The Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the healthcare and public health (HPH) sector about Royal ransomware attacks. Royal ransomware is a new ransomware threat that was first observed being used in attacks in September 2022. Attacks have been increasing and organizations in the HPH sector have been targeted.

Many ransomware threat actors run ransomware-as-a-service operations, where affiliates are recruited to conduct attacks for a percentage of the profits; however, Royal ransomware appears to be a private group, whose members have previously worked for other ransomware operations. Microsoft says a threat actor it tracks as DEV-0569 has been observed conducting Royal ransomware attacks, although several other actors are also part of the group.

The threat actors conducting the attacks are experienced and innovative, have been using new techniques and evasion tactics, and deliver a variety of post-compromise payloads. Like most other ransomware operations, Royal ransomware attacks involve data theft, with the threat actors publishing the stolen data if the ransom is not paid. The group is known to use hijacked Twitter accounts to send information to journalists to get media coverage to increase the pressure on victims. The ransom amount is often sizable, ranging from $250,000 to $2 million in the attacks conducted so far.

Once initial access has been gained to a victim’s network, the group deploys Cobalt Strike for persistence, harvests credentials, and moves laterally within networks. Shadow copies are deleted to hamper any attempt to recover files without paying the ransom, sensitive data is exfiltrated, then files are encrypted. Files may be fully or only partially encrypted, with the latter the faster option. Both will prevent files from being opened. An analysis of the ransomware showed the BlackCat ransomware encryptor was initially used, although this has now been changed to the group’s own encryptor (Zeon). The ransom note generated is similar to the note used in Conti ransomware attacks, which suggests there may be a link to that now-defunct ransomware operation.

Various methods are used to gain initial access to victims’ networks. The group uses malvertising – malicious adverts – to direct traffic to a site where a malicious file is downloaded, including Google Ads. The group has also been observed conducting phishing attacks with malicious URLs in the emails, and the malicious URL has been added to a variety of blog and forum posts. Malicious installer files have also been added to repositories and websites that claim to offer free software.

The group has also been observed compromising unpatched software vulnerabilities, vulnerabilities in VPN servers, credential abuse, and compromising Remote Desktop Protocol (RDP). The group also uses social engineering to trick people into installing remote access software in callback phishing attacks, impersonating software providers and food delivery services.

HC3 has shared indicators of Compromise (IoCs) in the alert to help network defenders identify intrusions.

The post Healthcare Organizations Warned About Royal Ransomware Attacks appeared first on HIPAA Journal.

Sen. Mark Warner (D-Va) recently published a white paper framing cybersecurity as a patient safety issue. The paper suggested several policy updates that could help improve healthcare cybersecurity and encourage healthcare organizations to invest more in cybersecurity, such as the introduction of an incentive program similar to the Meaningful Use program that rewards healthcare providers that make cybersecurity improvements.

Healthcare cybersecurity has never been as important as it is today and, as Warner explained, cybersecurity in healthcare “is exponentially growing in importance.” Warner says the white paper is a starting point to open up a discussion about changes that can be implemented to improve cybersecurity in the sector, rather than a blueprint for change.

At the heart of the white paper are three major challenges – The first is to improve federal oversight and appoint a leader with overall control or authority, rather than the current mishmash of agencies that have responsibilities related to healthcare cybersecurity. Then a change in mindset is required, where cybersecurity is viewed as a patient safety issue rather than a secondary concern. Cybersecurity needs to be baked into healthcare, not bolted on as an afterthought. Finally, and perhaps the biggest challenge to overcome is the current staffing shortage. There are simply not enough skilled workers to fill the cybersecurity roles in healthcare, so investment is needed in training and retention, especially since salaries in healthcare are typically lower than in other sectors. Together, solving these issues will be a major challenge.

Sen. Warner sought feedback from healthcare industry stakeholders on the white paper, with the comment period officially coming to an end on December 1, 2022; however, since the white paper covers such important issues, the deadline has been extended.

The white paper has received considerable praise from industry leaders, with the American Hospital Association and CHIME and AEHIS agreeing with many of the suggestions. Both have written to Sen Warner and have provided feedback and recommendations to better support their members.

AHA Feedback on Cybersecurity is Patient Safety White Paper

The AHA said “hospitals and health systems have prioritized protecting patients and defending their networks from cyberattacks. However, they need support from the federal government as the field continues to face targets from sophisticated cyber adversaries and nation-states.”

With respect to leadership, the AHA supports the appointment of a senior cybersecurity leadership role within the HHS and recommends better coordination between the HHS and the Cybersecurity and Infrastructure Security Agency (CISA), such as by improving delineation of specific authorities, roles, and responsibilities. The AHA confirmed it supports the Healthcare Cybersecurity Act, which authorizes cybersecurity training for the Healthcare and Public Health (HPH) sector, and calls for an analysis of cybersecurity risks faced by the HPH sector, especially regarding the impacts to rural hospitals, vulnerabilities of medical devices, and cybersecurity workforce shortages. The AHA has also strongly recommended financial incentives and qualifying grants to be made available to healthcare providers to support the implementation of cybersecurity technology and best practices, such as those detailed in the NIST guidelines and the HICP.

Greater support is required from the federal government for victims of cyberattacks

The AHA points out that many cyberattacks on the healthcare industry are either associated with or supported by nation-states, and as such, they are a national security issue, so the burden of defending against these attacks should not be shouldered solely by private sector organizations. The AHA has called for the federal government to consider ways to provide additional guidance and support to healthcare organizations that are victims of cyberattacks, especially to help them recover quickly, just like the federal government provides support to victims of terrorist attacks.

Help protect healthcare R&D and related intellectual property

The AHA supports tackling threats to healthcare IP through the existing Department of Justice Task Force on Intellectual Property, and for guidance to be released for industry and academia on evaluating the potential economic impact, reputational damage, loss of intellectual property, and other cybersecurity risks for health care research and development, and recommendations should be provided on how to best combat these threats. The AHA has also recommended small and rural research institutions be considered when drafting new guidance. The AHA has previously proposed a methodology that should be considered, which is based on four steps: educate, catalog, classify, and control.

NIST should release healthcare-specific guidance

The AHA says the NIST Cybersecurity Framework has been hugely beneficial for the healthcare industry but has recommended NIST further integrate healthcare cybersecurity subject matter experts into the development of its work products, and to release products and guidance focused on the healthcare industry. Since many healthcare organizations lack the financial resources to implement the NIST CSF, the AHA recommends offering financial incentives and qualifying grants to help them implement appropriate cybersecurity technology and the best practices outlined in the NIST CSF.

Modernize HIPAA to better address healthcare cybersecurity

While a new regulatory framework could be implemented to improve healthcare cybersecurity, the AHA says this is likely to be problematic. Instead, the AHA recommends modernizing HIPAA to address the current cyber threat landscape. The AHA has also called for the HHS to provide model language that can be used to help healthcare providers explain to patients the risks associated with accessing their health data through an app and to expand HIPAA to cover software applications and consumer devices that collect health information, to ensure they comply with the same privacy and security standards.

Support for workforce development programs and student loan forgiveness

The AHA supports the development and promotion of workforce training programs in cybersecurity and the funding of targeted internships or other programs to place cybersecurity professionals in small and rural facilities. The AHA supports student loan forgiveness and suggests that in order to qualify, workers should serve consistently for at least three years in a primary cybersecurity role in small and rural hospitals.

Create an incentive program to improve healthcare providers’ cybersecurity capabilities

AHA has expressed support for ensuring appropriate minimum cyber hygiene practices are adopted but says the Medicare Conditions of Participation (CoPs) and Conditions of Coverage (CoCs) are not the ideal places for monitoring minimum cybersecurity practices. While CoPs and CoCs are enforced by surveyors from either state agencies or contracted accrediting bodies, the surveyors are not necessarily cybersecurity experts. Further, the CoPs and CoCs are not updated frequently enough to reflect changes in cyber hygiene practices, and making frequent changes would require extensive resources and could result in confusion and distrust of the integrity of the CoPs.

Address the issue of insecure legacy systems

The AHA has called for manufacturers of legacy devices to provide a secure environment to ensure safe patient care, including wrapping security precautions around these devices and adding security tools and auditing capabilities. Regular updates and patches should be provided for all software, and vulnerabilities should be communicated rapidly. The FDA should also make it clear that security updates are required, not optional. The AHA also supports the provision of a software bill of materials to help healthcare organizations manage the security of their devices and confirmed it supports the PATCH Act, which Congress should pass.

Address the cost of cybersecurity improvements

Updating technology to improve cybersecurity comes at a considerable cost to healthcare providers. One way to support healthcare organizations financially would be to make sure that Medicare and Medicaid fixed payments accurately reflect the cost of care. Many hospitals rely on these payments, but they are often less than the cost of providing care. The AHA warns that now is not the time to make cuts to these payments.

Support recovery from cyberattacks and establish a disaster relief program

The AHA has called for the strategic national stockpile (SNS) to be augmented with common equipment needed by hospitals facing cyberattacks and to include specialized cybersecurity resources for cyberattacks in the SNS for healthcare organizations, as hospitals are considered part of the critical infrastructure of the nation. The AHA also supports the creation of a cyber disaster relief program that provides financial, technical, and human resources during and post-attack, and for the government to create a reinsurance program to assist victims of high-impact cyberattacks, akin to victims of international terrorist attacks.

CHIME & AEHIS Feedback on Cybersecurity is Patient Safety White Paper

CHIME and AEHIS have applauded the efforts of Sen. Warner and his commitment to highlighting and ameliorating the patient safety and national security risks posed to the healthcare sector by cyberattacks and calls for Congress to act now to improve the security of the healthcare sector. Feedback has been provided on several issues and policy changes outlined in the white paper, the key suggestions are detailed below.

Address funding challenges

CHIME/AEHIS recommend Congress increase funding for the HHS for cybersecurity for each of ASPR, HC3, and the 405(d) program, create a grant program specifically for small, medium, and under-resourced providers to help them make rapid improvements to cybersecurity, and to create a voluntary incentive program for healthcare providers to offset investments in cybersecurity. CHIME/AHGIS agree with the suggested ‘cash for clunkers’ program, but says this should be for healthcare providers, not device manufacturers.

405(d) program

CHIME/AEHIS believe the ASPR should remain the SRMA and the 405(d) program should continue to support the sector’s joint public-private partnership in developing best practices and other tools to improve the sector’s cybersecurity posture, and recommends the HHS engage in more education efforts and use the CMS as an outreach channel to improve awareness and education about 405(d) and other free federal resources on cybersecurity.

Penalties and incentives

CHIME/AEHIS have made several suggestions about penalties and incentives, recommending the latter is a better strategy than punitive actions. Like the AHA, CHIME/AEHIS advise against using CoPs to drive the adoption of cybersecurity best practices, saying this should be avoided at all costs. CHIME/AEHIS also propose a reduction in OCR penalties for victims of cyberattacks, and not to force under-resourced providers to shoulder the entire burden of cybercrimes.

There should also be a greater emphasis on unmasking, charging, and prosecuting cybercriminals, and punishments for individuals who attack the healthcare sector should be increased. CHIME/AEHIS also suggest a broadening of the types of technology eligible for donation under Stark and Antikickback policies, and prohibit donor recipients from taking legal action against their donor in the event of a cyber incident.

Incentives should include establishing a cybersecurity incentive program to the 405(d) Program’s best practices as detailed in HICP, to recognize and reward HCIP best practices, and for funding to be prioritized for small, medium, and under-resourced providers, as well as providers who were not eligible for electronic health record (EHR) incentives. CHIME suggests the CMS should oversee the cybersecurity incentive programs.

Medical device security

CHIME/AEHIS are supporters of the PATCH Act and strongly recommend Congress pass this legislation to give the FDA greater oversight of medical device manufacturers, they also suggest the FDA should be authorized to issue legally binding regulations and that the 2017 Task Force should be reconvened to develop a plan to prioritize the medical devices that are eligible for a replacement program.

Several recommendations have been made concerning medical device manufacturers, including prohibiting the sale of devices with software that is no longer supported or at end-of-life, supporting devices to ensure they are not sunsetted, directly notifying providers about software updates, vulnerabilities, and patches, and as per the PATCH Act, to ensure a software bill of materials is provided.

Patient privacy

CHIME/AEHIS recommend the FDA and OCR better align their guidance and enforcement activities, specifically to ensure that medical device manufacturers are meeting their obligations as HIPAA business associates. While the AHA recommends an update to HIPAA, CHIME/AEHIS suggest a new national privacy law be created covering non-HIPAA-covered health data, and until such a privacy law is passed, app developers must inform consumers about how their health data is being used. They also call for the FTC to be provided with sufficient funding to enforce the Health Breach Notification Rule.

Cyber insurance

CHIME/AEHIS suggest greater insight is needed for private cyber insurance carriers, and the government should establish a catastrophic cyber insurance program to help healthcare providers offset the extremely high costs of cyberattacks. That program would also serve as a backstop for providers that have been unable to obtain cyber insurance coverage on the open market.

Workforce shortages

To address the current workforce shortage in cybersecurity, a federal workforce development program should be created, access should be given to free cyber training under the Regional Extension Centers (RECs) model, and student loan forgiveness programs should be established for individuals taking on cybersecurity roles in healthcare.

The post Industry Groups Provide Feedback on Sen. Warner’s ‘Cybersecurity is Patient Safety’ White Paper appeared first on HIPAA Journal.

The security of medical devices is one of the biggest cybersecurity concerns in healthcare. Hospitals continue to add more connected medical devices and by doing so they significantly increase the attack surface. One recent survey found a strong link between the number of connected medical devices at medical practices and the number of cyberattacks they experience. Connected medical devices often have vulnerabilities that can be exploited, and provide hackers with an easy way to gain access to healthcare networks.

New legislation is being considered to force healthcare organizations to make medical device security a priority and to require the manufacturers of medical devices to do more to ensure the security of their devices for their entire lifecycle. For example, the Protecting and Transforming Cyber Health Care (PATCH) Act seeks to amend the Federal Food, Drug, and Cosmetic Act by requiring cybersecurity measures to be included in premarket submissions to demonstrate the safety and effectiveness of the devices throughout the product’s entire lifecycle.

Until new legislation is introduced, healthcare organizations need to make medical device cybersecurity a priority, but many find improving security a challenge. To make that process easier, the cybersecurity company Ordr, a leader in connected device security, has published a maturity model that serves as a framework to help healthcare organizations evaluate the security of their medical devices, benchmark their connected device security efforts, and develop an effective strategy for improving the strength of their security program.

The guidance document – A Practical Guide to Implementing Connected Device Security for Healthcare Organizations – helps healthcare organizations understand their current level of security maturity and identify where they need to focus their efforts to make improvements. The guide includes five levels of maturity, states the business value that can be achieved at each of the five stages, and provides recommended actions and insights to help security teams focus their efforts on the journey to zero trust.

The first stage is asset visibility – In order to secure medical devices, a healthcare organization must know where these devices are, the firmware versions they are running, and all software associated with the devices, so a complete, accurate, and up-to-date inventory must be maintained. The second stage concerns vulnerability and risk management. Healthcare organizations at this stage have combined device vulnerability insights, established device behavior baselines, reviewed external threat intelligence, and have a comprehensive view of the attack surface to guide their security efforts.

The third stage is reactive security, which is using the insights gained and the risk-based view identified in the previous stages to prioritize risk mitigation. The fourth stage is proactive security, involving automating policies and workflows to ensure threats can be rapidly detected and mitigated and implementing zero trust segmentation.  The final stage is optimized security, where all previous security efforts are expanded and optimized with automation and zero trust security policies are fully implemented.

“Organizations cannot expect to reach the Optimized Security stage instantly. Each stage establishes critical capabilities, builds upon previous stages, and creates value on the journey to Zero Trust,” Brad LaPorte, author of the guide and former Gartner cybersecurity analyst. “No matter where you are on this journey and what your ultimate goal is, this guide provides essential insights to understanding your security posture – and what is needed to improve.”

The post Guide Released for Assessing and Improving Connected Medical Device Security appeared first on HIPAA Journal.

The medical Internet of Things (IoT) is helping to improve efficiency and make healthcare more patient-centric; however, as hospitals increase the number of networked medical devices, the attack surface increases, giving malicious actors more opportunities to conduct attacks.  Connected devices with IoT sensors such as insulin pumps, defibrillators, and glucose monitors often have vulnerabilities that can be exploited. Part of the problem is medical devices are developed to perform important functions, but security is an afterthought. The devices are often highly vulnerable to cyberattacks and can be difficult to secure. If a malicious actor exploits those vulnerabilities, they will be able to gain a foothold in the network, access sensitive patient data, and potentially make changes to the devices and endanger patients.

Capterra recently conducted a survey on 150 healthcare respondents in the United States to explore the current state of medical IoT security and determine whether medical practices with a high percentage of their medical devices connected to the Internet were experiencing more cyberattacks.  75% of surveyed healthcare practices said they have experienced a cyberattack and 41% said they have experienced multiple attacks. The survey confirmed that these attacks usually negatively affect patients. The survey also found 67% of healthcare cyberattacks involved patient data and violated patient privacy and almost half (48%) had an impact on patient care. Only 10% of cyberattacks had no impact on patient care or patient data.

The survey found that medical practices that had a higher percentage of networked or Internet-connected medical devices were experiencing more cyberattacks than medical practices with a low percentage of connected medical devices.  83% of medical practices that had 70% or more of their medical devices connected to the Internet had experienced one or more cyberattacks, compared to 74% that had 51%-70% of connected devices, and 67% that had 50% or fewer of their devices connected to the Internet.

Medical practices that have more than 70% of their medical devices connected to the network were 24% more likely to experience a cyberattack than practices that had just 50% or fewer connected devices and were 52% more likely to experience multiple cyberattacks. 40% of surveyed medical practices said they had between 51% and 70% of their medical devices connected to the Internet and 34% have more than 70% of their devices connected to the Internet. Only 26% of medical practices said half of fewer than 50% of their medical devices were connected to the Internet.

53% of surveyed healthcare IT staff said they believe the current cybersecurity threat level is high or extremely high, but despite the threat of cyberattacks, many healthcare organizations are failing to secure their connected medical devices. 57% of healthcare IT staff said they do not change the default username and password on their devices, even though the default usernames and passwords can easily be found online. 82% of healthcare organizations run their medical devices on outdated Windows systems, and 68% of healthcare IT staff said they do not always update the firmware on the devices when patches are made available.

“As a healthcare organization connects more medical devices to its network, its attack surface expands,” says Zach Capers, senior security analyst at Capterra. “Connected medical devices often go unmonitored for security vulnerabilities, and because they run on a wide array of software and hardware platforms, it’s difficult to monitor with a single tool. This means that many connected medical devices are left wide open to cyberattacks.”

Healthcare organizations need to be proactive and improve medical device security, which means conducting routine vulnerability assessments before connecting any medical devices to the network, maintaining an accurate inventory of all medical devices and the software and firmware associated with those devices, and monitoring for firmware updates and patches and ensuring that they are applied promptly when they are released.

The post Medical Practices with a High Percentage of Connected Medical Devices Experience More Cyberattacks appeared first on HIPAA Journal.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint cybersecurity advisory about Cuba Ransomware and have shared details of the tactics, techniques, and procedures (TTPs) used by the group, along with Indicators of Compromise (IoCs) to help network defenders improve their defenses against attacks and rapidly detect computer intrusions. The Health Sector Cybersecurity Coordination Center says the group poses a significant threat to the healthcare and public health sector.

The Cuba ransomware group has increased attacks in the United States, with attacks doubling since December 2021, and ransom payments are also on the rise. Globally, more than 100 organizations have been targeted by the gang and more than $145 million in ransom demands have been issued, with the group known to have received at least $60 million in ransom payments. The group targets critical infrastructure organizations, with at least 65 critical infrastructure entities known to have been attacked in the United States, including those in healthcare and public health, government facilities, financial services, critical manufacturing, and information technology.

According to CISA and the FBI, there are similarities between the infrastructure used by the Cuba ransomware operation and the RomCom RAT and Industrial Spy ransomware actors. The group uses RomCom for command and control of the ransomware and sells stolen data through the online market used by the Industrial Spy actors if victims refuse to pay the ransom.  In one attack, The Cuba ransomware gang deployed the RomCom RAT on the network of a healthcare company, suggesting strong links between these three groups. The group is also known to use a dropper that was signed using the same certificate that was found in the LAPSUS NVIDIA data leak.

The Cuba ransomware group uses a variety of methods to gain initial access to victims’ networks, including exploiting vulnerabilities in unpatched commercial software – including CVE-2022-24521 (Windows Common Log File System), CVE-2020-1472 (ZeroLogon), phishing, compromised credentials, and remote desktop protocol (RDP) tools. Once access is gained, the ransomware is distributed using a loader called Hancitor, which is also used for dropping information stealers RATs, and other malicious payloads. Before encrypting files, the group exfiltrates data to pressure victims into paying the ransom demands.

CISA and the FBI previously issued a security advisory about the group in December 2021; however, the group has modified its TTPs, which have been included in the latest security alert along with IoCs, MITRE ATT&CK techniques, and recommended mitigations.

The post Healthcare Sector Warned About Cuba Ransomware Attacks appeared first on HIPAA Journal.

There was a slight downturn in ransomware attacks in Q3, although it is too early to tell if that downward trend will continue. Even with the reduction in attacks, ransomware is still the biggest cyber threat faced by organizations, and the attacks are among the costliest cybersecurity incidents to mitigate. Attacks on the healthcare industry continue to be conducted in high numbers, with several groups targeting the sector, even though the attacks have the potential to result in loss of life.

Guidepoint Security’s Research and Intelligence Team (GRIT) has been tracking the activity of ransomware gangs and identified 27 active ransomware groups in Q3, a slight decrease from Q2 when there were 30 groups conducting attacks. In Q3, there were 568 publicly posted ransomware victims – a 2.2% decrease from the 581 victims publicly posted in Q2. In Q3, new victims were publicly posted at a rate of 6.24 per day. Of course, there are some caveats with these findings. Some ransomware groups do not add all of their victims to their data leak sites, and some offer not to publicly release any information about an attack if the ransom is paid promptly. That said, figures published by the ransomware remediation firm Coveware indicate the number of organizations paying ransoms is declining.

The report shows that the ransomware threat is greatest in the United States, which is the most targeted country with 38.9% of total victims, followed by France (6.2%), and the United Kingdom (5.6%). Attacks in Spain increased significantly in Q3, which saw the country rise to 4^th spot with 4.9% of attacks. Attacks are also being conducted more widely, with 16 countries targeted for the first time this year in Q3, and 6 of those countries targeted for the first time ever.

The most prolific ransomware groups in Q3 were LockBit, BlackBasta, Hive, AlphV, Bianlian, and Vice Society, with LockBit by far the most prolific operation. LockBit is known to target the healthcare sector, and a warning about the group was recently issued by the Health Sector Cybersecurity Coordination Sector (HC3). The group increased the number of attacks in September compared to the previous two months, and accounted for 42% of all publicly posted victims, increasing from 211 victims in Q2 to 235 in Q3.

Blackbasta was the second most prolific group and there was a 32% increase in victims in Q3, with Hive in third place with attacks increasing by 104% in the quarter. A warning was also issued by HC3 about Hive recently. Hive actively targets the healthcare industry, with 12.8% of its victims in the healthcare and public health (HPH) sector – twice the percentage of HPH sector victims as LockBit. While the healthcare industry is actively targeted by several ransomware groups such as LockBit and Hive, some choose not to attack the sector. Even so, the industry ranked third in terms of victim count in Q3, with LockBit, Hive, and BianLian claiming the highest number of victims. Manufacturing ranked first for publicly posted victims, with technology ranking second.

So far this year, 44 ransomware groups have been observed conducting attacks, and there have been 1,846 publicly posted victims. 8 new ransomware operations emerged in Q3, including Sparta, which made the top 10 in terms of the number of victims. The group has so far conducted all of its attacks on organizations in Spain. Combined, two previously highly active groups, Vice Society and Quantum, decreased attacks by 48% and 57% respectively in Q3.

The post Healthcare Ransomware Threat High Despite Slight Downturn in Attacks in Q3 appeared first on HIPAA Journal.

The healthcare and public health sector (HPH) has been warned about the threat of ransomware attacks by the Lorenz threat group, which has conducted several attacks in the United States over the past two years, with no sign that attacks are slowing.

Lorenz ransomware is human-operated and is deployed after the threat actors have gained access to networks and have exfiltrated data. Once access to the network is gained, the group is known to customize its executable code and tailor it for each targeted organization. The Lorenz actors maintain persistence and conduct extensive reconnaissance over an extended period of time before deploying ransomware to encrypt files. The group engages in double extortion tactics, where sensitive data is exfiltrated prior to file encryption and ransom demands are issued to prevent the sale or publication of that data, in addition to payment being required to obtain the keys to decrypt files.

Many ransomware threat actors steal data and threaten to publish the stolen files on a data leak site if the ransom is not paid. The process used by Lorenz is somewhat unique. If after attempting to engage with a victim the ransom payment is not forthcoming, the group attempts to sell the stolen data to other threat actors and competitors. If the ransom is still not paid, Lorenz publishes password-protected archives containing the stolen data on its data leak site. If the group is unable to monetize the stolen data, the passwords for the archives are then published, which allows anyone to access and download the stolen data. There have been cases where the group has maintained access to victims’ networks and has sold that access to other threat groups.

Lorenz engages in big game hunting, most commonly targeting large organizations, with the ransom demands typically in the range of $500,000 to $700,000. There have been no known attacks on non-enterprise targets, and the majority of victims have been English-speaking. In contrast to most other ransomware gangs, relatively little is known about this group. Methods known to have been used by the group to gain initial access to victims’ networks include phishing, compromising remote access technologies such as RDP and VPNs, exploiting unpatched vulnerabilities in software and operating systems, and conducting attacks on managed service providers (MSPs), and then pivoting to attack MSP clients.

The Health Sector Cybersecurity Coordination Center (HC3) Analyst Note includes references, known Indicators of Compromise, and other resources that can be used by network defenders to improve their defenses against Lorenz ransomware attacks.

The post HPH Sector Warned About Lorenz Ransomware Group appeared first on HIPAA Journal.

The Hive ransomware-as-a-service (RaaS) operation first emerged in June 2021 and has aggressively targeted the health and public health sector (HPH) and continues to do so. From June 2021 until November 2022, the group conducted attacks on more than 1,300 organizations worldwide, generating more than $100 million in ransom payments.

Victims in the HPH sector include the public health system in Costa Rica, Partnership HealthPlan of California, Memorial Health System, Missouri Delta Medical Center, Southwell, Hendry Regional Medical Center, and Lake Charles Memorial Health System, with the latter currently recovering from the attack that occurred this month. The attacks put patient safety at risk and have forced hospitals to divert ambulances, cancel surgeries, postpone appointments, and close urgent care units.

On November 17, 2022, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) issued a joint alert to the HPH sector warning about the risk of attacks and shared Indicators of Compromise (IoCs) and details of the tactics, techniques, and procedures (TTPs) used by the group, along with recommended mitigations for blocking, detecting, and mitigating attacks.

Hive has sophisticated capabilities, engages in double extortion tactics, and publicly releases stolen data on its leak site when victims refuse to pay the ransom. The group has been known to reinfect victims that have attempted to recover without paying the ransom. As a RaaS operation, affiliates are recruited to conduct attacks on behalf of the gang for a cut of the ransom payments they generate, with the affiliates having areas of expertise for gaining access to victims’ networks.

The most common methods used for initial access are exploiting vulnerabilities in Remote Desktop Protocol (RDP) and other remote network connection protocols, compromising Virtual Private Networks (VPNs), conducting phishing attacks using malicious attachments, and exploiting unpatched vulnerabilities, including the CVE-2020-12812 vulnerability to access FortiOS servers, and the Microsoft Exchange Server vulnerabilities CVE-2021-31207, CVE-2021-34473, CVE-2021-34523.

Once access to networks has been gained, the group identifies processes related to backups, antivirus/anti-spyware, and file copying, and terminates those processes. Volume shadow copy services are stopped and all existing shadow copies are deleted, and Windows event logs are deleted, specifically the System, Security, and Application logs. Prior to encryption, virus definitions are removed and all portions of Windows Defender and other common antivirus programs are disabled in the system registry, and sensitive data is exfiltrated using Rclone and the cloud storage service Mega.nz. The group operates a live chat service to engage with victims and has also been known to contact victims by phone and email to discuss payment. Ransom demands can be considerable, ranging from several thousand to millions of dollars.

Healthcare organizations are urged to read the joint security alert, monitor their systems using the provided IoCs, harden defenses against the identified TTPs, and implement the recommended mitigations.

The post Feds Issue Warning to HPH Sector About Aggressive Hive Ransomware Group appeared first on HIPAA Journal.