It became clear across the healthcare cybersecurity landscape this week that the specter of a potential double-extortion attack by RansomHub is looming over Change Healthcare, following the February cyberattack by ALPHV.
Further, a whirlwind of news on LockBit starts a complicated tale of international espionage and potential new threats to healthcare organizations from this group. We spoke to several cybersecurity leaders this week for healthcare’s takeaways.
Double extortion for Change Healthcare
Multiple sources reported the RansomHub ransomware-as-a-service group claimed possession of 4TB of stolen Change Healthcare data and was threatening to make it public unless a ransom was paid.
“Double extortion actually seems completely in line with what they might do,” Joel Burleson-Davis, senior vice president of worldwide engineering of cyber at Imprivata, said by email Friday.
“The other dynamic is that these are business models, so if they want payout, they need to hold up their end of the bargain, sort of like a contract situation. Double extortion is like a risk/reward scenario for their future business model,” he explained.
Last month, SOCRadar posted a RansomHub profile and reported that, in contrast to other ransomware groups, the group’s ransom payments are initially sent to affiliates for a take of 90%.
Meanwhile, vx-underground, a trove of malware source code samples and information, according to its X profile, said Monday that ALPHV affiliates moved to RansomHub.
“Change Healthcare and UnitedHealth, you have one chance to protecting your clients data. The data has not been leaked anywhere and any decent threat intelligence would confirm that the data has not been shared nor posted,” the group allegedly posted Monday, according to a screenshot a group called Dark Web Informer shared on X.
Also on the alleged RansomHub dark website page, the group added, “We have the data and not ALPHV.”
The Department of Justice announced it seized ALPHV Blackcat in December, but then the Blackcat group claimed responsibility for the Change Healthcare attack in February and reported having medical, insurance and dental records, along with payment and claims data and the personally identifiable information of patients, along with U.S. military/navy personnel data.
In March, ALPHV listed the ransom payment, and the site shut down with a second law enforcement seizure, notices the investigating agencies denied posting.
Whether the group is a related or unrelated set of threat actors trying to get UnitedHealth Group to pay more than the $22 million worth of Bitcoin it may have already paid to help restore Change Healthcare systems and release strain on providers after the ransomware outage, the potential to leak the enormous trove of protected health data is alarming for the entire healthcare ecosystem.
Greg Surla told Healthcare IT News Thursday the risk of such a large-scale data breach on healthcare organizations is “complex and disturbing.”
“This new threat of data exposure from a second party reinforces the importance of business-continuity planning as it may be difficult to predict when an attack is truly over,” he stressed by email.
“Furthermore, the latest developments intensify the need to ensure that PHI is protected using strong security controls, aligned with industry best practices and any breaches are reported to [U.S. Health and Human Services] and affected individuals without significant delay following a breach.”
Burleson-Davis added that a potential double-extortion scenario is “why we need more regulations around third-party access” and robust security programs, like privileged access-management tools, that “can avoid some of this stuff.”
“[UHG] has likely done as much forensics as possible and if they had an undetected second breach, it really could be a second actor acting. But what’s to say there’s not a third, or fourth?” he explained to Healthcare IT News.
“The fact that there’s additional activity that looks like a second breach or a double extortion means that they are still in the thick of this and not out of the woods yet,” he added. “If there’s many different actors present in their system now, the road to recovery will be way longer, way more expensive and way more impactful.
“How do they know they’re clean? This creates a giant risk profile.”
SC Media noted in its report Monday that RansomHub is giving UHG and Optum 12 days to pay, or will leak Change Healthcare’s data.
Researchers unravel LockBit
In February, DOJ and the U.S. Federal Bureau of Investigation announced an international team of law enforcement officials collaborated through a coordinated government-led ransomware defense campaign called Operation Cronos and seized the Lockbit ransomware gang servers, providing decryptors to numerous organizations across sectors.
Lockbit, a ransomware group known to attack healthcare organizations – although it apologized to Toronto-based SickKids and offered a decryptor in 2023 – appears it will not go down without a fight.
Last week, Trend Micro released details on how LockBit operated after the disruption of Operation Cronos. The company said, while attempting to stay afloat with a new version, as the group is most likely working on LockBit 4.0, it may have recently released the variant LockBit-NG-Dev.
After researching the threat actors associated with the group, Trend Micro researchers said they question LockBit’s ability to attract top affiliates, based on the group’s “logistical, technical and reputational” failures in 2023.
There was also speculation on Thursday that LockBit is rebranding as DarkVault, according to a Cybernews report.
Meanwhile, an unnamed source told Bloomberg Wednesday that law enforcement investigators have linked pseudonyms used by the LockBit hacking gang to specific individuals, and are tracking down a list of 200 leads to LockBit associates.
The DOJ also said, when it announced the seizure of LockBit’s assets, that it unsealed indictments in New Jersey and California for the Russian nationals Artur Sungatov and Ivan Kondratyev, also known as the cybercriminal Bassterlord, for deploying LockBit against numerous victims throughout the United States.
Sungatov and Kondratyev are not in custody but have been sanctioned by the U.S. Treasury, according to a February story in TechCrunch, meaning any connection by any U.S. business or individual to paying them runs the risk of fines and/or criminal prosecution.
Microsoft CVEs double in April
The Cybersecurity and Infrastructure Security Agency issued an emergency directive last week to address the impact on federal agencies from a breach of Microsoft.
“The Russian state-sponsored cyber actor known as Midnight Blizzard has exfiltrated email correspondence between Federal Civilian Executive Branch agencies and Microsoft through a successful compromise of Microsoft corporate email accounts,” CISA said in the April 2 announcement.
The FCEB agencies are required to “analyze the content of exfiltrated emails, reset compromised credentials and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure,” the top U.S. cybersecurity agency said.
It’s a big month for Microsoft security common vulnerabilities and exposures that all sectors, including healthcare IT, should pay attention to.
Tyler Reguly, senior manager of security research and development at security firm Fortra, said on Patch Tuesday this week that the 149 CVEs Microsoft issued in April will keep enterprises busy.
“We saw 56, 73 and 61 Microsoft-issued CVEs released for January, February and March,” he said by email.
“What is most notable is that a third of the vulnerabilities reference either Microsoft Security Boot or Microsoft SQL Server. Additionally, Azure features, including Microsoft Defender for [Internet of Things], account for 15 of the CVEs patched this month,” he added.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.
