Last Week in Ransomware: 04.15.2024

Written by
Halcyon Team
Published on
Apr 15, 2024

Last week in ransomware news, we saw RansomHub extorting Change Healthcare, security legislation proposed for the healthcare sector, and a reminder that ransomware response plans are only as good as their execution...

Legislation and Regulatory Actions on Healthcare Security

Senator Mark Warner has proposed the Health Care Cybersecurity Improvement Act, aiming to enforce minimum cybersecurity standards for healthcare providers and their technology vendors.  

The legislation, part of ongoing efforts to address the rising threat of ransomware attacks in the healthcare sector, would mandate compliance with cybersecurity best practices to qualify for emergency funds from the Centers for Medicare and Medicaid Services (CMS).  

Alongside Senator Bill Cassidy and others, Warner has been instrumental in pushing for legislative action following a surge in ransomware incidents affecting healthcare providers.

The proposal comes amidst alarming statistics revealing over 500 successful ransomware attacks on healthcare providers in recent years, impacting nearly 10,000 organizations and exposing over 52 million patient records.  

These attacks not only pose significant financial losses estimated in the tens of billions but also jeopardize patient care and safety. Studies have shown disruptions in patient care, increased mortality rates, and complications in medical procedures following ransomware attacks.  

Additionally, ransomware incidents have been linked to patient deaths, indicating a direct risk to human life. The proposed legislation seeks to mitigate the devastating impact of ransomware attacks on healthcare systems, emphasizing the urgent need for robust cybersecurity measures.

The Department of Health and Human Services (HHS) is proposing some rule changes as well, including updates to HIPAA rules and cybersecurity standards for Medicare and Medicaid participation. The Health Care Cybersecurity Improvement Act represents a crucial step towards safeguarding healthcare infrastructure and patient data from cyber threats.

In two recent episodes of the Last Month in Security Podcast, we dug into the onslaught of ransomware attacks targeting the healthcare sector and how it impacts not just operations but patient outcomes, as well as the disruptive ransomware attack on Change Healthcare.

The panel considers whether attacks on healthcare and other critical infrastructure providers could rise to the level of terrorism, and whether a terrorism designation would give us more tools to work beyond the civilian criminal justice system in combatting these attacks.


Change Healthcare Extorted Again

RansomHub, a new threat actor on the cybercrime scene, has emerged, claiming possession of data stolen from Change Healthcare, a major player in US healthcare payment processing.  

This comes after allegations that Change Healthcare paid a $22 million ransom to the BlackCat/ALPHV ransomware gang, based on a significant Bitcoin transaction.  

However, BlackCat/ALPHV is accused of defrauding their affiliates, casting doubt on the legitimacy of the payment. Now, RansomHub is attempting to extort Change Healthcare, adding another layer of complexity to the situation.

The incident underscores the risks associated with paying ransoms to cybercriminals. While it might appear as a quick solution, it often exacerbates the problem by fueling further attacks and enriching criminal enterprises.  

Moreover, there's no guarantee that paying the ransom will result in the recovery of data or prevent future attacks. Ransomware operations function akin to legitimate businesses, with sophisticated structures and services, making them formidable adversaries.

The debate over whether to pay ransoms remains contentious. Some argue for payment as a pragmatic response, while others advocate for resilience-building measures to mitigate the impact of attacks.  


Ransomware: Planning is not the Same as Preparedness

The response to a ransomware attack can determine the fate of a business, as highlighted by a recent incident where a victim company's handling of the situation was less than ideal.  

When faced with a ransom demand and the threat of data exposure, the organization failed to execute its incident response and business continuity plan effectively.  

Instead of promptly engaging in negotiations, they put the attackers on hold multiple times, leading to a bizarre and ultimately unproductive dialogue that was later posted online by the attackers.

This incident underscores the importance of not just having a plan but also executing it efficiently. Ransomware attacks can cripple businesses, disrupting daily operations, causing financial losses, and tarnishing reputations.  

The threat of data exposure adds another layer of complexity, as sensitive information becomes leverage for attackers. Beyond immediate disruptions, businesses may face legal and regulatory consequences due to data breaches, potentially leading to fines and lawsuits.

To mitigate the impact of ransomware attacks, organizations must prioritize robust cybersecurity measures. This includes patch management, data backups, access control, employee awareness training, and regular testing of incident response procedures.  

However, having these measures in place is not enough; they must be effectively communicated to all stakeholders, with clear roles and responsibilities outlined.  

Leadership should foster open communication between departments and continuously assess the effectiveness of incident response plans. Ultimately, preparedness is key.  

Organizations must ensure that all employees understand potential threats and their roles in responding to them. By integrating security into daily operations and fostering a culture of shared responsibility, businesses can better protect themselves against the growing menace of ransomware attacks.


More Focus Needs to be Paid to Data Exfiltration

A recent ransomware attack targeting Group Health Cooperative of South-Central Wisconsin (GHC-SCW), a healthcare service provider, resulted in the exfiltration of protected health information (PHI) belonging to over 533,000 individuals.  

Despite the attackers' unsuccessful attempt to encrypt GHC-SCW's network, sensitive data including names, addresses, social security numbers, and Medicare/Medicaid numbers were compromised.  

The attackers, identified as a foreign ransomware gang, notified GHC-SCW of the breach after stealing the data. Beyond the immediate operational disruptions, the incident poses significant legal and regulatory liabilities for GHC-SCW, potentially leading to regulatory fines and class action lawsuits.

This incident underscores the evolving tactics of ransomware operators, who increasingly prioritize data exfiltration to extort victims. The threat of publishing or selling stolen data intensifies the financial and reputational risks for organizations.  

While traditional ransomware attacks focused on encrypting files, modern attacks involve the theft of sensitive data, complicating recovery efforts and exposing victims to further exploitation. Early detection of attacks is crucial in mitigating the impact, as ransomware payloads are often delivered late in the attack sequence.

The incident highlights the importance of regulatory compliance and prompt reporting of data breaches to mitigate legal liabilities. Organizations must prioritize robust cybersecurity measures, including early threat detection, data protection, and incident response planning.  

By understanding the evolving tactics of ransomware operators and implementing proactive security measures, organizations can better protect themselves from the growing threat of ransomware attacks and mitigate the potential consequences of data breaches.

Halcyon is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile; see also the Recent Ransomware Attacks resource site.
