Healthcare Cybersecurity

Medtronic Recalls MiniMed Remote Controllers Due to Serious Cybersecurity Vulnerability

Posted by HIPAA Journal

The Food and Drug Administration (FDA) has issued a warning to users of Medtronic wireless insulin pumps about a serious security vulnerability affecting certain remote controllers.

MiniMed insulin pumps deliver insulin for the management of diabetes and the pumps are supplied with an optional remote controller device that communicates wirelessly with the insulin pump. A security researcher has identified a cybersecurity vulnerability in older models of remote controllers that use previous-generation technology that could potentially be exploited to cause harm to users of the pumps.

The cybersecurity vulnerability could be exploited by an unauthorized person to record and replay the wireless communication between the remote and the MiniMed insulin pump. Using specialist equipment, an unauthorized individual in the vicinity of the insulin pump user could send radio frequency signals to the insulin pump to instruct it to over-deliver insulin to a patient or stop insulin delivery. Over-delivering insulin could result in dangerously low blood sugar levels and stopping insulin delivery could result in diabetic ketoacidosis and even death.

Medtronic MiniMed 508 insulin pumps and the MiniMed Paradigm family of insulin pumps were already the subject of a product recall. Cybersecurity vulnerabilities had previously been identified in the pumps that could not be adequately mitigated through updates or patches.

The latest security issue has seen Medtronic expand the product recall to include all MiniMed Remote Controllers (models MMT-500 and MMT-503), which are used with the Medtronic MiniMed 508 insulin pump or the MiniMed Paradigm family of insulin pumps.

Medtronic has not been manufacturing or distributing the affected remote controllers since July 2018, but the devices are still used by certain patients, healthcare providers, and caregivers.

This is a Class 1 product recall – the most serious category – as the issues with the remote controllers could result in serious injury or death. The FDA says there have been no reported cases of the vulnerabilities in the devices being exploited to cause harm to patients.

The FDA says users should immediately stop using the affected remote controller, turn off the easy bolus feature, turn off the radio frequency function, delete all remote controller IDs programmed into the pump, disconnect the remote controller from the insulin pump, and return the remote controller to Medtronic.

The post Medtronic Recalls MiniMed Remote Controllers Due to Serious Cybersecurity Vulnerability appeared first on HIPAA Journal.

Insider Threat Self-Assessment Tool Released by CISA

Posted by HIPAA Journal

Public and private sector organizations have a new tool to help them assess their level of vulnerability to insider threats. The new Insider Threat Risk Mitigation Self-Assessment Tool has been created by the Cybersecurity and Infrastructure Security Agency (CISA) to help users further their understanding of insider threats and develop prevention and mitigation programs.

In healthcare, security efforts often focus on the network perimeter and implementing measures to block external threats, but insider threats can be just as damaging, if not more so. Insiders can steal sensitive information for financial gain, can take information to provide to their next employer, or can abuse their privileged access to cause significant harm.

Insider breaches can have major consequences for businesses, with may include reputation damage, loss of revenue, theft of intellectual property, reduced market share, and even physical harm. CISA says insider threats can include current and former employers, contractors, or other individuals with inside knowledge about a business. The threat posed by insiders can be considerable due to the knowledge those individuals have about a business and the fact they are trusted and have privileged access to systems and sensitive data.

Large organizations are likely to have conducted risk assessments and put measures in place to mitigate insider threats. Small- and medium-sized businesses tend to have limited resources and may not have assessed their risk level and are most likely to benefit from using the new tool.

The tool consists of a series of questions that will establish the level of vulnerability to insider threats and will provide feedback to users to help them develop appropriate mitigations to guard against insider threats and reduce risk to a low and acceptable level.

“CISA urges all our partners, especially small and medium businesses who may have limited resources, to use this new tool to develop a plan to guard against insider threats.  Taking some small steps today can make a big difference in preventing or mitigating the consequences of an insider threat in the future,” said CISA Executive Assistant Director for Infrastructure Security David Mussington.

The post Insider Threat Self-Assessment Tool Released by CISA appeared first on HIPAA Journal.

Survey Reveals 24% of Healthcare Employees Have Had No Security Awareness Training

Posted by HIPAA Journal

Entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) are required to provide security awareness training to the workforce, but a new report suggests training is lacking at many HIPAA-regulated entities.

The security awareness training and phishing simulation platform provider KnowBe4 commissioned Osterman Research to conduct a survey on 1,000 U.S. employees to determine their level of knowledge about security threats and how much training they have been given. The findings of the survey were published in the KnowBe4 2021 State of Privacy and Security Awareness Report.

The survey revealed employees are generally confident about password best practices but lacked confidence in other areas of cybersecurity such as identifying social engineering attacks. Only a minority understood threats such as phishing, even though phishing is one of the most common ways that hackers gain access to business networks and corporate data.

Worryingly, less than half of respondents believed clicking a link in an email or opening an attachment could result in their mobile device being infected with malware, and 45% of respondents believe they do not need to implement additional cybersecurity safeguards because they do not work in the IT department.

Changing that thinking is one of the goals National Cybersecurity Awareness Month, which this year has the theme “Do Your Part. BeCyberSmart.” The aim of this initiative is to empower individuals and organizations to own their role in protecting their part of cyberspace, and that means all individuals, not only individuals in the IT department.

Security awareness training courses should explain cybersecurity best practices and teach employees how to practice good cyber hygiene in order to eliminate risky behaviors. It is also vital to teach employees how to identify and avoid phishing emails, and the procedures to follow if suspicious emails are received. Through training it is possible to reduce susceptibility to phishing emails and malware attacks and develop a security culture in an organization; however, that will only be achieved by providing continuous training to employees.

The healthcare industry ranked second highest behind government for continuous security awareness training in 2020. 59% of healthcare respondents said their employer continued to provide security awareness training throughout 2020; however, the survey revealed 24% of healthcare respondents said their employer had not provided any security awareness training.

Out of all industry sectors, healthcare employees were the least aware of social engineering threats such as phishing and business email compromise (BEC), with only 16% of healthcare employees saying they understood those threats very well.

If adequate training is not provided, employees cannot be expected to recognize and avoid threats and HIPAA-regulated entities will face a much higher risk of suffering costly data breaches. In the event of an audit or data breach investigation, if training is found to be lacking OCR may impose substantial financial penalties. The failure to provide any security awareness training is a clear violation of the HIPAA Security Rule and was one of the violations cited in OCR’s enforcement action against West Georgia Ambulance in 2019.

Regular security awareness training will ensure employees have the skills they need to identify and avoid cyber threats. KnowBe4 says when employees are provided with training once a month they are 34% more likely to believe clicking a link in an email is a risky behavior than employees that only receive training once or twice a year.

The survey also showed there is considerable confusion about the need for HIPAA compliance. 61% of respondents in healthcare knew that their organization was required to comply with HIPAA, but 19% said they were unsure. 20% said they knew or believed their organization was not a HIPAA-regulated entity. There was also uncertainty about the need to comply with other privacy and security regulations, with around half of respondents unsure if their organization had to comply with the California Privacy Rights Act, Family Educational Rights and Privacy Act (FERPA) and the EU’s General Data Protection Regulation (GDPR).

“That’s a problem. As with cybersecurity, employees are the last line in addressing privacy issues, and so they must know that privacy protections must be applied to the customer data they handle,” said KnowBe4 in the report. “The fact that such a large proportion of employees is simply not sure whether their employer is subject to various privacy regulations does not bode well for organizations’ ability to adequately process information that is subject to privacy regulation.”

The post Survey Reveals 24% of Healthcare Employees Have Had No Security Awareness Training appeared first on HIPAA Journal.

Lawsuit Alleges Ransomware Attack Resulted in Hospital Baby Death

Posted by HIPAA Journal

A medical malpractice lawsuit has been filed against an Alabama Hospital alleging vital information that could have prevented the death of a baby was not available due to a ransomware attack.

Springhill Medical Center in Mobile, AL suffered a ransomware attack in 2019 which caused widespread encryption of files and a major IT system outage. Computer systems were taken offline for 8 days, during which time care continued to be provided to patients with staff operating under the hospital’s emergency protocol during the downtime. With no access to computer systems patient information was recorded on paper charts.

Following the attack, Springhill Medical Center issued a statement about the incident and said it had no impact on patient care, “We’d like to assure our patients and the community that patient safety is always our top priority and we would never allow our staff to operate in an unsafe environment.”

During the system downtime, Teiranni Kidd arrived at the hospital to have her baby delivered. Her baby was born on July 17, 2019 but tragically the umbilical cord had become wrapped around the baby’s neck resulting in severe brain damage. Following the birth, Kidd’s daughter Nicko was transferred to a neonatal intensive care unit. Due to the brain damage, Nicko required frequent oxygen supplementation, had to be fed through a gastrointestinal tube, and needed around the clock medical care. Nicko died 9 months later on April 16, 2020.

In January 2020, a lawsuit was filed in the Circuit Court of Mobile County, AL on behalf of Teiranni Kidd, as mother and next friend of Nicko Silar. The lawsuit alleges the hospital failed to inform the plaintiff about the cyberattack and outage, and had the hospital done so, she would have chosen a different hospital for labor and delivery.

The lawsuit alleges physicians and nurses at Springhill Medical Center failed to conduct multiple tests prior to the birth which would have revealed the umbilical cord had wrapped around the baby’s neck and that those tests were not conducted due to the distraction caused by the ransomware attack.

The lawsuit alleges a wireless tracker used to locate medical staff was out of order, patient health records were inaccessible, and electronic systems that provided fatal tracing information were also not working. The lawsuit alleges patient information was not available at the nurses’ station and the only fetal monitoring information was a paper record at the patient’s bedside in the labor and delivery room.

“As a result, the number of healthcare providers who would normally monitor [the plaintiff’s] labor and delivery were substantially reduced and important safety-critical layers of redundancy were eliminated,” according to the lawsuit, which claims medical malpractice and wrongful death.

“Defendant Springhill Memorial Hospital planned, orchestrated, and implemented a scheme by hospital management and ownership in which they conspiratorially hid, suppressed, and failed to disclose critical patient safety-related information, and further created a false, misleading, and deceptive narrative concerning the July 2019 cyberattack by deliberately failing to disclose critical factual information,” according to the lawsuit.

The lawsuit alleges that as a proximate consequence of the non-disclosure of the attack and outage, the baby suffered “personal injuries and general damages, including permanent injury from which she died.” The hospital has denied any wrongdoing.

Following a ransomware attack, hospitals continue to provide medical services to patients in their care and follow their emergency protocols and switch to recording patient information on paper charts and conducting normally automated processes manually. It is common for emergency patients to be redirected to alternative facilities as a precaution while systems are restored and access to medical records is regained.

This is the first case where a ransomware attack is alleged to have resulted in a patient death, although it is not the only attack where patient safety has been put at risk. Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a report on healthcare ransomware attacks during the pandemic and confirmed the impact they have had on patient care and outcomes. “Although there are no deaths directly attributed to hospital cyberattacks, statistical analysis of an affected hospital’s relative performance indicates reduced capacity and worsened health outcomes, which can be measured in the time of the COVID-19 pandemic in excess deaths,” explained CISA in the report.

Also, a recent survey on IT and IT security professionals at healthcare delivery organizations in the United States conducted by the Ponemon Institute on behalf of cybersecurity risk management firm Censinet revealed respondents believed ransomware attacks resulted in an increase in the length of patient stays in hospital, delays in testing, and an increase in medical complications. 22% of respondents believed there was an increase in patient mortality after a ransomware attack.

The post Lawsuit Alleges Ransomware Attack Resulted in Hospital Baby Death appeared first on HIPAA Journal.

Cybersecurity Awareness Month: Do Your Part, #BeCyberSmart

Posted by HIPAA Journal

October is Cybersecurity Awareness Month; a full month where the importance of cybersecurity is highlighted, and resources are made available to help organizations improve their security posture through the adoption of cybersecurity best practices and improving security awareness of the workforce.

Cybersecurity Awareness Month was launched by the National Cyber Security Alliance and the United States Department of Homeland Security in 2004 to raise awareness of the importance of cybersecurity. Each year has a different theme, although the overall aim is the same – To empower individuals and the organizations they work for to improve cybersecurity and make it harder for hackers and scammers to succeed.

The month is focused on improving education about cybersecurity best practices, raising awareness of the digital threats to privacy, encouraging organizations and individuals to put stronger safeguards in place to protect sensitive data, and highlighting the importance of security awareness training.

This year has the overall theme – “Do Your Part, #BeCyberSmart” – and is focused on communicating the importance of everyone playing a role in cybersecurity and protecting systems and sensitive data from hackers and scammers. Throughout the month, the National Cyber Security Alliance and its partners will be running programs to raise awareness of specific aspects of cybersecurity, with each week of the month having a different theme.

  • Week of October 4 (Week 1): Be Cyber Smart.
  • Week of October 11 (Week 2): Phight the Phish!
  • Week of October 18 (Week 3): Explore. Experience. Share.
  • Week of October 25 (Week 4): Cybersecurity First

Cybersecurity Awareness month kicks off with the theme of “Be Cyber Smart” in week 1, where cybersecurity best practices are highlighted to protect the vast amounts of personal and business data that are stored on Internet-connected platforms.

“This evergreen theme encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity,” said the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Best practices being highlighted in week 1 are those that businesses and individuals should be implementing. They include always creating strong passwords, implementing multi-factor authentication on accounts, keeping software updated and patching promptly, and creating backups to ensure data can be recovered in the event of a ransomware attack or other destructive cyberattack.

“Since its inception, Cybersecurity Awareness Month has elevated the central role that cybersecurity plays in our national security and economy.  This Cybersecurity Awareness Month, we recommit to doing our part to secure and protect our internet-connected devices, technology, and networks from cyber threats at work, home, school, and anywhere else we connect online,” said, President Biden in a White House statement announcing the start of Cybersecurity Awareness Month. “I encourage all Americans to responsibly protect their sensitive data and improve their cybersecurity awareness by embracing this year’s theme: “Do Your Part.  Be Cyber Smart.”

Each week this month, HIPAA Journal will share information and resources based on the theme of the week that can be used to raise awareness of cybersecurity in your organization and improve your resilience to cyberattacks and privacy threats.

Be Cyber Smart – Your Role in Cybersecurity

Cybersecurity Basics – How to Secure Your Online Life

CISA – Cybersecurity Awareness Tip Sheets

The post Cybersecurity Awareness Month: Do Your Part, #BeCyberSmart appeared first on HIPAA Journal.

NSA/CISA Issue Guidance on Selecting Secure VPN Solutions and Hardening Security

Posted by HIPAA Journal

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued new guidance on selecting and improving the security of Virtual Private Networks (VPN) solutions.

VPN solutions allow remote workers to securely connect to business networks. Data traffic is routed through an encrypted virtual tunnel to prevent the interception of sensitive data and to block external attacks. VPNs are an attractive targeted for hackers, and vulnerabilities in VPN solutions have been targeted by several Advanced Persistent Threat (APT) groups. APT actors have been observed exploiting vulnerabilities in VPN solutions to remotely gain access to business networks, harvest credentials, remotely execute code on the VPN devices, hijack encrypted traffic sessions, and obtain sensitive data from the devices.

Several common vulnerabilities and exposures (CVEs) have been weaponized to gain access to the vulnerable devices, including Pulse Connect Secure SSL VPN (CVE-2019-11510), Fortinet FortiOS SSL VPN (CVE-2018-13379), and Palo Alto Networks PAN-OS (CVE_2020-2050). In some cases, threat actors have been observed exploiting vulnerabilities in VPN solutions within 24 hours of patches being made available.

Earlier this year, the NSA and CISA issued a warning that APT groups linked to the Russian Foreign Intelligence Service (SVR) had successfully exploited vulnerabilities in Fortinet and Pulse Secure VPN solutions to gain a foothold in the networks of U.S. companies and government agencies. Chinese nation state threat actors are believed to have exploited a Pulse Connect Secure vulnerability to gain access to the networks of the U.S. Defense Industrial Base Sector. Ransomware gangs have similarly been targeting vulnerabilities in VPNs to gain an initial foothold in networks to conduct double-extortion ransomware attacks.

The guidance document is intended to help organizations select secure VPN solutions from reputable vendors that comply with industry security standards who have a proven track record of remediating known vulnerabilities quickly. The guidance recommends only using VPN products that have been tested, validated and included in the National Information Assurance Partnership (NIAP) Product Compliant List. The guidance recommends against using Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs, which use non-standard features to tunnel traffic via TLS as this creates additional risk exposure.

The guidance document also details best practices for hardening security and reducing the attack surface, such as configuring strong cryptography and authentication, only activating features that are strictly necessary, protecting and monitoring access to and from the VPN, implementing multi-factor authentication, and ensuring patches and updates are implemented promptly.

The post NSA/CISA Issue Guidance on Selecting Secure VPN Solutions and Hardening Security appeared first on HIPAA Journal.

Fifth of Healthcare Providers Report Increase in Patient Mortality After a Ransomware Attack

Posted by HIPAA Journal

While there have been no reported cases of American patients dying as a direct result of a ransomware attack, a new study suggests patient mortality does increase following a ransomware attack on a healthcare provider. According to a recent survey conducted by the Ponemon Institute, more than one fifth (22%) of healthcare organizations said patient mortality increased after a ransomware attack.

Ransomware attacks on healthcare providers often result in IT systems being taken offline, phone and voicemail systems can be disrupted, emergency patients are often redirected to other facilities, and routine appointments are commonly postponed. The recovery process can take several weeks, during which time services continue to be disrupted.

While some ransomware gangs have a policy of not attacking healthcare organizations, many ransomware operations target healthcare. For instance, the Vice Society ransomware operation has conducted around 20% of its attacks on the healthcare sector and attacks on healthcare organizations have been increasing. During the past 2 years, 43% of respondents said their organization had suffered a ransomware attack, and out of those, 67% said they had one while 33% said they had more than one.

The study, which was sponsored by Censinet, involved a survey of 597 healthcare organizations including integrated delivery networks, community hospitals, and regional health systems. The cost of ransomware attacks on the healthcare industry had been determined in a previous Ponemon Institute survey, with the data presented in the IBM Security Cost of a Data Breach Report. In 2021, costs had risen to an average of $9.23 million per incident. The Censinet study sought to determine whether these attacks had a negative impact on patient safety while also seeking to understand how COVID-19 has impacted the ability of healthcare organizations to protect patient care and patient information from ransomware attacks.

COVID-19 introduced many new risk factors, such as an increase in remote working and new IT systems to support those workers. Patient care requirements increased, and COVID-19 caused staff shortages. The survey confirmed that COVID-19 has affected the ability of healthcare organizations to defend against ransomware attacks and other increasingly virulent cyberattacks. Prior to COVID-19, 55% of healthcare organizations said they were not confident they would be able to mitigate the risks of ransomware, whereas now, 61% of healthcare organizations said they are not confident or have no confidence in their ability to mitigate the risks of ransomware.

These attacks were found to be negatively affecting patient safety. 71% of respondents said ransomware attacks resulted in an increased length of stay in hospitals and 70% said delays in testing and medical procedures due to ransomware attacks resulted in poor patient outcomes. Following an attack, 65% of respondents said there was an increase in the number of patients being redirected to alternative facilities, 36% said they had increases in complications from medical procedures, and 22% said they had an increase in mortality rate after an attack.

One of the factors that has contributed to a higher risk of a ransomware attack occurring is the increased reliance on business associates for digitizing and distributing healthcare information and providing medical devices. On average, respondents said they work with 1,950 third parties and that number is expected to increase over the next 12 months by around 30% to an average of 2,541.

Business associates of healthcare organizations are being targeted by ransomware gangs and other cybercriminal organizations. Cybersecurity at business associates is often weaker than their healthcare clients, and one attack on a business associate could provide access to the networks of multiple healthcare clients.

Even though working with third parties increases risk, 40% of respondents said they do not always complete a risk assessment of third parties prior to entering into a contract. Even when risk assessments are conducted, 38% of respondents said those risk assessments were often ignored by leaders. Once contracts have been signed, over half (53%) of respondents said they had no regular schedule of conducting further risk assessments or that they were only conducted on demand.

Censinet recommends creating an inventory of all vendors and protected health information. It is only possible to ensure systems and data are secured if accurate inventories are maintained. Workflow automation tools are useful for establishing a digital inventory of all third parties and PHI records. These tools should also be used for creating an inventory of medical devices. Medical devices can provide an easy entry point into healthcare networks, so it is essential that these devices are secured. Only 36% of respondents said their organization knew where all medical devices were located, and only 35% said they were aware when those devices would reach end-of-life and would no longer be supported.

The report recommends conducting a thorough risk assessment of a vendor prior to entering into a contract, and then conducting periodic risk assessments thereafter and ensuring action is taken to address any issues identified. Further investment in cybersecurity is required specifically to cover re-assessments of high-risk third parties, as currently, only 32% of critical and high-risk third parties are assessed annually, and just 27% are reassessed annually.

The report also strongly recommends assigning risk accountability and ownership to one role, which will help to ensure an effective enterprise-risk management strategy can be adopted and maintained.

The post Fifth of Healthcare Providers Report Increase in Patient Mortality After a Ransomware Attack appeared first on HIPAA Journal.

CISA and FBI Warn About Escalating Conti Ransomware Attacks

Posted by HIPAA Journal

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning about escalating Conti ransomware attacks. CISA and the FBI have observed Conti ransomware being used in more than 400 cyberattacks in the United States and globally.

Like many ransomware gangs, prior to deploying Conti ransomware the gang exfiltrates data from victims’ networks. A ransom demand is issued along with a threat to publish the stolen data if the ransom is not paid. The developers of Conti ransomware run a ransomware-as-a-service operation, where affiliates are recruited to conduct attacks. Under this model, affiliates usually receive a percentage of any ransoms they generate. Conti appears to operate slightly differently, where affiliates are paid a wage to conduct attacks.

A variety of methods are used to gain access to victims’ networks. Spear phishing emails are common, where malicious attachments such as Word documents with embedded scripts are used as malware droppers. Typically, a malware variant such as TrickBot or IcedID is downloaded which gives the attackers access to victims’ networks. The attackers then move laterally within the compromised network, identify data of interest, then exfiltrate the data before deploying the Conti ransomware payload.

Brute force attacks are often conducted to guess weak Remote Desktop Protocol (RDP) credentials, vulnerabilities in unpatched systems are exploited, and search engine poisoning has been used to get malicious sites appearing in the search engine listings offering fake software. Malware distribution networks such as Zloader have been used, and attacks have been conducted where credentials have been obtained through telephone calls (vishing).

CISA and the FBI have observed legitimate penetration testing tools being used to identify routers, cameras, and network-attached storage devices with web interfaces that can be brute forced and legitimate remote monitoring and management software and remote desktop software have been used as backdoors to maintain persistence on victim networks. The attackers use tools such as Windows Sysinternals and Mimikatz to escalate privileges and for lateral movement.

Vulnerabilities known to be exploited include ZeroLogon (CVE-2020-1472), PrintNightmare (CVE-2021-34527), and the vulnerabilities in Microsoft Windows Server Message Block that were exploited in the WannaCry ransomware attacks in 2017.

Because a variety of tactics, techniques, and procedures are used to gain access to victim networks, there is no single mitigation that can be implemented to prevent attacks. CISA and the FBI recommend the following mitigations to improve defenses against Conti ransomware attacks:

  • Use multi-factor authentication
  • Implement network segmentation and filter traffic
  • Scan for vulnerabilities and keep software updated
  • Remove unnecessary applications and apply controls
  • Implement endpoint and detection response tools
  • Limit access to resources over the network, especially by restricting RDP
  • Secure user accounts
  • Ensure critical data are backed up, with backups stored offline and tested to ensure file recovery is possible

The post CISA and FBI Warn About Escalating Conti Ransomware Attacks appeared first on HIPAA Journal.

Health and Public Health Sector Warn of Elevated Risk of BlackMatter Ransomware Attack

Posted by HIPAA Journal

The health and public health sector is facing an elevated risk of ransomware attacks by affiliates of the BlackMatter ransomware-as-a-service (RaaS) operation, according to the Health Sector Cybersecurity Coordination Center (HC3) of the Department of Health and Human Services.

The BlackMatter threat group emerged in July 2021 shortly after the DarkSide and Sodinokibli/REvil ransomware gangs shut down their operations. The Russian speaking threat group is believed to originate in Eastern Europe and has conducted many attacks over the past couple of months in Brazil, Chile, India, Thailand, and the United States. The group also started leaking data stolen in attacks on its data leak site on August 11, 2021.

The threat group has mostly conducted ransomware attacks on companies in the real estate, food and beverage, architecture, IT, financial services, and education sectors, and while the ransomware gang has publicly stated it would not attack hospitals, critical infrastructure companies, nonprofits, government, and defense contractors, there is concern that attacks may still occur.

The threat group said in its sales pitch for affiliates that its ransomware incorporates the best features of the DarkSide, Lockbit 2.0 and Sodinokibi/REvil ransomware variants, and a technical analysis of the ransomware found several similarities between both DarkSide and Sodinokibi/REvil ransomware variants suggesting the gang has links with those operations.

BlackMatter said its affiliates are not permitted to attack hospitals, and should any hospital or nonprofit company be attacked, they can make contact and request free decryption. The threat group also said “We will not allow our project to be used to encrypt critical infrastructure that will attract unwanted attention to us.” There is of course no guarantee that an attack would not still occur nor that a free decryptor would be provided. As HC3 warmed, “these details are what BlackMatter claims to be, and may not be accurate,” and the DarkSide and Sodinokibi/REvil ransomware variants have both been used in attacks on the health and public health sector.

The threat group is actively seeking initial access brokers (IABs) that can provide access to corporate networks, as well as affiliates to conduct attacks. IABs often sell compromised RDP credentials, VPN login credentials, and web shells, which provide ransomware gangs with the access they need to conduct attacks.

According to HC3, there have been “at least 65 instances of threat actors selling network access to healthcare entities on hacking forums in the past year.” An analysis of 1,000 forum posts selling network access in the past 12 months found the United States was the worst affected country, and 4% of breached entities were in the healthcare industry.

BlackMatter is used in attacks on Windows and Linux systems, encrypts files using Salsa20 and 1024-bit RSA, and attempts to mount and encrypt unmounted partitions. The ransomware encrypts files stored locally, on removable media, and on network shares, and deletes shadow copies to prevent recovery without paying the ransom. Files are also exfiltrated prior to encryption and stolen data have been published on the gang’s leak site to encourage payment of the ransom.

Even if free decryptors are provided, the cost of remediating attack is likely to be significant. It is therefore important for the health and public health sector to take steps to improve defenses to make BlackMatter and other ransomware attacks more difficult.

In the threat brief, HC3 provides cybersecurity best practices that should be adopted to mitigate the BlackMatter threat, which include maintaining offline encrypted backups, regularly testing backups to ensure file recovery is possible, creating, maintaining, and exercising a basic cyber incident response plan and communications plan.

The sector has also been advised to mitigate Internet-facing vulnerabilities and misconfigurations, patch promptly, and conduct regular security awareness training for the workforce and to implement defenses such as spam filters to combat email phishing and social engineering attacks.

The post Health and Public Health Sector Warn of Elevated Risk of BlackMatter Ransomware Attack appeared first on HIPAA Journal.