You could save hundreds of thousands of dollars by learning more about two growing cybersecurity threats to healthcare: LockBit 3.0 and Black Basta. Alerts about both groups have been published recently by the Health Sector Cybersecurity Coordination Center (HC3). The alerts contain advice about key mitigation steps you can take to prevent a successful ransomware attack.
LockBit and Black Basta are two of the most active and aggressive ransomware groups operating today. They conduct their own attacks, but also share their techniques with other criminal groups for a share in profits. They’re sophisticated, operate like successful businesses and make huge profits.
Both use malicious software designed to block user access to computer systems until a ransom is paid.
In December 2022, the Health Sector Cybersecurity Coordination Center (HC3) issued an Analyst Note explaining:
“LockBit 3.0 is the newest version of the LockBit ransomware that was first discovered in September 2019. The ransomware family has a history of using the Ransomware-as-a-Service (RaaS) model and typically targets organizations that could pay higher ransoms. Historically, this ransomware employs a double extortion technique where sensitive data is encrypted and exfiltrated. The actor requests payment to decrypt data and threatens to leak the sensitive data if the payment is not made. With the new release, it appears that the ransomware is using a triple extortion model where the affected victim may also be asked to purchase their sensitive information. Since its appearance, HC3 is aware of LockBit 3.0 attacks against the Healthcare and Public Healthcare (HPH) sector. Due to the historical nature of ransomware victimizing the healthcare community, LockBit 3.0 should be considered a threat to the HPH sector.”
Last week a new cybersecurity advisory about LockBit was issued jointly by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC).
The top three mitigation steps listed in the latest advisory are:
- Prioritize remediating known exploited vulnerabilities.
- Train users to recognize and report phishing attempts.
- Enable and enforce phishing-resistant multifactor authentication.
The advisory contains a long list of other defensive measures that every organization should consider (e.g., have a recovery plan, segment networks, use NIST standards for password policies, and keep operating systems and software up-to-date).
HC3 is also warning the healthcare sector of the threat posed by Black Basta, a Russian-speaking ransomware-as-a-service group.
Because Black Basta is so effective and became successful fast — the group targeted 20 institutions in its first two weeks of existence — HC3 analysts say that Black Basta may be a rebrand of the Russian-speaking ransomware group Conti.
The group employs a double extortion method to steal data, according to the HC3 warning alert.
“Black Basta’s high-volume attacks in 2022 suggest that they will continue to attack and extort organizations. As ransomware as a service threat groups become more prolific, healthcare organizations should remain vigilant and strengthen their defenses against ransomware attacks. Organizations can take several multilayered actions to minimize their exposure to and the potential impact of a ransomware attack.”
The HC3 warning lists several resources to guide cybersecurity measures to fight Black Basta:
And, for a more technical description: KROLL – Black Basta Technical Analysis
If Ransomware Hits
Hopefully you won’t be victimized by a ransomware attack. The more defenses you put in place, the less likely it will happen. Prevention is far less costly than recovery from an attack.
But if it does happen, cybersecurity experts advise not to pay and not to negotiate with the criminals. Notify the FBI immediately and begin an investigation to find out what happened and the extent of the damage. If protected health information was affected, conduct a breach risk assessment and follow the Breach Notification Rule.
Remember that HHS considers a ransomware attack to be a presumed breach. Although the breach risk assessment is not mandatory, every ransomware attack should be evaluated to help guide next steps.