FBI, CISA, HHS warn of targeted ALPHV/Blackcat ransomware attacks against the healthcare sector

The FBI, CISA, and the Department of HHS warned U.S. healthcare organizations of targeted ALPHV/Blackcat ransomware attacks.

A cybersecurity alert published by the FBI, CISA, and the Department of Health and Human Services (HHS) warned U.S. healthcare organizations of targeted attacks conducted by the ALPHV/Blackcat ransomware operation.

The US agencies released a report containing IOCs and TTPs associated with the ALPHV Blackcat RaaS operation identified through law enforcement investigations conducted as recently as February 2024.

The advisory updates the FBI FLASH BlackCat/ALPHV Ransomware Indicators of Compromise released on April 19, 2022 and on December 19, 2023.

This alert is aimed at organizations in the healthcare sector because ALPHV Blackcat affiliates have been observed primarily targeting this sector.

“From mid-December 2023 onward, the healthcare sector has emerged as the most frequently targeted among the approximately 70 disclosed victims,” reads the joint advisory. “This trend is believed to be a response to the encouragement from ALPHV Blackcat administrators, who urged affiliates to focus their efforts on hospitals following operational actions against the group and its infrastructure in early December 2023.”

Government experts believe that the increase in targeted attacks against the healthcare sector is the group's response to law enforcement actions against Blackcat in early December 2023.

FBI, CISA, and HHS urge critical infrastructure organizations to implement the suggestions outlined in the Mitigations section of the report.

In February 2023, ALPHV Blackcat administrators announced the ALPHV Blackcat Ransomware 2.0 Sphynx update, which supports additional features and implements improved defense evasion capabilities. The new encryptor allows affiliates to target both Windows and Linux devices, as well as VMware instances.

The report includes Indicators of Compromise (IoCs) along with mitigation and incident response guidance.

Recently, the U.S. Department of State announced a reward of up to $10 million for information leading to the identification or location of the key figures behind the ALPHV/Blackcat ransomware operation. The US government is also offering a reward of up to $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in ALPHV/Blackcat ransomware attacks.

This additional reward is aimed at the affiliates and initial access brokers who facilitated the group's attacks.

The ALPHV/Blackcat group was the second most prolific ransomware-as-a-service operation and amassed hundreds of millions of dollars in ransom payments.

The FBI developed a decryption tool that could allow over 500 victims to recover their systems for free.

“FBI identified ALPHV/Blackcat actors as having compromised over 1,000 victim entities in the United States and elsewhere, including prominent government entities (e.g., municipal governments, defense contractors, and critical infrastructure organizations),” reads the press release. “To date, the FBI has worked with dozens of victims in the United States and internationally to disseminate a decryption tool to restore victim systems and prevent ransom demand payments of approximately $99 million.”

According to the press release published by the U.S. Department of State, ALPHV/Blackcat actors have compromised over 1,000 victim entities in the United States and elsewhere.

The BlackCat/ALPHV ransomware gang has been active since November 2021. The list of its victims is long and includes the industrial explosives manufacturer SOLAR INDUSTRIES INDIA, the US defense contractor NJVC, the gas pipeline operator Creos Luxembourg S.A., the fashion giant Moncler, Swissport, NCR, and Western Digital. The group's ransom demands range from a few tens of thousands of dollars up to tens of millions of dollars.

In a recent ALPHV/Blackcat ransomware attack, the group hit the UnitedHealth Group subsidiary Optum, leading to an outage impacting the Change Healthcare payment exchange platform.

Optum Solutions is a subsidiary of UnitedHealth Group, a leading health insurance company in the United States. Optum Solutions operates the Change Healthcare platform, which serves as a critical payment exchange platform for the US healthcare system.

Pierluigi Paganini

(SecurityAffairs – hacking, ALPHV/Blackcat ransomware)