FBI warns US healthcare sector against targeted BlackCat ransomware attacks

The US government is warning this month of the resurgence of BlackCat (also known as ALPHV) ransomware attacks targeting the healthcare sector.

“As of mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized,” the government said in an updated advisory.

“This is likely in response to the ALPHV/BlackCat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”

The advisory comes from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS).

The BlackCat ransomware operation suffered a major blow late last year after a coordinated law enforcement operation led to the seizure of its dark web leak sites. But the takedown proved short-lived: the group managed to regain control of the sites and switched to a new Tor data leak portal that remains active to this day.

It has also been targeting critical infrastructure organizations in recent weeks, claiming responsibility for attacks on Prudential Financial, LoanDepot, Trans-Northern Pipelines and UnitedHealth Group subsidiary Optum.

This development has prompted the US government to announce financial rewards of up to $15 million for information leading to the identification of key members and affiliates of the e-crime group.

BlackCat’s ransomware wave coincides with LockBit’s return after similar disruption efforts led by the UK’s National Crime Agency (NCA) last week.

According to a report from SC Magazine, threat actors breached Optum’s network by exploiting the recently disclosed critical security flaws in ConnectWise’s ScreenConnect remote desktop and access software.

The flaws, which allow remote code execution on susceptible systems, have also been weaponized by the Black Basta and Bl00dy ransomware gangs, as well as by other threat actors, to deliver Cobalt Strike Beacons, XWorm and even other remote management tools such as Atera, Syncro and another ScreenConnect client.

Attack surface management company Censys said it has observed more than 3,400 exposed, potentially vulnerable ScreenConnect hosts online, most of which are located in the US, Canada, the UK, Australia, Germany, France, India, the Netherlands, Turkey and Ireland.

“It’s clear that remote access software like ScreenConnect remains a prime target for threat actors,” said Censys security researcher Himaja Motheram.

The findings come as ransomware groups such as RansomHouse, Rhysida and a Phobos variant called Backmydata have continued to compromise various organizations in the US, the UK, Europe and the Middle East.

In a sign that these cybercrime groups are moving to more nuanced and advanced tactics, RansomHouse has developed a custom tool called MrAgent to deploy its file-encrypting malware at scale.

“MrAgent is a binary designed to run on [VMware ESXi] hypervisors, with the sole purpose of automating and tracking the deployment of ransomware across large environments with a high number of hypervisor systems,” Trellix said. Details of MrAgent first came to light in September 2023.

Another notable tactic employed by some ransomware groups is the sale of direct network access as a new method of monetization through their own blogs, Telegram channels or data leak websites, KELA said.

It also follows the public release of a Linux-specific, C-based ransomware threat known as Kryptina, which surfaced on underground forums in December 2023 and has since been made available for free on BreachForums by its creator.

“The release of the RaaS source code, complete with extensive documentation, could have significant implications for the spread and impact of ransomware attacks against Linux systems,” said SentinelOne researcher Jim Walter.

“It is likely to increase the attractiveness and usability of the ransomware builder, drawing in even more less-skilled participants to the cybercrime ecosystem. There is also a significant risk that it will lead to the development of multiple spin-offs and an increase in the number of attacks.”
