New research from Black Kite has shed light on the changing ransomware ecosystem. Over the past year, there has been a marked shift from large ransomware syndicates conducting the bulk of attacks to an increasingly fragmented ransomware ecosystem with a growing number of smaller groups and lone actors.

The report is based on data collected by the Black Kite Research & Intelligence Team (BRITE) between April 2024 and March 2025, including victim analysis, dark web intelligence gathering, and continuous monitoring of ransomware operations. Out of the 150 ransomware groups tracked by BRITE, 96 were considered active, having conducted at least one attack in the past 12 months, a sizeable increase from the 61 active ransomware groups in April 2023. Out of the 96 active ransomware groups, 52 are entirely new groups that emerged in the past 12 months. Over that period, there was a 24% year-over-year increase in the number of publicly disclosed ransomware victims (6,046), which follows an 81% increase over the preceding year, amounting to a 123% increase in disclosed ransomware victims in the past two years.

When the ransomware ecosystem was dominated by large ransomware syndicates such as LockBit and ALPHV/BlackCat, there was a degree of predictability to the attacks, but the power vacuum left by the law enforcement operations against LockBit and the shutdown of ALPHV has led to the creation of many smaller groups, with some of the more experienced actors branching out on their own. With so many new groups, the ransomware ecosystem has become more chaotic, with less sophisticated attacks being conducted in greater volume. BRITE reports that these smaller groups tend to lack the infrastructure, discipline, and credibility of their predecessors, and this shift has resulted in an increase in attack volume, a fall in coordination, and growing unpredictability in how, where, and why attacks unfold.

One trend that has emerged is a shift from attacks on larger companies with deeper pockets to attacks on small to medium-sized businesses (SMBs), which tend to have poorer defenses, smaller cybersecurity teams, and carry a lower risk of retaliation from law enforcement. The potential rewards from conducting the attacks are lower, with BRITE reporting a 35% reduction in ransom payment values in the past 12 months; however, the overall impact of ransomware attacks has widened. In 2024, the average ransom demand was $4,24 million, the median ransom payment was $2 million, and the average ransom payment was $553,959. SMBs with between $4 and $8 million appear to be the sweet spot in terms of ease of conducting attacks and ransom payment value.

In terms of targets, ransomware groups tend to conduct strategic attacks with the top three targets unchanged year-over-year. Manufacturing was the most targeted sector with 1,315 victims over the past 12 months. Attacks on the sector tend to result in massive disruption to business operations, with the costs of downtime increasing the probability of ransoms being paid. Professional and technical services were the second-most targeted sector with 1,040 attacks, followed by healthcare and social assistance with 434 known attacks.

In terms of the growth of attacks on different sectors, excluding the mass exploitation of vulnerabilities by the Clop group as an outlier, wholesale trade saw the biggest growth with a 2.27% increase in attacks, with healthcare and social assistance in second with 1.44% growth. Physicians and health practitioners overtook hospitals in terms of victim count, as they tend to have far weaker security, lack dedicated security teams, and handle reasonable volumes of sensitive patient data, making them low-hanging fruit with significant extortion potential.  These smaller healthcare providers accounted for 38% of attacks, with hospitals in second spot (20%), social assistance in third (11%), and nursing and residential facilities in fourth (9%).

BRITE also reports deeper entanglement in supply chains, with ransomware groups increasingly targeting third-party vendors, as an attack on a vendor can easily allow the ransomware actor to attack and attempt extortion on dozens of downstream organizations. BRITE reports that ransomware was behind 67% of all known third-party breaches. “Incidents involving Change Healthcare, Blue Yonder, and CDK Global made clear that ransomware’s impact is no longer contained within the four walls of the initially affected organization,” explained Black Kite in the report. “When threat actors compromise a widely used vendor, the effects ripple outward, paralyzing downstream businesses in multiple sectors. In this way, ransomware is increasingly a supply chain problem, not just a cybersecurity one.”

Black Kite predicts a deepening fragmentation of the ransomware ecosystem over the coming year, an increase in double targeting of victims with different ransomware variants deployed in a short space of time, speedier attacks with reduced dwell time between initial access and ransomware deployment, and increased automation and AI-assisted reconnaissance.

The post Ransomware Attacks Increase 123% in 2 Years with 52 New Groups Emerging in 2024 appeared first on The HIPAA Journal.

A critical vulnerability affecting multiple Oracle products is being exploited in the wild. The vulnerability was dubbed The Miracle Exploit by the security researchers who discovered it, due to its severity and the number of products they affected – all products based on Oracle Fusion Middleware and Oracle online systems. The vulnerability is one of a pair of related vulnerabilities that were discovered two years apart. The vulnerabilities can be chained, and both can lead to remote code execution.

The Oracle Fusion Middleware products are used to build web interfaces for Java EE applications and any website developed by ADF Faces framework is affected. The vulnerabilities also affect Oracle Business Intelligence, Enterprise Manager, Identity Management, SOA Suite, WebCenter Portal, Application Testing Suite, and Transportation Management. The vulnerabilities are tracked as CVE-2022-21445 (CVSS 9.8) and CVE-2022-21497 (CVSS 8.1) and can be exploited easily by an unauthenticated attacker with network access via HTTP for an application takeover. Successful exploitation can lead to a full system compromise and lateral movement within a network. The vulnerabilities could be exploited to steal sensitive data and could be leveraged by ransomware groups in the future.

CVE-2022-21445 is a deserialization of untrusted data vulnerability and CVE-2022-21497 is a server-side request vulnerability. The first vulnerability allows remote code execution, and the second one could be exploited for lateral movement to other Oracle systems and can also lead to remote code execution. Oracle released patches to fix the vulnerabilities in April 2022, 6 months after the CVE-2022-21445 vulnerability was discovered. In September, the Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2022-21445 Miracle Exploit vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. No information was released about the extent to which the vulnerability has been exploited, and there have been no public reports of exploitation, although CISA does receive some reports privately.

Due to the severity of the vulnerabilities and their impact, the Health Sector Cybersecurity Coordination Center has recently released an analyst note warning the healthcare and public health sector about the risk of exploitation. Healthcare organizations could be vulnerable if they use Oracle Fusion products that rely on the ADF Faces framework. HC3 warns that if the vulnerable Oracle middleware components are integrated into their software for managing electronic medical records or other critical systems, exploitation of the vulnerabilities could result in data breaches, operational disruptions, and potentially regulatory penalties.

HC3 recommends applying the latest patch for Oracle JDeveloper, segmenting networks and ensuring environments that use JDeveloper are isolated from production systems, and limiting access to JDeveloper environments to trusted users only and enforcing strong authentication mechanisms.

The post HPH Sector Warned About Exploitation of Miracle Exploit Vulnerabilities in Oracle Systems appeared first on The HIPAA Journal.

A warning has been issued by the HHS’ Health Sector Cybersecurity Coordination Center (HC3) about a financially motivated group known as Scattered Spider. Many cybercriminal groups are Russian-speaking and are based in Russia or the Commonwealth of Independent States; however, Scattered Spider is a native English-speaking group and its members are believed to be mostly located in the United States and the United Kingdom. There have been four arrests in those countries but the group remains active. Intelligence gathered on the group suggests the members are mostly in the 19-22 age group.

Rather than develop their own malware payloads and attack tools, Scattered Spider uses publicly available tools and malware developed by other threat actors. Legitimate tools known to have been leveraged by the group include remote monitoring and management solutions such as AnyDesk, Connectwise Control, ASG Remote Desktop, Screenconnect, and Splashtop; Mimikatz and LaZagne for credential theft; and Ngrok to create secure tunnels to remote web servers.

The group has previously used multiple malware variants in its operations including Atomic, Racoon Stealer, VIDAR Stealer, and Meduza Stealer, as well as phishing kits such as EIGHTBAIT and Oktapus, and the BlackCat and Ransomhub ransomware variants. The group has also collaborated with the Qilin threat group.

Information stealers are commonly used to obtain credentials for initial access, and then living-off-the-land techniques are used to evade security solutions while the group moves laterally within networks, disabling security solutions and stealing sensitive data. Attacks often end with the deployment of ransomware.

Scattered Spider uses advanced social engineering tactics, with its members well-versed in spear phishing, smishing, and voice phishing. One campaign attributed to Scattered Spider involves spear phishing voice techniques, where members of the IT Help Desk are targeted over the phone with the group posing as employees, sometimes aided by artificial intelligence to impersonate voices.

The aim is to trick the IT Help Desk into performing password resets and registering their own devices to receive multifactor authentication codes. The Help Desk is provided with personal information about the person they are impersonating and usernames and employee IDs obtained in previous stages of its attacks. HC3 has previously issued a warning about this campaign as healthcare organizations were among the group’s victims.

Scattered Spider has been active since at least 2022 and was initially focused on customer relationship management (CRM), business process outsourcing (BPO), telecommunications, and technology companies; however, the group has since expanded its targeting and has been attacking a broader range of sectors. While the healthcare industry has not been extensively targeted by the group, healthcare organizations have been attacked. The Scattered Spider threat actor profile shares indicators of compromise and recommended mitigations to improve defenses.

The post HC3 Issues Warning About Scattered Spider Threat Actor appeared first on The HIPAA Journal.

The majority of healthcare data breaches reported in the past few years are due to hacking incidents but many of these security incidents do not involve the exploitation of vulnerabilities in software and operating systems for initial access. Far more common is the exploitation of human vulnerabilities, where healthcare workers are tricked into providing cyber actors with access to internal systems and sensitive data. According to the Verizon 2024 Data Breach Investigations Report, more than two-thirds of breaches involve the human element rather than the exploitation of weaknesses and vulnerabilities in technology.

One of the most common methods used is phishing, where a cyber actor makes contact with a healthcare employee and convinces them to visit a malicious website where they are asked to enter their credentials or are convinced to download a malicious file, both of which give the cyber actor the access they need. With phishing, the initial contact is often via email, although an increasing number of phishing attacks are now occurring via SMS (smishing), instant messaging platforms, social media networks, and over the telephone (vishing).

Phishing usually involves deception and impersonation. A trusted individual, company, or institution is impersonated, and the targeted individual is provided with a seemingly legitimate reason for taking the requested action. This could be a request for collaboration on a report, a notification about a failed delivery, a missed payment of an invoice, or a security warning. There is often a threat of negative consequences if no action is taken, commonly a pressing matter such as impending loss of service, a significant charge that will soon be applied to an account, or unauthorized account access that warrants immediate steps to secure the account.

The techniques used in phishing are known as social engineering – manipulation, influencing, or deceiving someone into taking a certain action, which in cybersecurity terms involves gaining unauthorized access to computer systems, financial accounts, or sensitive data. While phishing is one of the best-known attack methods that uses social engineering techniques, cyber actors use social engineering in other types of attacks to achieve similar goals. There is baiting, where social engineering is used to trick someone into taking an action to obtain something of value, such as to be entered into a free prize draw or get an amazingly low purchase price on goods and services. In order to get what is promised, sensitive information must be disclosed such as credentials, a credit/debit card number, or personal information.

Advances in artificial intelligence (AI) technology have provided cyber actors with a new way of manipulating individuals – deepfakes. Deepfakes take impersonation and deception to a new level, where trusted individuals are impersonated via audio or video. Deepfakes of authority figures can be created that are incredibly realistic, using synthesized facial images and speech or manipulated videos, photos, and audio recordings to trick people into taking any number of actions. Deepfakes can even be created in real-time, such as impersonating a CEO in a call to a help desk to request credentials be reset or to add an attacker-owned device to receive multifactor authentication codes, or in Zoom meetings where the meeting participants are convinced they are conversing with the genuine person.

Social engineering is the subject of the October 2024 cybersecurity newsletter from the HHS’ Office for Civil Rights. In the newsletter, OCR explains how social engineering is used in attacks on healthcare organizations and how to identify and avoid social engineering attacks. The newsletter also explains how compliance with the HIPAA Security Rule can help HIPAA-regulated entities improve their defenses against social engineering and mitigate threats.

“Attackers have learned how to convincingly imitate our loved ones and our business partners, meaning that nothing can be assumed or taken at face value. Attackers continue to refine their manipulation through social engineering tradecraft. All of these threats have a common theme; they all attempt to convince an individual to do something they would not otherwise do normally, or to provide details such as credentials someplace other than where they should be used,” explained OCR in the newsletter. “Educating workforce members on these attacks is essential when it comes to an individual’s ability to identify and potentially halt social engineering attacks before they start. Such knowledge is powerful not only to protect individuals in their personal online activities, but also by extension an individual’s employer. This is especially important in the current environment where work is taken home on laptops, smartphones, and through remote work.”

The post OCR Offers Advice on Recognizing, Avoiding, and Mitigating Social Engineering Attacks appeared first on The HIPAA Journal.

Ransomware groups target the healthcare sector because a successful attack gives them access to large amounts of sensitive data that can be easily monetized and used as leverage to get a ransom paid. Healthcare organizations are also heavily reliant on access to data to operate, therefore there is a higher probability that a ransom will be paid to regain access to encrypted data. Attacks on the sector are also increasing. According to Recorded Future, there were 358 ransomware attacks on healthcare organizations in 2023, a year-on-year increase of 46%.

A recent study by the cybersecurity firm Rubrik assessed the impact of ransomware attacks and found that attacks on healthcare providers impact more data than other industry sectors. Researchers at Rubrik Zero Labs determined that 20% of a healthcare organization’s sensitive data holdings are affected by a ransomware encryption event, compared to 6% in other industry sectors. That means 20% of healthcare data is encrypted, deleted, or stolen in an attack.

Healthcare organizations generally hold more sensitive data than other industry sectors. According to Rubrik’s analysis, healthcare organizations typically need to secure 50% more data than the global average, with healthcare organizations holding an average of 42 million sensitive data records compared to the global average of 28 million sensitive records.  The amount of data stored grows at a faster rate than other industries. In 2023, a typical healthcare organization saw its data estate grow by 27% compared to 23% for a typical global organization, and the number of sensitive data records in healthcare grew by 63% in the past year compared to the global average of 13%.

The data for Rubrik’s report – The State of Data Security: Measuring Your Data’s Risk – came from telemetry across the company’s customer base of 6,100 organizations and a study conducted by the Wakefield Research of more than 1,600 IT and security leaders. Across all industry sectors, 94% of IT security leaders said they had experienced a significant cyberattack in 2023, and an average of 30 attacks in the past year. One-third of IT security leaders said they had been affected by at least one ransomware attack, and 93% of organizations paid a ransom, with 58% of those paying to prevent the leaking of stolen data.

Dependence on the cloud is growing, with cloud architecture used to store 13 % of an organization’s data on average, compared to 9% the previous year. According to Rubrik’s telemetry, cloud storage has inherent risks as there are security blind spots. Rubrik reports that 70% of all cloud-stored data is in object storage, which typically has much lower security coverage than other areas. 88% of all data stored in object storage is not confirmed as machine-readable or is not covered by prominent security technologies and services, and more than 25% of object storage data is subject to regulatory or legal requirements, such as HIPAA.

“Despite the fallout of cyberattacks dominating headlines, data risk is an issue that continues to be murky — especially in terms of what security teams can actually change and what they cannot,” said Steven Stone, Head of Rubrik Zero Labs. “With this report, we aim to provide quantifiable insights that IT and security leaders can bring back to their organization to drive greater cyber resilience-in particular with their partners in the business and governance teams.”

The post Healthcare Ransomware Attacks Involve 20% of Stored Sensitive Data appeared first on HIPAA Journal.

The exploitation of vulnerabilities in software and operating systems is becoming far more common for initial access to networks, with phishing declining in prevalence, according to Mandiant’s M-Trends 2024 Report. Manidant, part of Google Cloud, is a leading provider of dynamic cyber defense, threat intelligence, and incident response services. The latest report is based on data from Mandiant Consulting investigations of targeted attack activity conducted between January 1, 2023, and December 31, 2023.

Exploited software vulnerabilities were the initial access method in 38% of intrusions investigated by Manidant, up 6% from 2022, with phishing used for initial access in 17% of incidents, down from 22% in 2022. Attackers are increasingly targeting edge devices and are exploiting a wide variety of vulnerabilities. In 2023, Mandiant identified 97 unique zero-day vulnerabilities being exploited in the wild, up 56% from 2022. The exploitation of zero day vulnerabilities used to be limited to a small number of threat actors, typically nation-state cyberespionage groups. While state-sponsored threat actors continue to target zero-day flaws, especially China-nexus threat actors, ransomware and data extortion groups are increasingly acquiring and utilizing 0days, helped by the rise of commercially available turnkey exploit kits.

Threat actors are combining exploits of zero-day flaws with living-off-the-land techniques, which involve native, legitimate tools within a system to allow them to maintain persistence for longer and avoid detection. One of the reasons for the decline in phishing as an initial attack vector is the widespread adoption of multifactor authentication (MFA). While MFA is effective at preventing phishing attacks, Mandiant has identified an increase in the use of web proxies and adversary-in-the-middle phishing pages that can steal credentials and login session tokens to bypass MFA. Defenses can be improved against these attacks by adopting phishing-resistant MFA.

Mandiant has also observed an increase in malware, with 626 new malware families identified in 2023, more than any other year to date. The most common malware families were backdoors (33%), downloaders (16%), droppers (15%), credential stealers (7%) and ransomware (5%). The industries most commonly targeted by threat actors were financial services (17%), business and professional services (13%), high technology (12%), retail and hospitality (9%), and healthcare (8%), with attacks increasingly targeting cloud environments, as more organizations transition to the cloud. The most likely reason for targeting these sectors is they store a wealth of sensitive information, including proprietary business data, personally identifiable information, protected health information, and financial records.

Mandiant’s data show that organizations are getting better at identifying intrusions. Last year, attackers were present in networks for a median of 10 days before the intrusions were detected, down from a median of 16 days in 2022. “Defenders should be proud, but organizations must remain vigilant. A key theme throughout M-Trends 2024 is that attackers are taking steps to evade detection and remain on systems for longer, and one of the ways they accomplish this is through the use of zero-day vulnerabilities,” Jurgen Kutscher, Vice President, Mandiant Consulting at Google Cloud, told The HIPAA Journal. “This further highlights the importance of an effective threat hunt program, as well as the need for comprehensive investigations and remediation in the event of a breach.”

The post Threat Actors Increasingly Targeting Vulnerabilities for Initial Access appeared first on HIPAA Journal.

According to the Q1, 2024 ransomware report from the ransomware remediation firm Coveware, ransom payments have fallen to a record low with only 28% of victims opting to pay the ransom to recover files and/or prevent the exposure of stolen data. In Q1, 2019, more than 80% of victims of ransomware attacks paid the ransom, but the percentage has been steadily falling, with only 29% of victims paying up in Q4, 2023, and just 28% in Q1, 2024.

Coveware suggests several reasons for the decline in payments, including better preparation and more advanced protective measures that allow victims to recover files without having to pay the ransom, legal pressure on victims not to give in to demands, and growing distrust of ransom groups. There have been an increasing number of attacks where payment has been made only for the attackers to continue to leak data or trade stolen data with other groups. For instance, the recent Blackcat ransomware attack on Change Healthcare saw the operators pocket the $22 million ransom payment and not pay the affiliate, who switched to the RansomHub group, which started leaking the data to pressure Change Healthcare into paying another ransom payment.

Coveware also reports that the confidence of ransomware affiliates has been shaken by recent law enforcement operations against LockBit and BlackCat. While groups were able to recover from the takedowns, the operations demonstrated that ransomware groups are not beyond the reach of Western law enforcement agencies. Further, the actions of the groups following the attacks have not helped to restore affiliates’ confidence. Both groups have had public disputes with affiliates and refused to pay them their cut of the ransoms, and coupled with the risk of having their identities discovered by law enforcement, many have chosen to quit conducting attacks for those groups and potentially quit ransomware altogether.

Based on the attacks where Coveware has been engaged to assist with recovery, Akira is now the dominant group with a market share of 21%, followed by Blackbasta and Lockbit which each have a 9% share, medusa, Phobos, and BlackCat with 6%, and Rhysida, BlackSuit and Inc Ransom with a 4% market share. BlackBasta has returned to the list of top ransomware groups, which suggests that affiliates have been leaving BlackCat and Lockbit, while the increase in Phobos attacks suggests that some affiliates are choosing to set up their own operations.

There has been a trend for increasing ransom payments since 2019 and a sharp increase in payments in Q1, 2023; however, by Q3, 2024, ransom payments started to fall. That fall has continued, with Q1, 2024 seeing an average payment of $381,980, down 32% from the previous quarter. Median payments have been increasing slowly and jumped by 25% to $250,000 in Q1, 2024. This is due to ransomware groups demanding more reasonable payments to increase the likelihood of being paid.

The threat of publication of stolen data is often enough to get victims to pay up. 23% of victims who were only faced with the threat of publication of their data chose to pay the ransom in Q1; however, there is no guarantee that the stolen data will be deleted. The law enforcement disruption of LockBit confirmed that the group still held a lot of data from attacks where the victims had paid to have their data deleted. There have been several cases where payment has been made to one group, only for the data to be provided to another ransomware group for re-extortion.

Coveware tracks the ransomware vectors used to gain initial access to networks; although that is becoming increasingly difficult, with the initial access vector unclear in more than 40% of Q1, 2024 attacks. Remote access compromise is the most common of the confirmed attack vectors, with software vulnerabilities and phishing both in decline. It is also common for multiple attack vectors to be used to achieve an extortion-level impact. While few sectors have escaped ransomware attacks, in Q1, 2024, healthcare was the worst affected industry, accounting for 18.7% of attacks, followed by professional services (17.8%), the public sector (11.2%), and consumer services (10.3%).

The post Only 28% of Ransomware Victims Choose to Pay Ransom appeared first on HIPAA Journal.