LockBit, Conti, SunCrypt, ALPHV/BlackCat, Hive emerge as key RaaS groups targeting healthcare and public health sector

The U.S. Department of Health and Human Services (HHS) announced this week the ransomware trends observed in the healthcare and public health sector during the first quarter of this year. It also provided details on the notable ransomware techniques observed, detections for those techniques mapped to the MITRE ATT&CK framework, and appropriate mitigations and takeaways.

LockBit, Conti, SunCrypt, ALPHV/BlackCat, and Hive were the top five ransomware-as-a-service (RaaS) groups impacting the healthcare and public health sector during the first three months of this year. In February, the HHS said that it had received reports of data breaches from 578 healthcare organizations in 2021, impacting over 41.45 million individuals.

The HHS said that LockBit released a statement that it would not take a side in Russia’s invasion of Ukraine (“just business”), while Conti stated that it would side with Russia amid the invasion; Karakurt was identified as the data extortion arm of Conti. Additionally, SunCrypt gained new capabilities in 2022, although the ransomware appears to still be under development. The agency added that the ALPHV/BlackCat/Noberus ransomware is linked to BlackMatter and DarkSide and that BlackCat has sped up its encryption process, while the Nokoyawa ransomware is possibly related to Hive and Karma/Nemty.

The HHS also said that the financially motivated groups shifting to ransomware operations included FIN7 and FIN12. In the case of FIN7, the shift began at the end of 2021 and continued into 2022; ransomware variants used in connection with the group’s operations include Maze, Ryuk, and ALPHV/BlackCat.

“In April 2022, ransomware attacks conducted by FIN12 could reportedly be achieved in less than two days, compared to the previous timeframe of five days when the group was first identified,” the HHS said. “FIN12 has specifically targeted the healthcare industry; FIN12 leveraged Ryuk, Beacon, SystemBC, and Metasploit to carry out some of the most prolific intrusions seen throughout 2021,” it added. 

Additionally, Mandiant Intelligence had revealed details on the FIN12 group last October, noting that almost 20 percent of observed victims were in the healthcare industry and that several of these organizations operate healthcare facilities.

Ransomware groups also increasingly leverage legitimate tools during ransomware intrusions, the HHS said. The remote access tools identified included AnyDesk, Windows Safe Mode, Atera, ScreenConnect, and ManageEngine; the encryption tools covered Microsoft’s BitLocker, Jetico’s BestCrypt, and DiskCryptor; and the open-source tools involved Cobalt Strike, Mimikatz, AdFind, Process Hacker, and MegaSync, the agency added.
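Because every tool in that list has a legitimate use, the detection problem is telling sanctioned use from abuse rather than simply blocking the binaries. The script below is an added example (not code from the HHS or HC3 report) showing one way to operationalize the list: it scans constructed process-creation records, matches image names and a few command-line tokens against the tool families the report names, downgrades a sanctioned tool running from its expected install path, and escalates any host where two different families appear together. The executable names, the `SANCTIONED` install path, the `ProcessEvent` record layout and all sample events are assumptions made here.

```python
"""Flag dual-use tools from the HC3 Q1 2022 summary in process-creation telemetry.

Added example, not from the HHS/HC3 report. ProcessEvent is a constructed,
simplified record; map your EDR or Sysmon Event ID 1 fields onto it.
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the executable that started
    command_line: str


# Lowercase image basename -> (category, tool). Basenames are assumptions;
# verify them against the binaries in your own environment. Cobalt Strike and
# ManageEngine are deliberately absent: neither has a fixed image name, so they
# need other telemetry (service installs, network indicators) to spot.
IMAGE_TOOLS = {
    "anydesk.exe": ("remote_access", "AnyDesk"),
    "ateraagent.exe": ("remote_access", "Atera"),
    "screenconnect.clientservice.exe": ("remote_access", "ScreenConnect"),
    "bestcrypt.exe": ("encryption", "BestCrypt"),
    "dcrypt.exe": ("encryption", "DiskCryptor"),
    "mimikatz.exe": ("open_source", "Mimikatz"),
    "adfind.exe": ("open_source", "AdFind"),
    "processhacker.exe": ("open_source", "Process Hacker"),
    "megasync.exe": ("open_source", "MegaSync"),
}

# Built-in Windows binaries only become interesting with particular arguments:
# (image basename, command-line token, category, tool).
COMMAND_LINE_TOOLS = [
    ("bcdedit.exe", "safeboot", "safe_mode", "Windows Safe Mode"),
    ("manage-bde.exe", "-on", "encryption", "BitLocker"),
]

# Tools the organisation has sanctioned and the path they are deployed from
# (assumed value). A sanctioned tool running from anywhere else stays suspicious.
SANCTIONED = {
    "ScreenConnect": r"c:\program files (x86)\screenconnect client",
}

SEVERITY = {"open_source": "critical", "remote_access": "high",
            "encryption": "high", "safe_mode": "high"}


def classify(event):
    """Return a finding dict for a dual-use tool event, or None if benign."""
    base = ntpath.basename(event.image).lower()
    match = IMAGE_TOOLS.get(base)
    if match is None:
        tokens = event.command_line.lower().split()
        for image, token, category, tool in COMMAND_LINE_TOOLS:
            if base == image and token in tokens:
                match = (category, tool)
                break
    if match is None:
        return None
    category, tool = match
    severity = SEVERITY[category]
    expected_path = SANCTIONED.get(tool)
    if expected_path and event.image.lower().startswith(expected_path):
        severity = "info"   # sanctioned tool from its deployed location
    return {"host": event.host, "user": event.user, "tool": tool,
            "category": category, "severity": severity}


def scan(events):
    return [f for f in map(classify, events) if f is not None]


def escalate_hosts(findings):
    """Hosts where two or more distinct tool categories appeared (ignoring
    sanctioned use): remote access followed by encryption tooling on one host
    is the pattern the report describes, and deserves first attention."""
    seen = {}
    for f in findings:
        if f["severity"] == "info":
            continue
        seen.setdefault(f["host"], set()).add(f["category"])
    return {host for host, cats in seen.items() if len(cats) >= 2}


SAMPLE_EVENTS = [   # constructed records, not real telemetry
    ProcessEvent("ws-nurse-07", r"hph\jdoe",
                 r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe", "AnyDesk.exe --install"),
    ProcessEvent("ws-admin-01", r"hph\helpdesk",
                 r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe",
                 "ScreenConnect.ClientService.exe"),
    ProcessEvent("srv-file-02", r"hph\svc_backup",
                 r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} safeboot network"),
    ProcessEvent("srv-file-02", r"hph\svc_backup",
                 r"C:\Windows\System32\manage-bde.exe", "manage-bde -on D: -RecoveryPassword"),
    ProcessEvent("dc-01", r"hph\jdoe",
                 r"C:\Temp\AdFind.exe", "AdFind.exe -f objectcategory=computer"),
    ProcessEvent("ws-nurse-07", r"hph\jdoe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for finding in results:
        print(finding)
    print("escalate:", sorted(escalate_hosts(results)))
```

Matching on basename alone is deliberately simple: an attacker who renames a binary slips past it, so in production the same lookup should also key on file hash or signer, which most EDR telemetry carries. The escalation step is where the list earns its keep; a single AnyDesk install on a workstation is noise in many hospitals, while a Safe Mode boot change and a BitLocker enable on the same file server within one window is not.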

The HHS also identified initial access broker (IAB) trends; IABs sell network access to ransomware groups and their affiliates.

“HC3 has observed that threat actors selling network access to HPH entities worldwide on various cybercriminal forums during Q1 2022 compared to all of 2021 remains somewhat consistent,” the agency said. “More than half of forum advertisements were for general VPN/RDP access to HPH entities. About one-fourth of threat activity involved selling alleged access to compromised Citrix VPN appliances,” it added.

The COVID-19 pandemic drove organizations to accelerate adoption of remote access and cloud applications, often without implementing basic security features, the HHS said. “IABs enable RaaS groups to focus time and energy on developing payloads and coordinating operations with affiliates,” it added.

Among a host of mitigation measures announced, the HHS called upon the healthcare and public health sector to consider using the host firewall to restrict file sharing communications, adopting network intrusion detection and prevention systems that use network signatures, and using multi-factor authentication for both user and privileged accounts.

The agency also recommended configuration of access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts, and deployment of network segmentation for sensitive domains. It also advised protecting domain controllers by ensuring proper security configuration for critical servers.

Earlier this week, the Healthcare and Public Health Sector Coordinating Council (HSCC) released a checklist that provides the healthcare sector with a flexible template for operational staff and executive management to refer to when responding to extended outages brought on by cyberattacks. The document comes after the March release of a ‘Model Contract Language’ by the HSCC that provides a reference for shared cooperation and coordination between healthcare delivery organizations (HDOs) and medical device manufacturers (MDMs).
