Healthcare Cybersecurity

Critical ‘MDHex’ Vulnerabilities Identified in GE Healthcare Patient Monitoring Products

Critical vulnerabilities have been identified in GE Healthcare patient monitoring products by a security researcher at CyberMDX.

Elad Luz, Head of Research at CyberMDX, identified six vulnerabilities, five of which have been rated critical and one high severity. The five critical vulnerabilities have been assigned the maximum CVSS v3 score of 10 out of 10. The other vulnerability has a CVSS v3 score of 8.5 out of 10.

Exploitation of the flaws could render the affected products unusable. Remote attackers could also alter the functionality of vulnerable devices, including changing or disabling alarm settings, and steal protected health information stored on the devices.

CyberMDX initially investigated the CARESCAPE Clinical Information Center (CIC) Pro product, but discovered the flaws affected patient monitors, servers, and telemetry systems. The vulnerabilities have been collectively named MDHex and are tracked under the CVEs: CVE-2020-6961, CVE-2020-6962, CVE-2020-6963, CVE-2020-6964, CVE-2020- 6965, and CVE-2020-6966. GE Healthcare has confirmed that the vulnerabilities could have serious consequences for patients and hundreds of thousands of devices may be affected.

CVE-2020-6961 (CVSS 10.0) is due to unprotected storage of credentials (CWE-256). The flaw could allow an attacker to obtain the SSH private key from configuration files via a SSH connection and remotely execute arbitrary code on vulnerable devices. The same SSH key is shared across all vulnerable products.

CVE-2020-6962 (CVSS 10.0) is an input validation vulnerability (CWE-20) in the configuration utility of the web-based system. If exploited, an attacker could remotely execute arbitrary code.

CVE-2020-6963 (CVSS 10.0) concerns the use of hard-coded Server Message Block (SMB) credentials (CWE-798). An attacker could establish an SMB connection and read or write files on the system. The credentials could be obtained through the password recovery utility of the Windows XP Embedded operating system.

CVE-2020-6964 (CVSS 10.0) is due to missing authentication for critical function (CWE-306) concerning the integrated Kavoom! Keyboard/mouse software. If exploited, an attacker could remotely input keystrokes and alter device settings on all vulnerable devices on the network without authentication.

CVE-2020- 6965 (CVSS 8.5) is due to the failure to restrict the upload of dangerous file types (CWE-434). An attacker could upload arbitrary files through the software update facility.

CVE-2020-6966 (CVSS 10.0) is due to inadequate encryption strength (CWE-326). Weak encryption is used for remote desktop control through VNC software, which cloud lead to remote code execution on vulnerable networked devices. The necessary credentials could also be obtained from publicly available product documentation.

According to a recent ICS-CERT Advisory, the following GE Healthcare products are affected:

  • ApexPro Telemetry Server, Versions 4.2 and prior
  • CARESCAPE Telemetry Server, Versions 4.2 and prior
  • Clinical Information Center (CIC), Versions 4.X and 5.X
  • CARESCAPE Telemetry Server, Version 4.3
  • CARESCAPE Central Station (CSCS), Versions 1.X; Versions 2.X
  • B450, Version 2.X
  • B650, Version 1.X; Version 2.X
  • B850, Version 1.X; Version 2.X

GE Healthcare is currently developing patches for the vulnerable products which are expected to be released in Q2, 2020. In the meantime, GE Healthcare has published a series of mitigations to reduce the risk of exploitation of the vulnerabilities.

Healthcare providers should follow standard network security best practices and ensure mission critical (MC) and information exchange (IX) networks have been configured correctly and meet the requirements outlined in the Patient Monitoring Network Configuration Guide, CARESCAPE Network Configuration Guide, and product technical and service manuals.

If connectivity is required outside the MC and/or IX networks, a router/firewall should be used. GE Healthcare recommends blocking all incoming traffic from outside the network at the MC and IX router firewall, except when required for clinical data flows.

The following ports should be blocked for traffic initiated from outside the MC and IX network: TCP Port 22 for SSH and TCP and UDP Ports 137, 138, 139, and 445 for NetBIOS and SMB as well as TCP Ports 10000, 5225, 5800, 5900, and 10001.

Physical access to Central Stations, Telemetry Servers, and the MC and IX networks should be restricted, password management best practices should be followed, and default passwords for Webmin should be changed.

Exploits for the vulnerabilities are not believed to have been made public and GE Healthcare is unaware of any attempted cyberattacks or injuries to patients as a result of the flaws.

The post Critical ‘MDHex’ Vulnerabilities Identified in GE Healthcare Patient Monitoring Products appeared first on HIPAA Journal.

Maze Ransomware Gang Publishes Research Data of Medical Diagnostic Laboratories

The operators of Maze ransomware are following through on their threats to publish data stolen from the victims of ransomware attacks when the ransom is not paid.

In December, the Carrollton, GA-based wire and cable manufacturer Southwire refused to pay a 200 BTC ransom ($1,664,320) and the threat actors went ahead and published some of the stolen data. Southwire filed a lawsuit in the Northern District of Georgia against the Maze team and the ISP hosting the Maze Team’s website. The case was won, and the website was taken offline; however, the website was back online with a different hosting provider a few days later.

Listed on the webpage are the names of the companies that have been attacked and refused to pay the ransom demand, along with some of the data stolen in the attacks.

One of those companies is New Jersey-based Medical Diagnostic Laboratories (MDLab). According to the Maze Team, MD Lab was attacked on December 2, 2019. MD Lab made contact with the Maze team, but negotiations stalled, and no ransom was paid.

According the Maze website, 231 workstations were encrypted in the attack. When MD Lab refused to negotiate, the Maze team went ahead and published 9.5GB of the company’s private research data, including immunology research. The Maze Team then advertised the stolen data on a hacking forum in an attempt to restart negotiations with the company. According to Bleeping Computer, 100GB of data was stolen in the attack. The Maze team have demanded a ransom payment of 100 BTC ($832,880) for the keys to unlock the encrypted files and a further 100 BTC payment to destroy the stolen data.

While threats have been issued in the past to publish data stolen in ransomware attacks, there have been no confirmed cases of attackers following through on their threats until the Maze gang started publishing data in December 2019. Currently, 29 companies are listed on the website as not having paid, along with samples of data stolen in the attacks.

Earlier this month, The Center for Facial Restoration, Inc. announced it had suffered a similar fate following a November 8, 2019 ransomware attack. The attackers stole patient data before deploying ransomware and issued ransom demands to the healthcare provider as well as 10-20 patients. Photographs and personal information of up to 3,500 are believed to have been stolen in the attack.

In order to steal data, access to the network must first be gained and the attackers then need to search for sensitive data and exfiltrate it without being detected. Since these types of attacks require more skill to pull off than a standard ransomware attack, they are likely to remain relatively limited. That said, these data theft incidents are becoming more common. Several ransomware operators, including the Sodinokibi and Nemty gangs, have now adopted this tactic and have been threatening to publish or sell stolen data to pressure victims into paying.

The post Maze Ransomware Gang Publishes Research Data of Medical Diagnostic Laboratories appeared first on HIPAA Journal.

CISA Issues Warning About Increase in Emotet Malware Attacks

A warning has been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about a recent increase in Emotet malware attacks.

Emotet was first detected in 2014 and was initially developed to steal banking credentials, but it has seen considerable development over the past five years and is now is a highly sophisticated Trojan.

In addition to stealing banking credentials, Emotet can steal passwords stored in web browsers and the credentials files of external drives. Modules have been added that allow it to propagate via email and download other malware variants. The malware has been used to infect devices with cryptocurrency miners and cryptowallet stealers, the TrickBot banking Trojan, and Ryuk ransomware. These additional payloads are often downloaded weeks, months, or even years after the initial Emotet infection.

Emotet malware is primarily delivered via spam email. Initially, the malware was spread by JavaScript attachments; however, the threat actors behind the malware have now switched to Office documents with malicious macros that run PowerShell commands that download the malware. If the email attachment is opened and content is enabled, Emotet will be silently downloaded and executed. Spam emails containing hyperlinks to malicious websites have also been used to deliver the malware.

Emotet malware is persistent. It inserts itself into running processes and creates registry entries to ensure it is run each time the computer boots. Once a victim’s computer has been infected it is added to the Emotet botnet. The computer will then be used to distribute copies of Emotet to the victim’s contacts via email. According to SecureWorks, Emotet steals the first 8KB of all emails in the inbox. That data is used to craft new messages to contacts containing real message threads and replies are sent to unread messages in the inbox. This tactic increases the likelihood of the recipient opening the message and file attachment. Campaigns have also been detected using email attachments that imitate receipts, shipping notifications, invoices, and remittance notices.

In addition to propagation via email, Emotet enumerates network resources and writes itself to shared drives. It also brute forces domain credentials. If Emotet is detected on one computer, it is probable that several others are also infected. Removing Emotet can be problematic as cleaned devices are likely to be reinfected by other infected computers on the network.

The Emotet botnet was inactive for around 4 months from May 2019 but sprung back to life in September. Emotet activity suddenly stopped again in late December and remained quiet until January 13, 2020 when massive spamming campaigns resumed. Proofpoint detected one spam campaign targeting pharma companies that saw around 750,000 emails sent in a single day.

“If successful, an attacker could use an Emotet infection to obtain sensitive information. Such an attack could result in proprietary information and financial loss as well as disruption to operations and harm to reputation,” warns CISA in its January 22, 2020 alert.

CISA suggests the following steps should be taken to reduce the risk of an Emotet malware attack:

  • Block email attachments that are often associated with malware (.exe, .dll, .js etc.)
  • Block email attachments that cannot be scanned by anti-virus software (e.g. .zip, .rar files)
  • Implement Group Policy Object and firewall rules.
  • Ensure anti-virus software is installed on all endpoints
  • Ensure patches are applied promptly and a formalized patch management process is adopted
  • Implement filters at the email gateway
  • Block suspicious IP addresses at the firewall
  • Restrict the use of admin credentials and adhere to the principle of least privilege
  • Implement DMARC
  • Segment and segregate networks
  • Limit unnecessary lateral communications

Detailed CISA guidance on blocking Emotet and remediating attacks can be found on this link.

The post CISA Issues Warning About Increase in Emotet Malware Attacks appeared first on HIPAA Journal.

Emergency Directives Issued by CISA and OCR to Mitigate Critical Windows Vulnerabilities

Microsoft has issued patches for several critical vulnerabilities in all supported Windows versions that require urgent attention to prevent exploitation. While there have been no reports of exploitation of the flaws in the wild, the seriousness of the vulnerabilities and their potential to be weaponized has prompted both the Department of Homeland Security (DHS) and the Department of Health and Human Services (HHS) to issue emergency directives about the vulnerabilities.

One of the vulnerabilities was discovered by the National Security Agency (NSA), which took the unusual step of reporting the vulnerability to Microsoft. This is the first time that a vulnerability has been reported by the NSA to a software vendor.

Windows CryptoAPI Vulnerability Requires Immediate Patching

The NSA-discovered vulnerability, tracked as CVE-2020-0601, affects Windows 10 and Server 2016/2019 systems. The vulnerability is due to how the Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates. The flaw would allow a remote attacker to sign malicious code with an ECC certificate to make it appear that the code has been signed by a trusted organization.

The vulnerability could also be exploited in a man-in-the-middle attack. Malicious certificates could be issued for a hostname that did not authorize it and applications and browsers that rely on the Windows’ CryptoAPI would not issue any warnings or alerts. A remote attacker could exploit the flaw and decrypt, modify, or inject data on user connections undetected.

There are no reported cases of exploitation of the vulnerability, but the NSA believes it will not take long for advanced persistent threat (APT) groups to understand the underlying flaw and weaponize the vulnerability, hence the decision to report the flaw to Microsoft.

According to the NSA, “The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”

Critical RCE Vulnerabilities in Windows Remote Desktop

Three pre-authentication vulnerabilities in Windows Remote Desktop have been patched by Microsoft. Two of the vulnerabilities – CVE-2020-0609 and CVE-2020-0610 – could allow a remote attacker to connect to servers and remotely execute arbitrary code without any user interaction. After exploiting the flaws they could install programs, view, change, or delete data, or create new accounts with full admin rights. The flaws could be exploited by sending a specially crafted request to a vulnerable server.

The third vulnerability – CVE-2020-0612 – could be exploited in a similar fashion and could allow an attacker to perform a denial of service attack and crash the RDP system.

The vulnerabilities are present in the RDP Gateway Server and Windows Remote Desktop Client and affect all supported versions of Windows and Windows Server.

Emergency Directives Issued by DHS and OCR

The Department of Homeland Security has determined the vulnerabilities to pose an unacceptable risk to the Federal enterprise and has issued an emergency directive (20-02) to all federal agencies calling for the patches to be applied on all affected endpoints within 10 business days and for technical and/or management controls to be put in place for newly provisioned or previously disconnected endpoints.

The seriousness of the vulnerabilities has prompted the HHS’ Office for Civil Rights to issue an emergency directive of its own to the healthcare industry and public sector. All healthcare and public health entities have been advised to apply the patches as soon as possible to ensure the vulnerabilities are not exploited.

The post Emergency Directives Issued by CISA and OCR to Mitigate Critical Windows Vulnerabilities appeared first on HIPAA Journal.

DHS Warns of Continuing Cyberattacks Exploiting Pulse Secure VPN Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to Pulse Secure customers urging them to patch the 2019 Pulse Secure VPN vulnerability, CVE-2019-11510.

Pulse Secure VPN servers that have not been patched are continuing to be attacked by cybercriminals. The threat actors behind Sodinokibi (REvil) ransomware are targeting unpatched Pulse Secure VPN servers and are exploiting CVE-2019-11510 to install ransomware. Several attacks have been reported in January 2020. In addition to encrypting data, the attackers are stealing and threatening to publish victims’ sensitive information. Last week data belonging to Artech Information Systems was published when the ransom was not paid.

CISA continues to see widespread exploitation of the flaw by multiple threat actors, including nation-state sponsored advanced persistent threat actors, who are exploiting the flaw to steal passwords, data, and deploy malware.

Exploitation of the vulnerability can allow a remote, unauthenticated attacker to gain access to all active VPN users and obtain their plain-text passwords. According to CISA, an attacker may also be able to execute arbitrary code on VPN clients when they successfully connect to an unpatched Pulse Secure VPN server.

Pulse Secure issued an advisory about the vulnerability on April 24, 2019 and patches were released to fix the flaw on all affected Pulse Connect Secure and Pulse Policy Secure versions, yet many organizations have been slow to apply the patches. Since there are no mitigations or workarounds that can be implemented to prevent exploitation of the vulnerability, the only solution is to apply the patches released by Pulse Secure.

CISA has urged all organizations to apply the patches as soon as possible to prevent exploitation of the vulnerability. It has been estimated that around 10% of Pulse Secure customers have not yet applied the patch and are vulnerable to attack.

The post DHS Warns of Continuing Cyberattacks Exploiting Pulse Secure VPN Vulnerability appeared first on HIPAA Journal.

Support for Windows 7 Finally Comes to an End

Microsoft is stopping free support for Windows 7, Windows Server 2008, and Windows Server 2008 R2 on January 14, 2020, meaning no more patches will be released to fix vulnerabilities in the operating systems. Support for Office 2010 has also come to an end.

The operating systems will be up to date as of January 14, 2020 and all known vulnerabilities will have been fixed, but it will only be a matter of time before exploitable vulnerabilities are discovered and used by cybercriminals to steal data and deploy malware.

Even though Microsoft has given a long notice period that the operating system was reaching end of life, it is still the second most used operating system behind Windows 10. According to NetMarketShare, 33% of all laptop and desktop computers were running Windows 7 in December 2019.

Many healthcare organizations are still using Windows 7 on at least some devices. The continued use of those devices after support is stopped places them at risk of cyberattacks and violating the HIPAA Security Rule.

The natural solution is to update Windows 7 to Windows 10, although that may not be straightforward. In addition to purchasing licenses and upgrading the operating system, hardware may also have to be upgraded and some applications may not work on newer operating systems. The upgrade is therefore likely to be a major undertaking that may take a great deal of time.

If upgrading Windows 7 devices and Windows 2008 servers is not possible, steps should be taken to protect the devices and reduce the likelihood of a compromise and the impact of a cyberattack.

Steps to take to reduce the likelihood of a compromise include preventing the Windows 7 devices from accessing untrusted content. That means not using the devices for accessing email and browsing the internet and portable storage devices and removable media should not be used.

Local administrator rights should be removed from all Windows 7 devices and firewall protection should be strengthened. The devices should not be used for accessing sensitive data, such as protected health information and any sensitive data stored on the devices should be moved to devices running supported operating systems.

Since there is a greater chance of a malware infection on devices running unsupported operating systems, it is essential for anti-virus software to be installed and for it to be kept up to date. Regular scans should be conducted on the devices for malware and the devices should be monitored for potential cyberattacks in progress.

Microsegmentation can help to limit the harm caused in the event of a compromise. All devices running unsupported operating systems should be isolated from other networks and the devices should only be allowed to access critical services. Access to core servers and systems should be removed. It is also strongly advisable to review and revise business continuity plans to ensure that in the event of a compromise, critical business operations can continue. While it is costly to pay for extended support it is strongly recommended.

These measures can reduce risk, but they will not eliminate it. Organizations should therefore be accelerating their plans to upgrade their operating systems and hardware. Moving to a supported operating system is the only way to ensure devices remain secure.

The post Support for Windows 7 Finally Comes to an End appeared first on HIPAA Journal.

DHS Warns of Critical Citrix Vulnerability Being Exploited in the Wild

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a recently discovered vulnerability in the Citrix Application Delivery Controller and Citrix Gateway web server appliances.

Exploitation of the vulnerability – tracked as CVE-2019-19781 – is possible over the internet and can allow remote execution of arbitrary code on vulnerable appliances. Exploitation of the flaw would allow a threat actor to gain access to the appliances and attack other resources connected to the internal network. Some security researchers have described the bug as one of the most dangerous to be discovered in recent years.

The alert, issued on January 8, 2019, urges all organizations using the affected Citrix appliances (formerly NetScaler ADC and NetScaler Gateway) to apply mitigations immediately to limit the potential for an attack, and to apply the firmware updates as soon as they are released later this month.

Two proof of concept exploits have already been published on GitHub which makes exploitation of the flaws trivial. Scans for vulnerable systems have increased since the publication of the exploits on Friday by Project Zero India and TrustedSec and attacks on honeypots setup by security researchers have increased in frequency over the weekend.

Worldwide there are approximately 80,000 companies in 158 countries that need to apply mitigations to correct the vulnerabilities. Approximately 38% of vulnerable organizations are located in the United States.

The flaws are present in all supported versions of the Citrix Application Delivery Controller and Citrix Gateway web server – versions 13.0, 12.1, 12.0, 11.1, and 10.5 – which include Citrix NetScaler ADC and NetScaler Gateway.

The path traversal bug was discovered by UK security researcher Mikhail Klyuchnikov who reported it to Citrix. The flaw can be exploited over the internet on a vulnerable appliance without the need for authentication. All that is required to exploit the flaw is to find a vulnerable appliance and send a specially crafted request along with the exploit code.   The bug is being referred to as Shitrix by security researchers on cybersecurity forums.

Currently there is no patch available to correct the flaw. Citrix will be issuing a firmware upgrade later this month to correct the vulnerability, which is currently scheduled for release on January 20, 2020 for firmware versions 11.1 and 12.0, January 27, 2020 for versions 12.1 and 13.0, and January 31, 2020 for version 10.5.

In the meantime, it is essential for configuration changes to be applied to make it harder for the vulnerability to be exploited. These can be found on Citrix Support Page CTX267679.

Since the flaw is currently under active attack, after applying mitigations it is important to check to make sure the flaw has not already been exploited.

TrustedSec, which held back on publishing its PoC exploit code until an exploit had already been released on GitHub, has developed a tool that can be used to identify vulnerable Citrix instances on networks and has published potential indicators of compromised Citrix hosts.

The post DHS Warns of Critical Citrix Vulnerability Being Exploited in the Wild appeared first on HIPAA Journal.

Healthcare Data Breaches Predicted to Cost Industry $4 Billion in 2020

Healthcare industry data breaches are occurring more frequently than ever before. The healthcare data breach figures for 2019 have yet to be finalized, but so far 494 data breaches of more than 500 records have been reported to the HHS’ Office for Civil Rights and more than 41.11 million records were exposed, stolen, or impermissibly disclosed in 2019. That makes 2019 the worst ever year for healthcare data breaches and the second worst in terms of the number of breached healthcare records.

The healthcare industry now accounts for around four out of every five data breaches and 2020 looks set to be another record-breaking year. The cost to the healthcare industry from those breaches is expected to reach $4 billion in 2020.

The poor state of healthcare cybersecurity was highlighted by a survey of healthcare security professionals conducted in late 2019 by Black Book Market Research. The survey was conducted on 2,876 security professionals from 733 provider organizations to identify cybersecurity gaps, vulnerabilities, and deficiencies in the healthcare industry.

The survey revealed more than 93% of healthcare organizations experienced a data breach between Q3, 2016. 57% of surveyed healthcare providers experienced more than 5 breaches in that period. Even though there is a high risk of a data breach being suffered, investment in cybersecurity is nowhere near the level it needs to be.

“It is becoming increasingly difficult for hospitals to find the dollars to invest in an area that does not produce revenue,” said Doug Brown, founder of Black Book. According to 90% of hospital representatives surveyed, IT security budgets have remained level since 2016.”

The survey revealed hospital systems have increased their cybersecurity budgets to around 6% of their IT spend but spending on cybersecurity by physician organizations has decreased since 2018 and now stands at less than 1% of their IT budget.

When money is spent on cybersecurity, solutions are often purchased blindly or with little vision or discernment. The survey showed that between 2016 and 2018, 92% of data security purchase decisions were made by the C-suite without any users or affected department managers being involved in the purchasing decision.

Despite the threat of attack, 92% of healthcare organizations lack full time cybersecurity professionals and only 21% of hospitals said they had a dedicated security executive. Only 6% of those respondents said that individual was the Chief Information Security Officer (CISO). Physician groups are much less likely to have a CISO. Only 1.5% of physician groups with more than 10 clinicians said they had a dedicated CISO.

More CISOs and cybersecurity professionals are sorely needed, but it is unclear where those individuals will come from due to a nationwide shortage of skilled cybersecurity professionals. In the meantime, cybersecurity is having to be outsourced to managed service providers as a stop-gap measure.

Other key findings of the survey include:

  • 96% of IT professionals said threat actors are outpacing medical enterprises
  • More money is being spent on marketing to repair damaged reputations after a breach than is spent on combating the consequences of data breaches.
  • 35% of healthcare organizations did not scan for vulnerabilities before an attack
  • 87% of healthcare organizations have not had a cybersecurity drill with an incident response process
  • 40% of providers surveyed do not carry out measurable assessments of their cybersecurity status.
  • 26% of hospital respondents and 93% of physician organizations currently report they do not have an adequate solution to instantly detect and respond to an organizational attack.

The post Healthcare Data Breaches Predicted to Cost Industry $4 Billion in 2020 appeared first on HIPAA Journal.

FBI Issues Alert as Maze Ransomware Attacks Increase in the U.S.

Last week, the Federal Bureau of Investigation (FBI) issued a flash alert warning private companies in the United States about the threat of attacks involving Maze ransomware. The warning came just a few days after the FBI issued an alert about two other ransomware variants, LockerGoga and MegaCortex.

The Maze ransomware TLP: Green warning is not intended for public distribution as it provides technical details about the attacks and indicators of compromise which can be used by private firms to prevent attacks. If published in the public domain, it could aid the attackers.

In the alert, victims of Maze ransomware attacks were urged to share information with the FBI as soon as possible to help its agents trace the attackers and bring them to justice.

Maze ransomware was first identified in early 2019, but it was not until November 2019 when the first attacks hit companies in the United States. Those attacks have been increasing in recent weeks.

When network access is gained, data is exfiltrated prior to file encryption. A ransom demand is then issued specific to the organization. The attackers claim they will supply the keys to decrypt files and will destroy all data they stole in the attack. The attackers warn their victims that if payment is not made before the deadline is reached, they will start publishing the stolen data.

Maze ransomware was used in a recent attack on the City of Pensacola. When the ransom was not paid the attackers started publishing the stolen data. In December, the Carrollton, GA-based wire and cabling firm, Southwire, was attacked with Maze ransomware. An 850 BTC ($6 million) ransom demand was issued for the keys to decrypt files. The attackers said they had stolen data and threatened to publish it if the ransom was not paid. When no payment was received, the attackers created a website with an Irish ISP and started publishing the data.

Southwire successfully obtained a court injunction in Ireland forcing the ISP to take down the website that was being used by the Maze gang to publish its data. That website is now offline. Southwire also filed a lawsuit against the hackers in federal court in Georgia. Southwire alleges violations of the U.S. Computer Fraud and Abuse Act and is seeking injunctive relief and damages. Since the attackers are unknown, the lawsuit was filed against ‘John Doe.’

According to CyberScoop, which obtained a copy of the FBI alert, the threat actors use a variety of methods to attack businesses, including malicious cryptocurrency websites, malspam and phishing campaigns impersonating government agencies and security vendors, and ransomware downloads via exploit kits such as Fallout.

The FBI has urged private companies in the United States to heed its warning and take steps to strengthen their defenses and address vulnerabilities. In the event of an attack, the FBI does not recommend paying the ransom as there is no guarantee that valid keys to decrypt data will be supplied or that the stolen data will be destroyed.

The post FBI Issues Alert as Maze Ransomware Attacks Increase in the U.S. appeared first on HIPAA Journal.