The FBI, U.S. Department of Health and Human Services, and the federal Cybersecurity and Infrastructure Security Agency (CISA) are warning the healthcare sector of a resurgence of BlackCat ransomware attacks.
In December of 2023, the administrator of the criminal group encouraged its affiliates to target hospitals. In response, the U.S. government announced financial rewards of up to $15M for information leading to the "identification of key members and affiliates of the e-crime group".
SC Magazine reports the group breached "Optum's network by leveraging the recently disclosed critical security flaws in ConnectWise's ScreenConnect remote desktop and access software."
An attack surface management firm, Censys, said, as of February 27, 2024, "it observed no less than 3,400 exposed potentially vulnerable ScreenConnect hosts online, with a majority of them located in the U.S., Canada, the U.K., Australia, Germany, France, India, the Netherlands, Turkey, and Ireland." "FBI Warns U.S. Healthcare Sector of Targeted BlackCat Ransomware Attacks" https://thehackernews.com/2024/02/fbi-warns-us-healthcare-sector-of.html (Feb. 28, 2024).
Commentary
Cybercriminals focus on healthcare organizations because healthcare organizations collect the personal identifiers of their patients. Personal identifiers, such as Social Security numbers, driver's license numbers, and healthcare-related information, are valuable on the cyber black market.
All healthcare organizations should treat the BlackCat resurgence as a forewarning of their own potential vulnerability, not only because multiple government agencies are warning healthcare organizations, but because of the type of exploitation that was used.
Make sure all software is current, including any recent patches. Require frequent password changes, as well as the use of multi-factor authentication.
Note that the criminals exploited remote desktop and access software. Remote desktop and access software is often exploited to install malware, including ransomware and spyware. Organizations that use remote desktop and access software should continually monitor for reports of exploitation and apply patches as soon as the vendor provides them.
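The advice above (patch promptly, enforce multi-factor authentication, and know which remote access hosts are reachable from the internet) can be turned into a routine inventory check. The following is an added example, not part of the original article and not from any of the vendors or agencies named in it. It triages a constructed asset inventory against a patched-baseline table; the baseline version for ScreenConnect is a placeholder, and the real fixed version must be taken from the vendor's advisory.

```python
"""Added example: triage an asset inventory of remote desktop and access
software for hosts that are below a patched baseline, reachable from the
internet, or running without multi-factor authentication.

The inventory and the baseline table are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Placeholder baseline: the minimum version considered patched for each
# product. Replace "99.0.0" with the fixed version stated in the vendor
# advisory; it is NOT a real ScreenConnect version number.
PATCHED_BASELINE: Dict[str, str] = {
    "ScreenConnect": "99.0.0",
}


@dataclass
class Asset:
    hostname: str
    product: str
    version: str
    internet_exposed: bool   # service reachable from the public internet
    mfa_enforced: bool       # multi-factor authentication required for login


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '23.9.7' into a tuple of ints
    so that versions compare numerically rather than lexically
    ('23.10.0' > '23.9.0'). Non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def triage(assets: List[Asset]) -> List[Tuple[str, List[str]]]:
    """Return (hostname, findings) pairs for every asset that needs action.
    Assets with no findings are omitted. Findings are ordered so that the
    most urgent condition (an unpatched version) comes first."""
    results = []
    for asset in assets:
        findings = []
        baseline = PATCHED_BASELINE.get(asset.product)
        if baseline is not None and parse_version(asset.version) < parse_version(baseline):
            findings.append("below patched baseline")
        if asset.internet_exposed:
            findings.append("remote access service reachable from the internet")
        if not asset.mfa_enforced:
            findings.append("MFA not enforced")
        if findings:
            results.append((asset.hostname, findings))
    return results


# Constructed sample inventory (hostnames, versions and flags are made up).
SAMPLE_INVENTORY: List[Asset] = [
    Asset("rds-01", "ScreenConnect", "23.9.7", internet_exposed=True, mfa_enforced=False),
    Asset("rds-02", "ScreenConnect", "99.0.0", internet_exposed=False, mfa_enforced=True),
    Asset("vpn-01", "OtherRemoteAccess", "1.2", internet_exposed=True, mfa_enforced=True),
]


if __name__ == "__main__":
    for hostname, findings in triage(SAMPLE_INVENTORY):
        print(f"{hostname}: {'; '.join(findings)}")
```

In practice the inventory would be fed from an asset management system or a scan of your own address space, and the baseline table updated whenever a vendor advisory names a fixed version. A host that is both below baseline and internet-exposed is the one to isolate or patch first.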