The prolific LockBit ransomware-as-a-service (RaaS) group has been severely disrupted by a global law enforcement operation that has seen much of the group’s infrastructure seized, including servers, its affiliate portal, Tor sites, Stealbit data exfiltration tool, public-facing data leak site, and more than 200 cryptocurrency wallets. Two individuals who conducted attacks using LockBit ransomware have been arrested in Poland and Ukraine, and they will be extradited to the United States to face trial. The French and U.S. judicial authorities have also issued three international arrest warrants and five indictments. More than 1,000 decryption keys were obtained and a free decryptor for LockBit 3.0 has been created and made available on the No More Ransom portal. The seizure of the cryptocurrency wallets means it might be possible for victims to recover some of the ransoms they paid.

LockBit was branded the world’s most harmful cybercrime group by the UK’s National Crime Agency (NCA). The RaaS group has been active for the past four years and has targeted thousands of organizations around the world, and in Q3, 2023 alone the group added 275 new victims to its data leak site. The group has conducted many attacks on critical infrastructure entities, including healthcare organizations, and the attacks have caused billions of dollars of losses. According to the Department of Justice, the group conducted attacks on more than 2,000 victims, issued ransom demands of hundreds of millions of dollars, and had been paid at least $120 million.

Law enforcement agencies in 10 countries participated in “Operation Cronos,” which was headed by the NCA and coordinated by Europol and Eurojust. The operation commenced in April 2022 and has resulted in 34 servers being taken down in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom, and more than 14,000 rogue accounts have been identified and referred for removal by law enforcement. The accounts were used by LockBit members for hosting tools and software used in attacks and for storing data stolen from victims.

The affiliate panel now displays a message for all affiliates from the NCA, FBI, Europol, and the Operation Cronos Law Enforcement Task Force. “Law enforcement has taken control of LockBit’s platform and obtained all the information on its servers. This information relates to the LockBit group and you, their affiliate. We have source code details of the victims you have attacked, the amount of money stolen, chats, and much, much more. You can thank LockBitSupp and their flawed infrastructure for this situation… we may be in touch with you very soon.”

LockBitSupp is the threat actor that controls the LockBit RaaS operation, with the LockBitSupp persona believed to be run by one or two individuals. The Russian-speaking threat actor claimed that the law enforcement operation exploited a critical PHP vulnerability, CVE-2023-3824, that was first disclosed in August 2023. The vulnerability leads to a stack buffer overflow, potential memory corruption, and remote code execution.

The takedown of the group’s infrastructure is significant and the extent of the data breach will be of concern to affiliates of the group, especially those that reside in locations where they can be reached by law enforcement. It is unlikely, however, that the core members of the group will be brought to justice as they are believed to reside in Russia. They may choose to rebuild and return with a new operation, as ransomware groups typically do following law enforcement disruption.

“A vast amount of data gathered throughout the investigation is now in the possession of law enforcement,” explained Europol. “This data will be used to support ongoing international operational activities focused on targeting the leaders of this group, as well as developers, affiliates, infrastructure and criminal assets linked to these criminal activities.”

The U.S. Department of State is also offering a reward of up to $15 million via the Transnational Organized Crime Rewards Program for anyone with information about LockBit associates, including a reward of up to $10 million for information leading to the identification or location of any individual who holds a leadership role in the LockBit operation, and a reward offer of up to $5 million for information that leads to the arrest and/or conviction of any individual conspiring to participate in or attempting to participate in LockBit ransomware activities.

The post International Law Enforcement Operation Takes Down LockBit RaaS Infrastructure appeared first on HIPAA Journal.

Healthcare organizations that have been unable to recover files that were encrypted in Rhysida ransomware attacks may now be able to recover the files for free as a decryptor has been released.

Rhysida is a ransomware-as-a-service operation that emerged in May 2023. Like many emerging ransomware groups, attacks have been conducted on U.S. healthcare organizations. In August 2023, following attacks on the healthcare and public health sector, the HHS’ Health Sector Cybersecurity Coordination Center issued an alert about the group. In November, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint cybersecurity advisory and shared indicators of compromise and mitigations.

Organizations that were unable to prevent attacks and chose not to pay the ransom may now be able to recover their encrypted files. Researchers in South Korea identified an encryption flaw in the encryptor used by Rhysida ransomware, which has allowed them to develop a Windows decryptor. The random number generator (CSPRNG) used to generate a unique private encryption key was flawed, which allowed them to determine the initial state of CSPRNG during an attack. Since the method used does not include high entropy data sources, the seed value used when encrypting files is predictable. Knowing the initial CSPRNG state and then reviewing logs and other data at the time of the infection allowed the researchers to identify a range for the seed value. The decryptor tries potential seed values until it finds the correct value and from there it is possible to determine all random numbers used to encrypt files and recover all locked data.

An automated decryption tool was developed and has been made available free of charge on the Korean Internet & Security Agency (KISA) website along with a technical paper in English and Korean that explains how to use the decryptor. The decryptor can only be used to recover files that have been encrypted using the Rhysida Windows encryptor. Several cybersecurity firms had already found the flaw and were able to recover files encrypted by Rhysida. Unfortunately, now that the flaw has been made public, the ransomware developer is likely to fix it. When that happens, recovery of files will only be possible from backups or by paying the ransom.

The post Free Decryptor Released for Rhysida Ransomware appeared first on HIPAA Journal.

A bipartisan Senate bill has been introduced that aims to improve healthcare cybersecurity and ensure that the Department of Health and Human Services (HHS) is implementing effective cybersecurity measures to combat evolving cyber threats. In 2023, record numbers of healthcare records were compromised, and more data breaches were reported than in any other year to date. More than 133 million healthcare records were compromised in 2023 across more than 725 reported breaches, the majority of which were hacking incidents.

Healthcare organizations must ensure that they are compliant with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which sets minimum standards for cybersecurity. The HHS is the main enforcer of compliance with the HIPAA Rules and issues guidance on healthcare cybersecurity. The HHS also manages the health data of approximately 65 million Americans who receive healthcare services through Medicare. As such, it is vital that the cybersecurity measures at the HHS are robust and capable of defending against evolving cyber threats.

The Strengthening Cybersecurity in Health Care Act was introduced by Senator Angus King (I-MA), Co-Chair of the Cybersecurity Solarium Commission and a member of the Senate Armed Services (SASC) and Intelligence Committees (SSCI), and Senator Marco Rubio (R-FL) and takes aim at the HHS and the cybersecurity protocols and practices that the HHS has introduced to combat evolving cyber threats.

“In recent years, several of Maine’s major healthcare providers have been the victims of cyberattacks. This threat to America’s critical infrastructure is real, and could literally mean the difference between life and death — we must take proactive steps to enhance the cybersecurity of our healthcare and public health sectors,” said Senator King. “The bipartisan Strengthening Cybersecurity in Health Care Act would help ensure that health institutions have the resources to keep patient data safe. As the number of threats continues to grow, consistent evaluations will prove to be a lifeline to the medical community treating our family and friends.”

The Strengthening Cybersecurity in Health Care Act requires the Inspector General of the HHS to evaluate the cybersecurity practices and protocols of the HHS. At least every two years, cybersecurity reviews and penetration tests should be conducted on HHS IT systems, and biennial reports should be submitted to Congress on the current cybersecurity practices at the HHS and its progress on future security practices that it is working on.

The post Bipartisan Bill Aims to Ensure the HHS is Implementing Effective Cybersecurity Measures appeared first on HIPAA Journal.

An amended Federal Trade Commission (FTC) complaint against the data broker Kochava has survived a motion to dismiss. Idaho District Court Judge, B. Lynn Winmill, dismissed the first FTC complaint in May 2022 as the FTC failed to establish that the business practices of Kochava constituted a substantial injury to consumers. In dismissing the complaint, Judge Winmill permitted the FTC to file an amended complaint, which the FTC did in June 2023.

In its complaints, the FTC accused Kochava of invading consumers’ privacy and exposing them to risk by selling their precise geolocation information and other sensitive data to third parties. Geolocation data reveals consumers’ visits to sensitive locations such as abortion clinics, places of worship, addiction treatment facilities, and shelters for survivors of domestic abuse. The FTC explained in its complaint that Kochava obtains sensitive data from other data brokers and does not interact directly with consumers; however, the data amassed by Kochava and sold through its Kochava Collective product is highly granular and contains detailed information about the precise movements of consumers.

The precise geolocation information is obtained from mobile phones which are associated with a persistent and individual identifier. The geolocation data includes consumers’ movements over days, weeks, months, or even years and is accurate to a few meters. As such, it is possible to tell which buildings consumers are in, and in some cases, even the room they are in. The data sold by Kochava directly links to the geolocation data and can include information such as names, addresses, email addresses, and phone numbers. Kochava also collects and sells enormous amounts of additional private and sensitive information of consumers.

Kochava sells data in different forms in the Kochava Collective, which includes precise geolocation data, comprehensive profile of individual consumers (database graph), tracking consumers’ uses of mobile apps (App Graph), and audience segments, which categorize consumers based on identified sensitive and personal characteristics and attributes. The FTC explained in the amended complaint that Kochava’s customers can and do purchase that data and provided an example of the level of detailed information that can be purchased. “Kochava’s data identifies, for example, a woman who visits a particular building, the woman’s name, email address, and home address, and whether the woman is African-American, a parent (and if so, how many children), or has an app identifying symptoms of cancer on her phone.” The FTC said Kochava makes it clear to potential buyers that the purpose of the Kochava Collective is to sell this level of granular consumer data.

The FTC alleges the sale of this information harms consumers in two ways. Consumers are put at risk of suffering secondary harms such as discrimination, stigma, emotional distress, and physical violence, and secondly, it invades their privacy. While the initial complaint failed to sufficiently allege a substantial injury, Judge Winmill ruled that the FTC included sufficient facts in its amended complaint to support both types of harm and the detail was sufficient to satisfy the liberal plausibility standard that the alleged practices of Kochava may violate Section 5 of the FTC Act which covers unfair business practices.

While Kochava’s motion to dismiss was denied, the company still believes that it will prevail. A spokesperson for Kochava said, “Kochava has always operated consistently and proactively in compliance with all rules and laws, including those specific to privacy.” Prior to the FTC complaint being filed, Kochava had already implemented measures to protect consumer privacy, including implementing the Privacy Block feature, which blocks geolocation data from sensitive locations such as those stated in the FTC complaint.

The FTC has been pursuing data brokers over the sale of sensitive data to third parties and recently announced settlements with X-Mode Social/Outlogic and InMarket Media, which the FTC claims have put companies on notice that the period of unchecked monetization and surveillance of consumers’ sensitive data is over.

The post FTC’s Amended Complaint Against Kochava Survives Motion to Dismiss appeared first on HIPAA Journal.

The Government Accountability Office (GAO) has found that most federal agencies that manage risk for critical infrastructure sectors have assessed or plan to assess risks associated with ransomware, but they have not gauged the use of leading cybersecurity practices nor determined whether federal support has effectively managed risks in critical infrastructure sectors. Ransomware attacks have increased over the past few years and organizations in critical infrastructure sectors are being extensively targeted. According to the Department of the Treasury, the total value of ransomware attacks in the United States reached $886 million in 2021, up 68% from the previous year. Many of the attacks have been on healthcare organizations and have negatively affected patients by causing delays in treatment and diagnosis.

According to the Federal Bureau of Investigation (FBI), 870 critical infrastructure organizations were affected by ransomware attacks in 2022 and almost half of those attacks were on four critical infrastructure sectors – critical manufacturing, energy, healthcare and public health, and transportation systems. In February 2022, the National Institute of Standards and Technology (NIST) developed a framework for managing ransomware risk, which can be used by organizations to identify and prioritize opportunities for improving security and resilience against ransomware attacks. What is unclear is the extent to which the security practices recommended by NIST to combat ransomware have been implemented across critical infrastructure sectors.

GAO conducted a study to assess federal agency efforts to oversee sector adoption of leading federal practices and evaluate federal agency efforts to assess ransomware risks and the effectiveness of the support they have provided. GAO analyzed documentation related to reporting, risk analysis, and mitigation strategies and compared those efforts to NIST guidance on cybersecurity specific to ransomware. GAO found that the assessed Sector Risk Management Agencies (SRMAs) do not have reliable data on the extent to which the NIST recommendations have been implemented, and until such time that they have that knowledge, the White House’s goal of improving critical infrastructure’s resilience to withstand ransomware threats will be more difficult to achieve.

Most of the SRMAs assessed by GAO had already assessed or plan to assess the risks of cybersecurity threats such as ransomware for their respective sectors, as required by law, but only half of the agencies had evaluated aspects of the support they provided in their respective sectors and none had fully assessed the effectiveness of that support. GAO has made 11 recommendations to the Department of Energy (DoE), Department of Health and Human Services (HHS), Department of Homeland Security (DHS), and Department of Transportation (DoT). GAO recommended the Secretaries of the DoE, HHS, DHS, and DoT should coordinate with the Cybersecurity and Infrastructure Security Agency (CISA) and determine the extent to which their sectors are adopting leading cybersecurity practices to combat ransomware. They should also develop and implement routine evaluation procedures that measure the effectiveness of federal support in helping reduce the risk of ransomware in their respective sectors.

The HHS agreed with the recommendations and believes that it has already met one of the recommendations, as it conducted an initial evaluation of the sector’s adoption of cybersecurity practices through prior efforts, such as its April 2023 Hospital Resiliency Landscape Analysis study to measure the adoption of recommended cybersecurity practices in hospitals, and it has developed a Risk Identification and Site Criticality Toolkit. GEO recognized the steps that have already been taken but said the HHS is not yet tracking the sector’s adoption of specific practices that reduce ransomware risk, therefore its recommendations still stand.

The post GAO: Federal Agencies Need to Enhance Oversight of Ransomware Practices appeared first on HIPAA Journal.

The Healthcare and Public Health (HPH) Sector has been warned about cyberattacks involving Akira ransomware, of which there have been at least 81 since the new ransomware variant was discovered in May 2023. This is the second alert to be issued by the HHS’ Health Sector Cybersecurity Coordination Center in the past 6 months, with the latest alert including updated information on the tactics, techniques, and procedures (TTPs) used by the group.

Since the group operates out of Russia, attacks on targets in the Commonwealth of Independent States (CIS) are prohibited. The majority of Akira ransomware victims are located in the United States and most of its victims have been located in California, Texas, Illinois, and states on the East Coast, especially the Northeast. The group has conducted attacks on targets in multiple sectors, with materials, manufacturing, goods and services, construction, education, finance, legal, and healthcare favored.

Akira is a ransomware-as-a-service (RaaS) operation that is thought to have ties to the Conti ransomware group. Conti was a prolific ransomware group that wreaked havoc over a two-year period from 2020 but was suddenly shut down in 2022. The TTPs used by Akira are similar in many areas to Conti, which suggests that the groups are linked and that Akira is a highly capable and sophisticated threat group. In 2017, another ransomware variant was identified that was also called Akira but the latest attacks do not appear to be related.

Initial access is most commonly gained via compromised credentials, including credentials obtained through spear phishing, although the group is also known to exploit vulnerabilities in virtual private networks and other public-facing applications, especially those that do not have multifactor authentication enabled. Once initial access has been gained, the group establishes persistent access, uses tools to hide the malicious activity, conducts network reconnaissance to understand the operational environment, then moves laterally and establishes communications with their command-and-control center. Like many other RaaS groups, Akira engages in double extortion with sensitive data stolen before ransomware is deployed. Victims must pay two fees – one to decrypt their data and another to prevent the publication of the stolen data.

The alert includes several recommendations for improving security to prevent attacks and reducing the severity of attacks that it is not possible to prevent. Preventative measures include using multi-factor authentication wherever possible; ensuring software is kept patched and up to date, especially for VPNs and other Internet-facing applications; disabling unused remote access ports; monitoring remote access logs; reviewing domain controllers, active directories, servers, and workstations for new accounts; reviewing Task Scheduler for unrecognized scheduled tasks; setting unique complex passwords for accounts, and regularly changing passwords to network systems and accounts. Administrative credentials should be required for installing software and consider adding banners to emails that originate from external sources and disabling hyperlinks in emails. To minimize the harm caused, networks should be segmented, and backups regularly performed, with backups stored offline. Copies of critical data should not be accessible for modification or deletion from the system where the data resides.

The post Healthcare Sector Warned About Akira Ransomware Attacks appeared first on HIPAA Journal.

The Healthcare and Public Health (HPH) Sector has been warned about cyberattacks involving Akira ransomware, of which there have been at least 81 since the new ransomware variant was discovered in May 2023. This is the second alert to be issued by the HHS’ Health Sector Cybersecurity Coordination Center in the past 6 months, with the latest alert including updated information on the tactics, techniques, and procedures (TTPs) used by the group.

Since the group operates out of Russia, attacks on targets in the Commonwealth of Independent States (CIS) are prohibited. The majority of Akira ransomware victims are located in the United States and most of its victims have been located in California, Texas, Illinois, and states on the East Coast, especially the Northeast. The group has conducted attacks on targets in multiple sectors, with materials, manufacturing, goods and services, construction, education, finance, legal, and healthcare favored.

Akira is a ransomware-as-a-service (RaaS) operation that is thought to have ties to the Conti ransomware group. Conti was a prolific ransomware group that wreaked havoc over a two-year period from 2020 but was suddenly shut down in 2022. The TTPs used by Akira are similar in many areas to Conti, which suggests that the groups are linked and that Akira is a highly capable and sophisticated threat group. In 2017, another ransomware variant was identified that was also called Akira but the latest attacks do not appear to be related.

Initial access is most commonly gained via compromised credentials, including credentials obtained through spear phishing, although the group is also known to exploit vulnerabilities in virtual private networks and other public-facing applications, especially those that do not have multifactor authentication enabled. Once initial access has been gained, the group establishes persistent access, uses tools to hide the malicious activity, conducts network reconnaissance to understand the operational environment, then moves laterally and establishes communications with their command-and-control center. Like many other RaaS groups, Akira engages in double extortion with sensitive data stolen before ransomware is deployed. Victims must pay two fees – one to decrypt their data and another to prevent the publication of the stolen data.

The alert includes several recommendations for improving security to prevent attacks and reducing the severity of attacks that it is not possible to prevent. Preventative measures include using multi-factor authentication wherever possible; ensuring software is kept patched and up to date, especially for VPNs and other Internet-facing applications; disabling unused remote access ports; monitoring remote access logs; reviewing domain controllers, active directories, servers, and workstations for new accounts; reviewing Task Scheduler for unrecognized scheduled tasks; setting unique complex passwords for accounts, and regularly changing passwords to network systems and accounts. Administrative credentials should be required for installing software and consider adding banners to emails that originate from external sources and disabling hyperlinks in emails. To minimize the harm caused, networks should be segmented, and backups regularly performed, with backups stored offline. Copies of critical data should not be accessible for modification or deletion from the system where the data resides.

The post Healthcare Sector Warned About Akira Ransomware Attacks appeared first on HIPAA Journal.

A new report from Chainalysis has revealed victims of ransomware attacks paid hackers $1.1 billion in 2023 to obtain the keys to unlock their data and to prevent the release of information stolen in the attacks. Last year was the first time that ransom payments exceeded $1bn and the annual total was a sizeable jump from the $567 million that was paid in 2022. These are also conservative figures, as the researchers are unaware of all of the cryptocurrency wallets used by ransomware gangs.

Ransom payments have been increasing each year but there was a fall in ransom payments in 2022, which dropped from $983 million in 2021 to $567 million in 2022. The researchers believe this anomaly is linked to the Russia-Ukraine war. Many hackers changed their operations from ransomware attacks to attacks focused on espionage and destruction on Ukrainian targets and those that did continue with ransomware found it harder to get paid as Western targets became concerned about sanctions risks, given that many ransomware groups are based in Russia.

In 2023, there was a shift back to ransomware attacks with ransomware actors choosing to attack high-profile institutions and critical infrastructure, including schools, hospitals, and government agencies and the attacks increased in scope and complexity. There were also mass extortion-only attacks by the Clop ransomware group on file transfer solutions such as GoAnywhere MFT and MOVEit, with Clop getting paid at least $100 million for the attacks that exploited the vulnerability in MOVEit.

Chainalysis has observed a trend for big game hunting, which has become the dominant strategy in recent years but there is considerable variety across the ransomware ecosystem with RaaS operations such as Phobos having low payments but making up for that with volume. These groups lower the entry barrier and make it easy for relatively low-skilled hackers to start conducting attacks.

Several trends were observed in 2023, including astronomical growth in the number of threat actors carrying out ransomware attacks. Recorded Future reported 538 new ransomware variants in 2023, which suggests the emergence of many new, smaller ransomware groups. There has also been a shortening of the dwell time, with ransomware deployed more rapidly after initial access, and ransomware groups have been developing more efficient and aggressive tactics.

There were some success stories in 2023 due to law enforcement operations, including the takedown of the Hive group and the disruption of Alphv. The FBI reports that it the Hive operation allowed it to provide the decryption keys to many victims, saving $130 million in ransom payments, although Chainalysis estimates the impact was far greater, with the disruption caused preventing an estimated $210.4 million in payments.

The post Ransom Payments Exceeded $1 Billion in 2023 appeared first on HIPAA Journal.

In the past year, more than 150 healthcare organizations have benefitted from alerts from the Cybersecurity and Infrastructure Security Agency (CISA) about vulnerabilities and intrusions that have helped them to implement mitigations before harm has been caused. These alerts have helped victims of attacks avoid delays to patient care and saved millions of dollars in costs.

In March 2023, CISA launched its Pre-Ransomware Notification Initiative which sees alerts issued if vulnerabilities are detected that are known to be actively exploited by ransomware groups to allow organizations to take action to prevent the vulnerabilities from being exploited. There is a dwell time after vulnerabilities have been exploited before ransomware is deployed, which can be a few hours to a few days. If organizations are alerted about an attack in the early stages, it is possible to block the attack before data theft and file encryption. Since launching the pilot program in January 2023, CISA has sent more than 1,200 such notifications, including to 154 healthcare organizations about early-stage ransomware activity.

When CISA’s Joint Cyber Defense Collaborative (JCDC) gets tips from the cybersecurity research community, infrastructure providers, and cyber threat intelligence companies about potential early-stage ransomware activity, JCDC notifies the affected company and provides specific mitigation advice to help them rapidly respond. There have been cases where the advice has come after file encryption, and in those cases, JCDC has worked closely with the organizations to help them with their remediation efforts. One of the successes of this program was an early notification to a mass transport partner that prevented an estimated $350 million attack on critical transportation infrastructure.

In some cases, JDCD has been able to identify the exfiltrated data and provide detailed information about the intrusion to support the investigative and remediation efforts. In 2023, a Fortune 500 organization suffered a $60 million ransomware attack and CISA was able to help establish a CISO position and provided guidance to help it improve its IT infrastructure and security controls to better defend against future attacks.

The post CISA Pre-Ransomware Alerts Helped 154 Healthcare Organizations Save Millions in Costs appeared first on HIPAA Journal.