Last Week in Ransomware: 05.06.2024

Last week in ransomware news we saw State AG’s Scold UnitedHealth Group CEO, Coffee County disconnect from voter system, and FBI/CISA issue Alert on Akira ransomware...

UnitedHealth Under Legal Scrutiny

Nearly two-dozen state Attorneys General have jointly addressed the CEO of UnitedHealth Group, expressing grave concerns in the aftermath of a ransomware attack on its subsidiary, Change Healthcare, which transpired in February.  

The letter, signed by 22 Attorneys General from various states, criticizes UnitedHealth Group's response to the attack, emphasizing the need for more substantial measures to prevent further harm to the healthcare infrastructure and the patients dependent on it.

The letter details catastrophic disruptions reported by healthcare providers, pharmacies, and patients, attributing them to Change Healthcare's inadequate responses following the cyberattack.  

It highlights the jeopardy faced by healthcare entities and pharmacies within their jurisdictions, with patients experiencing disruptions in care and access to prescription drugs due to the failures of Change Healthcare.

Moreover, the Attorneys General critiqued both Change Healthcare's and UnitedHealth Group's responses to the crisis, labeling them as insufficient.  

They point out the inability of care providers to obtain timely information about breached data, ongoing cyber vulnerabilities, and the lack of support without unreasonable conditions. The letter underscores the dire consequences of the attack and urges immediate action to mitigate its effects.

The incident underscores the growing threat of ransomware attacks targeting healthcare organizations and the escalating regulatory and legal repercussions faced by company executives and boards of directors.  

The aftermath of such attacks could result in class action lawsuits, punitive regulatory actions, criminal prosecutions, and potential jail time for leadership, particularly if sensitive or regulated data is compromised.

Furthermore, the incident highlights the challenges faced by organizations in defending against ransomware attacks and navigating the punitive legal and regulatory landscape.  

It underscores the importance of material knowledge before, during, and after a security event for company officers, who may face legal or regulatory jeopardy.

With UnitedHealth Group dedicating substantial resources for ransomware attack recovery efforts, including a significant expenditure in Q1-2024 alone, the incident serves as a harbinger for increased scrutiny from regulatory bodies and shareholders, potentially leading to accountability demands from the SEC and shareholders.

READ MORE HERE

Ransomware Forces Coffee County Georgia Offline

Coffee County in Georgia took precautionary measures by disconnecting from the state's voter registration system, GARViS, following a ransomware attack reported in mid-April, prompted by a notification from the Cybersecurity and Infrastructure Security Agency (CISA).  

While there was no evidence of hackers infiltrating GARViS, the county severed its connection to the system as a preventive step. Despite being disconnected for several days, Coffee County has since restored access to GARViS using backup laptops and isolated cellular networks.

The incident highlights the multifaceted nature of ransomware attacks, which not only serve financial motives for cybercriminals but may also advance broader geopolitical agendas, favoring the interests of adversarial nations like Russia, China, Iran, and North Korea.  

Recent FBI disclosures uncovered a Chinese hacking campaign, Volt Typhoon, targeting various critical infrastructure sectors in the United States. However, Chinese officials denied government involvement, attributing the attacks to criminal ransomware groups.

The lack of distinction between cybercriminal acts and threats to national security enables attackers to exploit plausible deniability, hindering effective response measures.  

Advocates emphasize the importance of classifying certain attacks targeting critical infrastructure, healthcare, utilities, and elections as national security threats, offering broader response options, including offensive cyber capabilities and kinetic actions.

Implementing real consequences not only for ransomware operators but also for nation-states providing safe harbor or influencing attackers' targeting choices is deemed essential to deter future attacks and address geopolitical advantages gained through cyber operations.  

Without tangible repercussions, attackers will persist with impunity, exacerbating the severity of attacks while adversaries exploit geopolitical advantages under the guise of plausible deniability.

READ MORE HERE

Updated Akira Alert Issued by CISA and FBI

The FBI, CISA, Europol's EC3, and the Netherlands' NCSC-NL issued a joint alert concerning the Akira ransomware, detailing its impact on businesses and critical infrastructure across North America, Europe, and Australia since March 2023.  

As of January 1, 2024, Akira has affected over 250 organizations and accrued approximately $42 million in ransom proceeds. The agencies urge organizations to implement mitigation measures outlined in the alert to reduce the risk and severity of ransomware incidents.

Emerging in 2023, Akira is associated with the Conti gang, evidenced by similar tactics, although this connection is challenging to confirm due to the Conti code leak in 2022.  

Despite being relatively new, Akira is notably active and engages in double extortion by exfiltrating data for potential exposure or sale, in addition to encrypting files.

Akira's ransom negotiation platform includes a chat feature, and the group provides information on infection vectors to paid victims, deviating from typical ransomware practices.  

Operating a Ransomware-as-a-Service (RaaS) platform written in C++, Akira targets both Windows and Linux systems, often exploiting VPN credentials. Akira initially targeted Windows systems but later deployed a Linux variant to attack VMware ESXi virtual machines in April 2023.

The ransomware deletes Windows Shadow Volume Copies, encrypts various file types while avoiding system files, and abuses legitimate tools like PCHunter64 for evasion.  

It has also exploited vulnerabilities in Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, as well as VMware ESXi, for lateral movement.

Akira's attack volume is growing steadily, with ransom demands ranging from $200,000 to over $4 million. The healthcare sector is a primary target, though Akira has also attacked organizations in education, finance, and manufacturing.  

Notable victims include Nissan, Royal College of Physicians and Surgeons, and QuadraNet Enterprises, among others.

READ MORE HERE

‍

Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.