On November 6, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) issued an analyst note about a ransomware group targeting the healthcare and public health (HPH) sector.
Experts warn that the BlackSuit ransomware group is likely a newer version or a “rebrand” of two prior dangerous ransomware groups: Conti and Royal. All three are known for attacking Windows and Linux operating systems. Cybersecurity experts have also noted code overlaps and similarities in intrusion techniques among the three groups.
According to the American Hospital Association (AHA), Royal and Conti have been “responsible for high-impact ransomware attacks against U.S. hospitals and health systems, resulting in major disruptions to health care delivery and risk to patient safety.”
Major Recent Ransomware Incident Raises Alarms
So far, targets have been in healthcare, manufacturing, business technology, business retail, and government sectors. But an October ransomware attack on an unnamed healthcare entity was attributed to BlackSuit, raising alarms.
“The ransomware attack was significant, as the victim provides medical scans and radiology services for almost 1,000 hospitals and health systems in 48 states. The initial impact of the attack caused the victim to shut down computer systems and turn away patients at fixed-site locations. No further details are known at this time, although given the ubiquitous geographic presence of the victim, significant impacts could still follow. Given both Royal and Conti’s longstanding record of targeting this particular sector, if BlackSuit’s ties to either of the two groups is confirmed, then the healthcare industry should anticipate more attacks to come.” (italics added for emphasis)
Although the analyst note did not name the healthcare entity hit by BlackSuit, an internet search indicates it may have been Florida-based Akumin, Inc., which provides medical scans and radiology services for about 1,000 hospitals and health systems. DataBreaches.net reported on Akumin on October 25.
CISA Issues Second Alert
A week after the HC3 alert, the Cybersecurity and Infrastructure Security Agency (CISA) published an alert about Royal ransomware. CISA warns that Royal, and possibly BlackSuit, gain access to victims’ systems using:
- Phishing through email,
- Unprotected Remote Desktop Protocol (RDP) access,
- Public-facing applications, and
- Exploitation of brokers’ credentials.
Royal has been aggressive over the last year. Since September 2022, Royal has targeted over 350 known victims worldwide, and ransomware demands have exceeded $275 million. Royal conducts data exfiltration and extortion before encryption and then publishes victim data to a leak site if a ransom is not paid.
Protect Your Data Now
Stay ahead of the cyber thieves with good cybersecurity defenses and robust HIPAA compliance.
These alerts from HC3 and CISA contain detailed guidance for IT staff on defending against these recent threats. Read them to learn the specific, targeted strategies they recommend.
However, there are vital steps you can take today without knowing all the details:
- Prioritize remediating known exploited vulnerabilities.
- Train users to recognize and report phishing attempts.
- Enable and enforce multifactor authentication.
For more, visit StopRansomware.gov.