disrupted the RaaS operation, the gang's activities have continued. On Tuesday, CISA published an advisory warning that since mid-December, the healthcare sector has been the most commonly victimized among Alphv/BlackCat's nearly 70 leaked victims. "This is likely in response to the ALPHV Blackcat administrator's post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023," the advisory update read.

In addition to warning of the threat posed to healthcare organizations, the CISA advisory included new information about the gang's tactics and techniques. Alphv/BlackCat actors collect open source research on a target company and use "advanced social engineering techniques" to gain initial access, posing as IT support or help desk personnel through phone calls and text messages.

"After gaining access to a victim network, ALPHV Blackcat affiliates deploy remote access software such as AnyDesk, Mega sync, and Splashtop in preparation of data exfiltration. ALPHV Blackcat affiliates create a user account, 'aadmin,' and use Kerberos token generation for domain access," CISA said.

TechTarget Editorial asked CISA if two widely targeted flaws in remote access software ConnectWise ScreenConnect, CVE-2024-1709 and CVE-2024-1708, were used in recent attacks. The agency has not provided commentary at press time.

The update follows a ransomware attack disclosed last week by healthcare payment software giant Change Healthcare -- an attack that has caused service disruptions to healthcare providers such as pharmacies across the U.S. Alphv/BlackCat on Wednesday listed Change Healthcare on its data leak site. In an accompanying post, the gang denied claims that it used recent ConnectWise ScreenConnect flaws and said it had obtained sensitive data for healthcare giants including CVS CareMark, MetLife, Medicare and others.

#Alphv has listed Change Healthcare, and denies have used #ConnectWise. #ransomware pic.twitter.com/Mr5dr1Km4o

— Brett Callow (@BrettCallow) February 28, 2024

Rafe Pilling, director of threat research for the counter threat unit at Secureworks, told TechTarget Editorial that current attacks are likely a response to Alphv/BlackCat saying it would target hospitals and critical infrastructure following the FBI disruption.

"The attacks we're seeing are likely a response to that incitement, with hospitals being easier targets, both to attack and to coerce, than other forms of critical infrastructure," Pilling said. "However, we have seen pushback in underground forums against threat actors trying to sell access to hospitals and healthcare facilities, so while BlackCat's moral compass may be firmly broken, others do not agree with their position."

Paul Dant, senior director of cybersecurity strategy and research at security vendor Illumio, echoed Pilling's comments about hospitals being easy targets.

"Hospitals tend to have extremely flat networks. They run old software that can't be patched without serious disruption," Dant told TechTarget Editorial in an email. "They tend to have very limited IT/security budgets, which means they're lacking manpower and skills. And shared accounts on systems are (still) a big thing in hospitals, making compromise and subsequent lateral movement easy."

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.