The US government is warning about the resurgence of BlackCat (aka ALPHV) ransomware attacks against the healthcare sector as recently as this month.
“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been most commonly affected,” the government said in an updated advisory.
“This is likely in response to the ALPHV/BlackCat administrator’s post encouraging its affiliates to target hospitals following an operational action against the group and its infrastructure in early December 2023.”
The alert comes from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS).
The BlackCat ransomware operation suffered a major blow late last year, after a coordinated law enforcement operation led to the seizure of its dark escape sites. But the takedown proved to be a failure after the group managed to regain control of the sites and moved to a new TOR data leak portal that continues to remain active to this day.
It has also stepped up against critical infrastructure organizations in recent weeks, having claimed responsibility for attacks on Prudential Financial, LoanDepot, Trans-Northern Pipelines and UnitedHealth Group subsidiary Optum.
This development has prompted the US government to announce financial rewards of up to $15 million for information leading to the identification of key members and affiliates of the e-crime group.
The BlackCat ransomware surge coincides with the return of LockBit following similar disruption efforts led by the UK’s National Crime Agency (NCA) last week.
According to a report from SC Magazine, threat actors breached Optum’s network by exploiting recently revealed critical security flaws in ConnectWise’s ScreenConnect remote desktop and login software.
The flaws, which allow remote code execution on sensitive systems, have also been weaponized by the Black Basta and Bl00dy ransomware gangs, as well as other threat actors to deliver Cobalt Strike Beacons, XWorm and even other remote management tools such as Atera, Syncro and another ScreenConnect client.
Attack surface management firm Censys said it observed more than 3,400 potentially vulnerable ScreenConnect hosts online, most of them located in the United States, Canada, United Kingdom, Australia, Germany, France, India, Netherlands, Turkey and Ireland.
“It’s clear that remote access software like ScreenConnect continues to be a prime target for threat actors,” said Himaja Motheram, security researcher at Censys.
The findings come as ransomware groups such as RansomHouse, Rhysida and a Phobos variant called Backmydata have continued to compromise various organizations in the US, UK, Europe and the Middle East.
Demonstrating that these cybercrime groups are moving toward more nuanced and sophisticated tactics, RansomHouse has developed a custom tool called MrAgent to deploy file-encrypting malware at scale.
“MrAgent is a binary designed to run [VMware ESXi] hypervisor, with the sole purpose of automating and monitoring ransomware distribution in large environments with large numbers of hypervisor systems,” Trellix said. MrAgent Details came to light for the first time in September 2023.
Another significant tactic adopted by some ransomware groups is selling direct network access as a new method of monetization via their own blogs, on Telegram channels or on data leak websites, KELA said.
It also follows the public release of a Linux-specific, C-based ransomware threat known as Kryptina, which emerged in December 2023 on underground forums and has since been made available for free on BreachForums by its creator.
“The release of the RaaS source code, complete with extensive documentation, could have significant implications for the spread and impact of ransomware attacks against Linux systems,” said SentinelOne researcher Jim Walter.
“It is likely to increase the attractiveness and usability of the ransomware developer, attracting even more low-skilled participants into the cybercrime ecosystem. There is also a significant risk that it will lead to the development of multiple spin-offs and an increase of attacks.”