Last Week in Ransomware: 03.11.2024

Written by
Halcyon Team
Published on
Mar 11, 2024

Last week in ransomware news we saw the FBI alert on Phobos attacks, BlackCat/ALPHV gets a $22 million payday, and Lurie Children's Hospital data sold on the black market...

Phobos Targets U.S. Critical Infrastructure

The FBI, in collaboration with CISA and MS-ISAC, has issued a joint advisory alerting about the increasing threat posed by Phobos ransomware targeting critical infrastructure and government entities across the United States.

The advisory highlights the significant financial impact of these attacks, with Phobos operators successfully extorting several million dollars from various sectors, including municipal services, emergency response, education, public healthcare, and critical infrastructure.

The advisory provides detailed insights into the modus operandi of Phobos ransomware attacks, outlining various tactics, techniques, and procedures (TTPs) employed by the threat actors. These include initial infection vectors, credential theft, privilege escalation, lateral movement within networks, data exfiltration, and the destruction of network backups.

A notable aspect of Phobos attacks is the utilization of data exfiltration as a central strategy, increasing the likelihood of successful extortion. The tactic of double extortion, where sensitive data is exfiltrated before encryption and used as leverage for additional ransom demands, has become prevalent among ransomware operators. This evolution in extortion tactics complicates the traditional approach of restoring from backups or accepting data loss as an outcome.

Furthermore, Phobos operators employ sophisticated methods to hinder recovery efforts, such as using legitimate network tools to delete backup files and prevent victims from restoring their systems. Despite claims of rollback features by some security vendors, the reality is that restoring from shadow copies can be challenging, especially when backups are targeted and deleted during the attack.

To effectively combat Phobos and similar ransomware threats, early detection of precursor activities is crucial. Detecting signs of credential brute-forcing, data exfiltration attempts, and other early-stage TTPs can enable organizations to intervene before the ransomware payload is deployed, thereby minimizing the impact and disruption caused by these attacks.
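As an added illustration (not part of the advisory or this post), the snippet below runs two precursor checks over constructed endpoint and authentication records: shadow-copy and backup-catalog deletion through built-in Windows tools, and bursts of failed logons that suggest credential brute-forcing. The event schema, the specific tool names, and the thresholds are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed command patterns for built-in Windows tools abused to destroy
# recovery points (the advisory text says "legitimate network tools"; these
# specific tool names are this example's assumption, not the advisory's).
BACKUP_TAMPER = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

def detect_backup_tampering(events):
    """Return (host, cmd) for process-creation events matching a tamper pattern."""
    return [(e["host"], e["cmd"]) for e in events
            if e["type"] == "process"
            and any(p.search(e["cmd"]) for p in BACKUP_TAMPER)]

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return source IPs with >= threshold failed logons inside `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "logon" and e["status"] == "failure":
            by_src[e["src"]].append(datetime.fromisoformat(e["ts"]))
    flagged = []
    for src, times in by_src.items():
        times.sort()
        # Sliding window: any `threshold` consecutive failures inside `window`.
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(src)
    return sorted(flagged)

# Constructed sample telemetry (assumed schema; not real data).
def _fail(ts, src):
    return {"type": "logon", "ts": ts, "src": src, "status": "failure"}

SAMPLE_EVENTS = [_fail(f"2024-03-04T02:00:{s:02d}", "203.0.113.7") for s in (5, 17, 29, 41, 53)] + [
    _fail("2024-03-04T02:10:00", "198.51.100.9"),   # two isolated failures: benign
    _fail("2024-03-04T03:40:00", "198.51.100.9"),
    {"type": "process", "host": "FS01", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "host": "FS01", "cmd": "vssadmin.exe list shadows"},  # read-only, no hit
    {"type": "process", "host": "WS12", "cmd": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    print("backup tampering:", detect_backup_tampering(SAMPLE_EVENTS))
    print("brute-force sources:", detect_bruteforce(SAMPLE_EVENTS))
```

Either hit on a file server ahead of any encryption activity is the point at which the text suggests intervening; in practice the same logic would be fed from a SIEM or EDR process and logon feeds rather than an inline list.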

The advisory underscores the urgent need for enhanced cybersecurity measures to protect critical infrastructure and government services from the growing menace of ransomware attacks. Timely detection, mitigation of precursor activities, and robust backup strategies are essential components of resilience against evolving ransomware threats like Phobos.


BlackCat/ALPHV $22 Million Payday

The recent ransomware attack on Change Healthcare, the largest healthcare payment processor in the US, has garnered attention due to a $22 million Bitcoin transaction potentially linked to the BlackCat/ALPHV ransomware gang. This attack, which disrupted the distribution of prescription drugs nationwide, has been described as one of the most serious incidents targeting a US healthcare organization.

The transaction, detected on March 1, involved 350 bitcoins transferred to an ALPHV-controlled address, suggesting a substantial ransom payment. An affiliate of ALPHV later confirmed the payment on a cybercriminal forum, alleging that they had been cheated out of their share, citing the Bitcoin transaction as evidence.

Although Change Healthcare has not directly confirmed paying the ransom, their focus remains on the investigation. The incident underscores the lucrative nature of ransomware attacks, with each payment emboldening attackers to strike again.

While law enforcement and experts advise against paying ransoms to discourage further attacks, the situation becomes complex for organizations like healthcare providers. The urgency of restoring systems to avoid risks to human life complicates the decision-making process.

Ransomware attacks on healthcare providers not only disrupt operations but also potentially lead to negative patient outcomes. However, paying ransoms fuels the cycle of attacks, posing long-term risks to patient safety.

Despite the urgency of the situation, the root cause of the problem lies in the vulnerability of systems to attacks. Preventing successful attacks would render the ransom payment debate irrelevant.

The healthcare sector faces significant challenges in balancing financial considerations with patient safety amidst ransomware attacks. Addressing systemic vulnerabilities and adopting robust cybersecurity measures are essential to mitigate the risk posed by ransomware threats.

Additionally, a more comprehensive response from government authorities is necessary to safeguard critical infrastructure providers like healthcare organizations from such attacks.


BlackCat/ALPHV Exit Scam

The ALPHV/BlackCat ransomware gang has allegedly shut down its operations and taken servers offline, sparking accusations of an exit scam that deprived affiliate attackers of their share of a purported $22 million ransom from Change Healthcare. The shutdown of negotiation sites indicates a deliberate move to dismantle the gang's infrastructure.

The possibility of an exit scam comes amid reports of law enforcement pressure on the group, including website outages and a $15 million bounty for information leading to the operators. Despite initial setbacks, the gang resurfaced and claimed responsibility for various attacks, culminating in the Change Healthcare incident.

The $22 million Bitcoin transaction linked to the Change Healthcare attack has raised suspicions that the gang may have profited substantially. The potential exit scam suggests an attempt by the platform operators to abscond with the ransom funds, leaving affiliates empty-handed.

Ransomware operates as a business model, resembling legitimate SaaS companies, with RaaS platforms providing tools and support to affiliate attackers. The breakdown of trust resulting from the alleged exit scam could have far-reaching implications, affecting not only affiliates but also other RaaS providers.

High-profile exit scams like this may undermine victim confidence and contribute to the demise of the RaaS model. While the debate over banning ransom payments continues, the breakdown of trust within the ransomware ecosystem could ultimately reduce the pool of potential attackers, albeit not eliminating ransomware threats entirely.


Lurie Children’s Hospital Data Sold

The Rhysida ransomware gang has reportedly sold sensitive data stolen from Lurie Children's Hospital in Chicago for $3.4 million after a February attack.

Lurie Children's, a prominent pediatric healthcare provider in the US Midwest, treats hundreds of thousands of sick children annually, specializing in childhood cancer and blood disorders. The attack caused significant disruptions to the hospital's systems, leading to delays in treating life-threatening illnesses.

Despite the severity of the attack and its implications for patient care, ransomware threats against healthcare systems are not receiving the attention they deserve. Criminal groups exploit the urgency of patient care to demand exorbitant ransoms, putting pressure on organizations to pay up or risk further delays in treatment.

Recent incidents, such as the $22 million ransomware attack on Change Healthcare, the largest healthcare payment processor in the US, highlight the growing impact of ransomware on patient care. American Hospital Association CEO Rick Pollack described the attack as one of the most serious incidents targeting a US healthcare organization, emphasizing the need for urgent action.

Studies have shown a direct correlation between ransomware attacks and increased patient mortality, with disruptions to patient care and data exfiltration exacerbating complications in medical procedures. Incidents like the Prospect Medical Holdings attack, which forced emergency room suspensions and ambulance diversions, underscore the severity of the situation.

Despite the clear threat posed by ransomware attacks on healthcare providers, current response measures have proven inadequate. Legal actions against attackers often fail to deter future attacks, leaving healthcare systems vulnerable to repeated incidents.

Addressing ransomware threats in the healthcare sector requires a comprehensive approach that goes beyond law enforcement's traditional role. Designating healthcare providers as critical infrastructure and implementing offensive measures could strengthen collective response efforts and deter future attacks.

The current approach to combating ransomware attacks has been ineffective, allowing attackers to operate with impunity. To safeguard national security and protect patient care, urgent action is needed to enhance response options and mitigate the growing threat of ransomware in the healthcare sector.
