Change Healthcare says it has notified approximately 100 million Americans that their personal, financial and healthcare records may have been stolen in a February 2024 ransomware attack that caused the largest ever known data breach of protected health information.

Image: Tamer Tuncay, Shutterstock.com.

A ransomware attack at Change Healthcare in the third week of February quickly spawned disruptions across the U.S. healthcare system that reverberated for months, thanks to the company’s central role in processing payments and prescriptions on behalf of thousands of organizations.

In April, Change estimated the breach would affect a “substantial proportion of people in America.” On Oct 22, the healthcare giant notified the U.S. Department of Health and Human Services (HHS) that “approximately 100 million notices have been sent regarding this breach.”

A notification letter from Change Healthcare said the breach involved the theft of:

- Health Data: Medical record #s, doctors, diagnoses, medicines, test results, images, care and treatment;
- Billing Records: Records including payment cards, financial and banking records;
- Personal Data: Social Security number; driver’s license or state ID number;
- Insurance Data: Health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.

The HIPAA Journal reports that in the nine months ending on September 30, 2024, Change’s parent firm United Health Group had incurred $1.521 billion in direct breach response costs, and $2.457 billion in total cyberattack impacts.

Those costs include $22 million the company admitted to paying their extortionists — a ransomware group known as BlackCat and ALPHV — in exchange for a promise to destroy the stolen healthcare data.

That ransom payment went sideways when the affiliate who gave BlackCat access to Change’s network said the crime gang had cheated them out of their share of the ransom. The entire BlackCat ransomware operation shut down after that, absconding with all of the money still owed to affiliates who were hired to install their ransomware.

A breach notification from Change Healthcare.

A few days after BlackCat imploded, the same stolen healthcare data was offered for sale by a competing ransomware affiliate group called RansomHub.

“Affected insurance providers can contact us to prevent leaking of their own data and [remove it] from the sale,” RansomHub’s victim shaming blog announced on April 16. “Change Health and United Health processing of sensitive data for all of these companies is just something unbelievable. For most US individuals out there doubting us, we probably have your personal data.”

It remains unclear if RansomHub ever sold the stolen healthcare data. The chief information security officer for a large academic healthcare system affected by the breach told KrebsOnSecurity they participated in a call with the FBI and were told a third party partner managed to recover at least four terabytes of data that was exfiltrated from Change by the cybercriminal group. The FBI did not respond to a request for comment.

Change Healthcare’s breach notification letter offers recipients two years of credit monitoring and identity theft protection services from a company called IDX. In the section of the missive titled “Why did this happen?,” Change shared only that “a cybercriminal accessed our computer system without our permission.”

But in June 2024 testimony to the Senate Finance Committee, it emerged that the intruders had stolen or purchased credentials for a Citrix portal used for remote access, and that no multi-factor authentication was required for that account.

Last month, Sens. Mark Warner (D-Va.) and Ron Wyden (D-Ore.) introduced a bill that would require HHS to develop and enforce a set of tough minimum cybersecurity standards for healthcare providers, health plans, clearinghouses and business associates. The measure also would remove the existing cap on fines under the Health Insurance Portability and Accountability Act, which severely limits the financial penalties HHS can issue against providers.

According to the HIPAA Journal, the biggest penalty imposed to date for a HIPAA violation was the paltry $16 million fine against the insurer Anthem Inc., which suffered a data breach in 2015 affecting 78.8 million individuals. Anthem reported revenues of around $80 billion in 2015.

A post about the Change breach from RansomHub on April 8, 2024. Image: Darkbeast, ke-la.com.

There is little that victims of this breach can do about the compromise of their healthcare records. However, because the data exposed includes more than enough information for identity thieves to do their thing, it would be prudent to place a security freeze on your credit file and on that of your family members if you haven’t already.

The best mechanism for preventing identity thieves from creating new accounts in your name is to freeze your credit file with Equifax, Experian, and TransUnion. This process is now free for all Americans, and simply blocks potential creditors from viewing your credit file. Parents and guardians can now also freeze the credit files for their children or dependents.

Since very few creditors are willing to grant new lines of credit without being able to determine how risky it is to do so, freezing your credit file with the Big Three is a great way to stymie all sorts of ID theft shenanigans. Having a freeze in place does nothing to prevent you from using existing lines of credit you may already have, such as credit cards, mortgage and bank accounts. When and if you ever do need to allow access to your credit file — such as when applying for a loan or new credit card — you will need to lift or temporarily thaw the freeze in advance with one or more of the bureaus.

All three bureaus allow users to place a freeze electronically after creating an account, but all of them try to steer consumers away from enacting a freeze. Instead, the bureaus are hoping consumers will opt for their confusingly named “credit lock” services, which accomplish the same result but allow the bureaus to continue selling access to your file to select partners.

If you haven’t done so in a while, now would be an excellent time to review your credit file for any mischief or errors. By law, everyone is entitled to one free credit report every 12 months from each of the three credit reporting agencies. But the Federal Trade Commission notes that the big three bureaus have permanently extended a program enacted in 2020 that lets you check your credit report at each of the agencies once a week for free.

APT29 moves from Government infrastructure towards Cloud Service Providers

APT29, also known as Midnight Blizzard or Cozy Bear and associated with Russian intelligence, appears to have shifted its approach from targeting government infrastructure to focusing on cloud service providers. This strategic shift is driven by the increased pressure from law enforcement on intrusions into government systems. Cloud services offer a more lucrative avenue for malicious actors, since compromising a single provider can have far-reaching consequences, such as impacting global supply chains, as seen in incidents like SolarWinds and the recent MOVEit file transfer software breach.

BlackCat Claims Responsibility for Pharmacy Prescription Delays

Following a recent disruption to Change Health’s IT infrastructure, resulting in halted prescription deliveries to numerous pharmacies, the ransomware gang BlackCat, also known as ALPHV, has asserted control over the servers of both Change Health and United Health’s Optum subsidiary. They are demanding $13 million in exchange for decrypting the compromised data. Mandiant, the cybersecurity arm of Google’s parent company Alphabet Inc., has been engaged to investigate the breach and assist the affected pharmaceutical companies in resolving the situation.

Cyber Attack on the Royal Canadian Mounted Police

The Royal Canadian Mounted Police (RCMP) has confirmed an ongoing investigation into a cyber incident affecting its computer network, resulting in the RCMP website being inaccessible for the past 24 hours with an HTTP 404 error message. Visitors to the site are being redirected to a nonexistent webpage, indicating a potential cyber-attack rather than a technical error, as initially suspected.

Germany’s ThyssenKrupp falls prey to a ransomware attack

ThyssenKrupp, a German steel producing company, has reported a ransomware attack targeting its Automotive division at the onset of last week. This breach has disrupted automotive chassis production to some extent, with the full extent of the damage yet to be determined. While investigations are ongoing, suspicions point towards a ransomware-based cyber-attack as the cause of the breach.

Google’s AI Cyber Defense Gains Momentum

Numerous Fortune 500 companies have expressed interest in Google’s latest AI Cyber Defense initiative, aimed at revolutionizing the cybersecurity landscape through the integration of artificial intelligence. This initiative seeks to address the Defender’s Dilemma by proactively enhancing security postures in alignment with evolving threats. Reports indicate that out of 70 prospects, 35 have shown interest in Google’s initiative, with an additional 13 expected to follow suit by May of this year.

The post Trending Cyber Attack news headlines on Google appeared first on Cybersecurity Insiders.

The Department of State, in its ongoing efforts to combat cybercrime, has announced a $10 million reward for information leading to the apprehension of ALPHV, also known as the Blackcat Ransomware Gang. This significant bounty underscores the severity of the threat posed by such criminal organizations.

In addition to targeting the leaders of the Blackcat Gang, the Department of State is prepared to offer rewards for information regarding their affiliates, access brokers, and other associates. These rewards are part of the US Transnational Organized Crime Rewards Program, which has disbursed over $135 million since its inception in 1986 to combat various forms of criminal activity, including cybercrime, narcotics trafficking, and child exploitation.

The decision to announce this reward comes in the wake of findings by the FBI linking the Blackcat Gang to more than 60 data breaches worldwide. These breaches involve the theft of sensitive information from servers, which is then encrypted by the hackers until a ransom in cryptocurrency is paid. It is estimated that the gang may have collected as much as $300 million in ransom payments from over 1,000 victims between December 2022 and September of the following year, with projections indicating a potential doubling of these figures in the current year.

Despite the efforts of law enforcement agencies, apprehending such criminals presents significant challenges. Many operate from foreign jurisdictions, utilizing virtual private networks (VPNs) to conceal their online activities. Even when their whereabouts are identified, legal barriers in their home countries often impede extradition efforts.

Russia, for instance, has offered limited cooperation with American cybercrime investigators, with instances of disavowal being more common. Similarly, countries like China, North Korea, and Iran typically refrain from supporting international law enforcement efforts, exacerbating the difficulty of apprehending cybercriminals.

Furthermore, these criminal enterprises not only pose a direct threat through their cyber-attacks but also contribute to the funding of illicit activities, including nuclear proliferation efforts. The example of North Korean leader Kim Jong Un’s regime highlights the intersection of cybercrime and geopolitical instability, underscoring the urgent need for international cooperation in combating this growing threat to global security.

The post US State Department offers $10m reward on leads on ALPHV aka Blackcat ransomware appeared first on Cybersecurity Insiders.

In 2023, the BlackCat ransomware group, also known as ALPHV, achieved remarkable success by accumulating nearly $700 million through the encryption of databases. Among its victims were three Fortune 500 companies, numerous financial institutions, and businesses in the hospitality sector, including MGM Resorts International, Tipalti, MeridianLink, Fidelity National Finance, Air Comm Corp, Fu Yu Corp, and Seiko.

For those seeking effective strategies to intelligently mitigate the risks associated with the BlackCat ransomware, here are key takeaways:

Employee Training: Investing in employee training is crucial for enhancing their ability to defend against phishing attempts and other social engineering threats, which often serve as entry points for file-encrypting malware.

Layered Security Approach: Implementing a comprehensive layered security approach involves deploying network security, application security tools, data encryption at rest and in motion, and endpoint protection in IT environments. This multi-faceted approach helps fortify defenses against such attacks.

Zero Trust Framework: Deploying a zero-trust environment enables organizations to closely monitor every user and device connecting to the network, allowing access only to authenticated users and enhancing overall security.

Network Testing: Regularly conducting penetration tests is vital for detecting anomalies in the network that could be exploited by ALPHV criminals. Identifying vulnerabilities proactively is key to preventing potential breaches.

Incident Response Plan: Establishing an incident response team or, at the very least, having a well-defined plan in place facilitates swift recovery from any cyber incident. This proactive approach minimizes downtime and mitigates financial losses.

Backup and Recovery: Implementing a robust data backup plan that can be activated as needed proves invaluable in the event of an attack, providing a means to restore essential data and systems.

Threat Intelligence: Despite cost-cutting measures in the face of economic challenges, maintaining in-house expertise or having access to a team of forensic experts is crucial. This ensures swift procedural and recovery measures in the aftermath of a cyber-attack, minimizing losses and facilitating a quicker return to normal operations.

The post How to smartly tackle BlackCat Ransomware group appeared first on Cybersecurity Insiders.

It’s widely known that the Rhysida ransomware gang successfully infiltrated the servers of Insomniac, a company specializing in X-Men game development, including the Wolverine series co-developed with Sony Inc. The gang stole crucial data files, totaling 1.67 terabytes, and is now substantiating its breach claim by gradually releasing the information. Despite not receiving the demanded 50 bitcoins or $2 million, the group has opted to release the stolen data in installments by the year-end, indicating a willingness to sell the information to the highest bidder. The FBI is actively monitoring these developments and is in the process of creating a free decryption tool.

In a contrasting scenario, another ransomware gang, BlackCat, faced a setback when the US Department of Justice directed the FBI to seize its dark web-based URL. BlackCat, also known as ALPHV, managed to regain control of its website and is now demanding a minimum of $4.5 million from its 500-plus victims worldwide. The group plans to double the ransom amount as law enforcement agencies intensify their efforts. In response, the FBI, collaborating with US CERT, has instructed developers to create a free decryption tool for the victims by early January 2024.

HCL Technologies, an IT company specializing in software, made headlines as it experienced a business downgrade by Kotak Institutional Equities due to a ransomware attack. The company’s failure to safeguard customer data led to these business challenges. Despite the malware infecting its cloud environment, HCL Technologies has isolated the threat and is implementing measures outlined in its efficient disaster recovery plan to mitigate risks.

Kaspersky, a Russian-based cybersecurity firm, has identified the Akira Ransomware criminals expanding their global impact by targeting Windows and Linux systems worldwide. Notably, the criminal group has extended its reach to MacOS, considered one of the most secure OS environments provided by Apple Inc. During the holiday season, the threat level has escalated significantly, with cybercriminal gangs engaging in double and triple extortion schemes to secure monetary gains.

The post Ransomware news on FBI, BlackCat, and Game plan release appeared first on Cybersecurity Insiders.

In a groundbreaking development in the realm of ransomware, ALPHV, also known as BlackCat, has taken an unprecedented step by filing a complaint with the Securities and Exchange Commission (SEC) against a victim who failed to adhere to the stipulated rule mandating disclosure of a cyber attack within a 4-day timeframe.

The targeted victim in this case is MeridianLink, a trading company specializing in providing tech solutions to financial institutions and banks. BlackCat’s recent action indicates an alarming escalation in the tactics employed by cybercriminals, as they venture into publicly shaming their victims. Previously, ransomware groups typically resorted to tactics such as encrypting a victim’s database until a ransom was paid. Subsequently, they elevated their extortion methods by stealing sensitive data and issuing threats to release or sell it, applying pressure on the victim. A further tactic involved threatening to damage the victim’s reputation among competitors, partners, or customers. Now, these criminal entities seem to have reached a new low by formally filing a complaint with the SEC against their victim.

The SEC, however, systematically reviews such complaints, scrutinizing the technical aspects while assessing the credibility of the entity filing the complaint. And in this case, the SEC will collaborate with law enforcement agencies to appropriately address the situation.

ALPHV underscored its audacious move by publishing a screenshot of the complaint form submitted on the SEC website in a public Telegram channel.

In response, MeridianLink has acknowledged the authenticity of the data breach news and has expressed its intention to seek assistance from law enforcement in addressing the matter. Nevertheless, the company has yet to disclose specific details about the breach, including the timing of the cyber attack, when it was identified, and the extent of data loss.

The post ALPHV Ransomware gang files SEC Complaint against a victim appeared first on Cybersecurity Insiders.