FBI and CISA Alert Healthcare Sector of Targeted BlackCat Ransomware Attacks

February 27, 2024

The FBI, CISA, and Department of Health and Human Services (HHS) have sounded an alarm to U.S. healthcare entities about specific ALPHV/Blackcat ransomware attacks.

The joint advisory states, "ALPHV Blackcat affiliates have been observed primarily targeting the healthcare sector." This alert follows a previous FBI flash alert in April 2022 and another advisory in December 2023 detailing the activity of the BlackCat cybercrime group, which emerged in November 2021 and is suspected to be a rebrand of the DarkSide and BlackMatter ransomware operations.

In its first four months of operations, from November 2021 to March 2022, the FBI associated BlackCat with over 60 breaches. The group reportedly accumulated at least $300 million in ransoms from over 1,000 victims through September 2023.

The joint advisory issued today by the three federal agencies highlights that since mid-December 2023, the healthcare sector has been the most frequently victimized, likely due to the ALPHV Blackcat administrator's post encouraging affiliates to target hospitals.

The FBI, CISA, and HHS have recommended that critical infrastructure organizations take necessary steps to minimize the likelihood and impact of Blackcat ransomware and data extortion incidents. They have also urged healthcare organizations to adopt cybersecurity safeguards to counter the tactics, techniques, and procedures commonly used within the Healthcare and Public Health (HPH) sector.

The advisory was issued following an incident linking the BlackCat ransomware operation to a cyberattack on UnitedHealth Group subsidiary Optum, which caused an ongoing outage affecting Change Healthcare, the largest payment exchange platform connecting doctors, pharmacies, healthcare providers, and patients in the U.S. healthcare system.

While UnitedHealth Group VP Tyler Mason did not confirm the BlackCat link, he stated that 90% of the 70,000+ pharmacies using the affected platform have transitioned to new electronic claim processes.

The advisory did not directly reference the Change Healthcare incident, but it shared indicators of compromise that corroborate reports that the BlackCat ransomware group is targeting vulnerable ScreenConnect servers for remote access into victim networks, exploiting the critical ScreenConnect authentication bypass vulnerability (CVE-2024-1709).

In December, the FBI disrupted the BlackCat group's operations by disabling its Tor negotiation and leak sites. The gang's servers were also compromised, allowing law enforcement to build a decryptor from keys collected during a months-long intrusion. BlackCat has since restored its sites and moved to a new Tor leak site that the FBI has not yet taken down.

The U.S. State Department offers rewards of up to $10 million for information leading to the identification or location of BlackCat gang leaders and $5 million for tips on individuals connected to the group's ransomware attacks.
