ALPHV/BlackCat Claims Healthcare Restrictions Removed for Affiliates

Posted by Steve Alder

In response to the law enforcement operation that resulted in the seizure of its websites, the ALPHV/BlackCat ransomware group has removed virtually all restrictions on affiliates and said discounts and extensions have stopped, and patient data will now be published on its leak site.

The Department of Justice (DoJ) recently announced that the Federal Bureau of Investigation was able to gain access to the infrastructure of the ALPHV/BlackCat ransomware group, which allowed it to seize the websites used for communication, data leaks, and negotiations and obtain the decryption keys to help around 500 victims recover from attacks. The decryption tool developed by the FBI has saved around $68 million in ransom payments, according to the DoJ.

According to the search warrant, the FBI engaged with a confidential human source (CHS) to sign up to become an affiliate of the group. After an interview with the operators, the CHS was provided with credentials to access the backend affiliate portal, thus giving the FBI access to the portal. The FBI was able to obtain 946 public/private key pairs for the group’s Tor sites that were used to host victim communication sites, leak sites, and affiliate panels.

Updated ALPHV/BlackCat Cybersecurity Advisory Published

A joint cybersecurity advisory has been issued by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) that updates its April 2022 advisory about ALPHV. The latest advisory includes updated information on the tactics, techniques, and procedures (TTPs) associated with the group and Indicators of Compromise (IoCs) from FBI investigations as recently as December 6, 2023. Healthcare organizations are strongly advised to implement the recommended mitigations as while the law enforcement operation was a success and caused disruption, the ALPHV group claims it is still operational. Based on its response, the group has now decided to play hardball.

ALPHV Responds by Removing Restrictions

ALPHV is also able to access its sites and responded with an update of its own, stating on its leak site that the website has been unseized. The group provided its side of the story, claiming that the FBI only gained access to the decryption keys from the previous month and a half – around 400 victims. The group said it has attacked more than 3,000 companies and that as a result of the FBI’s actions, the decryption keys for those will never be released.

In the angry message, the group said it has now removed all but one of the restrictions for affiliates. Affiliates will still not be permitted to conduct any attacks on targets in the Commonwealth of Independent States, but all other restrictions have been removed. “You can now block hospitals, nuclear power plants, anything and anywhere,” wrote the group. In the post, ALPHV said it will no longer offer discounts on ransom demands, will not provide any time extensions, and that if patient data is stolen, it will no longer be removed and will be uploaded to its data leak site. The group also claimed it will always notify the SEC and the HHS in the event of no initial contact.

A rebrand may still be on the cards, but based on the response, the group is still operational and now plans to be even more vindictive. ALPH said if victims do not make contact before they are added to its blog, stolen data will be leaked and the families of executive teams and employees will be harassed – “even your young children are not exempt,” wrote ALPHV.

The post ALPHV/BlackCat Claims Healthcare Restrictions Removed for Affiliates appeared first on HIPAA Journal.

Compliancy Group Best Healthcare Compliance Software According to G2

Posted by Steve Alder

Compliancy Group has been named the best healthcare compliance software provider by G2 in its Winter 2023 Reports. G2, (formerly G2 Crowd) is the world’s largest and most trusted software marketplace. Each year, 80 million people visit the G2 peer-to-peer business software review website to read and write reviews of software and conduct research to inform purchase decisions. Each quarter, G2 releases Grid Reports to help technology buyers visualize the marketplace and identify companies that provide software solutions to meet their needs. The Grid Reports categorize companies as niche providers, contenders, high performers, and leaders based on their market presence and customer satisfaction scores. Leaders are companies that combine a strong market presence with high customer satisfaction scores.

In the Winter 2023 Reports, Compliance Group was named the best software company in the healthcare compliance software category. To qualify for inclusion in the healthcare compliance software category, a company must provide software that allows users to monitor, track, and update any changes to industry and/or governmental regulation and practice; facilitate the designation of compliance officers and committees; develop compliance-specific policies and procedures, including standards of conduct; facilitate open lines of communication; support appropriate and relevant compliance training and education; set up, track, and respond to detected compliance offenses; and support or offer internal monitoring, auditing, and measuring efforts.

98% of users of Compliancy Group’s Healthcare compliance software gave a 4- or 5-star rating and 96% of users believed the company to be heading in the right direction. 96% said that they would be likely to recommend the software. The company was recognized by G2 as being the easiest to do business with, a leader in the Americas, having the highest user adoption rate, and was also named as a momentum leader – a company that combines high satisfaction scores, with a strong digital presence, and strong employee growth.

Compliancy Group was also named a leader in the healthcare risk management category. To be included in the healthcare risk management software category, a company must support the creation and modification of healthcare risk management plans; provide risk surveillance tools; collect patient, provider, and operational data across the hospital; and comply with healthcare regulations such as HIPAA and HITECH. In this category, Compliancy Group achieved an average customer satisfaction score of 4.8 out of 5 and was ranked as the 2nd easiest healthcare risk management software to use.

The post Compliancy Group Best Healthcare Compliance Software According to G2 appeared first on HIPAA Journal.

Feds Share Threat Intelligence on Play Ransomware Operation

Posted by Steve Alder

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) about Play ransomware, aka Playcrypt. Play ransomware is believed to be a closed group rather than a ransomware-as-a-service operation and has been active since June 2022. The Play ransomware group engages in double extortion tactics, exfiltrating sensitive data before encrypting files. The stolen data is used as leverage to get victims to pay the ransom. Victims are required to contact the group via email to find out how much they must pay to prevent the release of stolen data on the group’s data leak site and to obtain the keys to decrypt data.

From June 2022 until October 2023, the Play ransomware group is known to have conducted at least 300 attacks on organizations around the world, including critical infrastructure in the United States. An analysis of the operation by Trend Micro in July 2023 found that 13.9% of victims of Play ransomware attacks were in the healthcare sector, with most attacks conducted on organizations in the United States. The group uses a variety of methods to gain initial access to victims’ networks, including abusing valid accounts and exploiting vulnerabilities in public-facing applications. The group has previously exploited vulnerabilities in FortiOS (CVE-2018-13379 and CVE-2020-12812) and the ProxyNotShell vulnerabilities in Microsoft Exchange (CVE-2022-41040 and CVE-2022-41082), and in some attacks has used Remote Desktop Protocol and VPNs for initial access. Once initial access has been gained, the group uses tools such as Cobalt Strike, PsExec, and SystemBC for file execution and lateral movement, Mimikatz for credential theft, and WinSCP for data exfiltration.

The cybersecurity alert includes details of the MITRE ATT&CK tactics and techniques used by the group, Indicators of Compromise (IoCs) from attacks as recent as October 2023, and recommended mitigations for hardening defenses. These include implementing multifactor authentication, keeping software, operating systems, and firmware up to date, segmenting networks to hamper attempts at lateral movement, filtering network traffic, disabling unused ports, and regularly conducting reviews of logs of systems activity and audits of user accounts.

The post Feds Share Threat Intelligence on Play Ransomware Operation appeared first on HIPAA Journal.

Feds Share Threat Intelligence on Play Ransomware Operation

Posted by Steve Alder

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) about Play ransomware, aka Playcrypt. Play ransomware is believed to be a closed group rather than a ransomware-as-a-service operation and has been active since June 2022. The Play ransomware group engages in double extortion tactics, exfiltrating sensitive data before encrypting files. The stolen data is used as leverage to get victims to pay the ransom. Victims are required to contact the group via email to find out how much they must pay to prevent the release of stolen data on the group’s data leak site and to obtain the keys to decrypt data.

From June 2022 until October 2023, the Play ransomware group is known to have conducted at least 300 attacks on organizations around the world, including critical infrastructure in the United States. An analysis of the operation by Trend Micro in July 2023 found that 13.9% of victims of Play ransomware attacks were in the healthcare sector, with most attacks conducted on organizations in the United States. The group uses a variety of methods to gain initial access to victims’ networks, including abusing valid accounts and exploiting vulnerabilities in public-facing applications. The group has previously exploited vulnerabilities in FortiOS (CVE-2018-13379 and CVE-2020-12812) and the ProxyNotShell vulnerabilities in Microsoft Exchange (CVE-2022-41040 and CVE-2022-41082), and in some attacks has used Remote Desktop Protocol and VPNs for initial access. Once initial access has been gained, the group uses tools such as Cobalt Strike, PsExec, and SystemBC for file execution and lateral movement, Mimikatz for credential theft, and WinSCP for data exfiltration.

The cybersecurity alert includes details of the MITRE ATT&CK tactics and techniques used by the group, Indicators of Compromise (IoCs) from attacks as recent as October 2023, and recommended mitigations for hardening defenses. These include implementing multifactor authentication, keeping software, operating systems, and firmware up to date, segmenting networks to hamper attempts at lateral movement, filtering network traffic, disabling unused ports, and regularly conducting reviews of logs of systems activity and audits of user accounts.

The post Feds Share Threat Intelligence on Play Ransomware Operation appeared first on HIPAA Journal.