
The ALPHV/BlackCat ransomware gang is targeting the healthcare sector following its threats to retaliate against law enforcement interference, according to a joint advisory by the FBI, CISA and HHS released Tuesday.
The group claimed responsibility for a recent attack on Change Healthcare, saying it stole 6TB of data. The information reportedly stolen includes Change Healthcare solution source code and data on thousands of healthcare providers, pharmacies and insurance providers.
The joint advisory on ALPHV/BlackCat is an update to a Dec. 19 advisory that was published in conjunction with a Justice Department announcement that the FBI had disrupted the ransomware-as-a-service (RaaS) group and seized several of its websites.
ALPHV/BlackCat subsequently reclaimed its website and posted a message to its affiliates stating that, due to the FBI’s actions, it would remove its restriction on attacking critical infrastructure. The message specifically named hospitals and nuclear power plants as potential targets.
The U.S. Department of State is currently offering a $10 million reward for information on the identity and location of ALPHV/BlackCat leaders, as well as an additional $5 million for information leading to the arrest or conviction of any of the gang’s affiliates.
The group uses advanced social engineering and remote access tools. Affiliates often pose as IT technicians or helpdesk staff to obtain credentials from employees for initial access, then deploy remote access software such as AnyDesk, MEGAsync or Splashtop to assist with data exfiltration, according to the FBI and CISA.
ALPHV/BlackCat affiliates also use the open-source adversary-in-the-middle attack framework Evilginx2 to obtain MFA credentials, login credentials and session cookies from the victim’s system, and move laterally throughout networks by obtaining passwords from domain controllers, local networks and deleted backup servers, the advisory states.
The group has claimed to use the legitimate red team simulation tools Brute Ratel C4 and Cobalt Strike as beacons to its command-and-control (C2) servers.
The advisory also recommends FIDO/WebAuthn authentication or public key infrastructure (PKI)-based MFA, given their resistance to the phishing, push bombing and SIM swapping tactics used by ALPHV/BlackCat.
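The advisory's pairing of Evilginx2-style adversary-in-the-middle phishing with phishing-resistant FIDO/WebAuthn is worth seeing mechanically. The following is an added example, not code from the advisory or the article, that models the origin binding in a WebAuthn assertion and shows why a relaying proxy cannot reuse one; the hostnames are constructed, and the per-credential asymmetric signature is stood in for by an HMAC so the block runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed names for the illustration; none come from the advisory.
RP_ID = "login.example-hospital.test"
RP_ORIGIN = "https://login.example-hospital.test"
PROXY_ORIGIN = "https://login.example-hospital.test.aitm-proxy.test"

# Simplification: real WebAuthn uses a per-credential key pair (e.g. ES256); a secret shared only by authenticator and RP stands in here.
CRED_KEY = secrets.token_bytes(32)


def authenticator_assert(challenge: bytes, origin: str) -> dict:
    """Browser + authenticator side. The browser, not the user, records the origin
    it is actually on, and the signature covers rpIdHash || SHA-256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest()  # rpIdHash (flags/counter omitted)
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(challenge: bytes, assertion: dict) -> bool:
    """Relying-party side: challenge, origin and rpIdHash are checked before the signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != RP_ORIGIN:  # the origin check is what defeats a relaying proxy
        return False
    if assertion["authenticatorData"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def direct_login() -> bool:
    challenge = secrets.token_bytes(32)
    return rp_verify(challenge, authenticator_assert(challenge, RP_ORIGIN))


def relayed_login(tamper_origin: bool = False) -> bool:
    """The proxy fetches a real challenge from the RP and shows it to the victim, whose browser
    is on PROXY_ORIGIN (a real browser would refuse outright, since RP_ID is not a suffix of that
    host). Rewriting the origin field afterwards breaks the signature instead."""
    challenge = secrets.token_bytes(32)
    assertion = authenticator_assert(challenge, PROXY_ORIGIN)
    if tamper_origin:
        cd = json.loads(assertion["clientDataJSON"])
        cd["origin"] = RP_ORIGIN
        assertion["clientDataJSON"] = json.dumps(cd, sort_keys=True).encode()
    return rp_verify(challenge, assertion)
```

By contrast, a one-time code or a session cookie carries no origin, which is why the same proxy can forward those unchanged.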

