LockBit, Alphv/BlackCat highlight February ransomware activity

February was a busy month for ransomware activity, defined by large-scale threat campaigns as well as the takedown -- and comeback -- of one of the world's most prolific gangs.

February marked a continuing reversal of 2022's decline in ransomware activity. This ongoing reversal was encapsulated by an early February report from blockchain analytics firm Chainalysis. The company called 2023 a "watershed year" for ransomware and said ransomware payments reached $1.1 billion last year. 2023 also showed an expansion of ransomware as a service and big-game attacks.

Perhaps the most significant development last month was the short-lived takedown against the LockBit ransomware group, a gang that U.S. Attorney General Merrick Garland said was responsible for more than 2,000 victims and $120 million in extortion payments.

The international operation, named Operation Cronos and led by the U.K.'s National Crime Agency (NCA), was announced on Feb. 20. Law enforcement agencies arrested two suspected operators in Poland and Ukraine and seized LockBit infrastructure, including 28 servers in three countries, as well as the gang's data leak site and other websites.

Although the takedown appeared at the time to have partially dismantled LockBit, the group restored its servers and websites four days later. In a lengthy post published the same day, a LockBit administrator blamed the FBI for the hack and said the gang was targeted because it had obtained sensitive information regarding former U.S. President Donald Trump in its recent attack against Fulton County, Ga. Authorities in the county are currently pursuing criminal charges against Trump and multiple other co-defendants for allegedly trying to subvert the 2020 U.S. presidential election.

Despite LockBit's quick comeback, law enforcement might still see the operation as a success, given the fact that the NCA said it had obtained LockBit source code, "a vast amount of intelligence" and more than 1,000 ransomware decryption keys to help victims. The FBI said as much to TechTarget Editorial in a statement last week. "The opportunity to offer over a thousand victims the ability to decrypt their networks is our focus and we will continue to provide assistance to those who have been impacted," an FBI spokesperson said.

Other officials and security experts have also pointed to the operation as being irreparably harmful to the ransomware-as-a-service gang's reputation within the cybercriminal community.

In other takedown-related news, CISA said in an advisory last week that the Alphv/BlackCat ransomware gang was more aggressively targeting hospitals following the takedown it suffered at the hands of the FBI and other international law enforcement agencies, which the U.S. Department of Justice announced in December. CISA warned in its new advisory that since mid-December, the healthcare sector has been the most victimized among Alphv/BlackCat's nearly 70 attacks published on its data leak site.

CISA said the increase in healthcare focus is "likely in response to the ALPHV Blackcat administrator's post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023."

One attack Alphv/BlackCat took credit for was against healthcare payment software giant Change Healthcare; the gang listed the company on its data leak site last Wednesday. As a result of the attack, which the company is still reeling from, healthcare organizations such as pharmacies have been experiencing significant disruptions.

The ransomware gang denied claims that it used recent ConnectWise ScreenConnect flaws in the attack on Change Healthcare. In mid-February, experts sounded the alarms on two flaws affecting ConnectWise's remote software product ScreenConnect, tracked as CVE-2024-1709 and CVE-2024-1708. Reported to ConnectWise on Feb. 13, CVE-2024-1709 is a critical authentication bypass vulnerability that was designated a 10 CVSS score -- the highest severity possible. CVE-2024-1708, meanwhile, is a path traversal flaw with a CVSS score of 8.4.

Whether Alphv/BlackCat's denial is true or not, other ransomware actors have used said flaws. ConnectWise confirmed evidence of exploitation on Feb. 20, one day after the initial public disclosure.

"We received updates of compromised accounts that our incident response team have been able to investigate and confirm," the advisory read. The advisory has since removed the word confirm, though the company continues to acknowledge that threat actors are targeting the flaws.

Security vendors have since connected threat activity to ransomware gangs. Sophos X-Ops said the aforementioned LockBit group was targeting the vulnerabilities. Trend Micro, meanwhile, connected some activity to ransomware groups including Black Basta and Bl00dy. As part of related threat activity, gangs used malicious payloads and commands as well as tools such as PowerShell and Cobalt Strike to gain a foothold in victim environments.

Trend Micro researchers on Feb. 27 said immediate patching is not only advisable, but "a critical security requirement to protect your systems from these identified threats."

Alphv/BlackCat wasn't the only ransomware gang to attack healthcare targets in February. The Rhysida gang, which was first observed last year, claimed responsibility for a debilitating attack on Lurie Children's Hospital in Chicago last month. The attack disrupted services at the hospital, and Rhysida operators are looking to sell stolen healthcare data for about $3.4 million, according to a report from The Record.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.