Feds Share Threat Intelligence on Play Ransomware Operation

Posted by Steve Alder

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) about Play ransomware, aka Playcrypt. Play ransomware is believed to be a closed group rather than a ransomware-as-a-service operation and has been active since June 2022. The Play ransomware group engages in double extortion tactics, exfiltrating sensitive data before encrypting files. The stolen data is used as leverage to get victims to pay the ransom. Victims are required to contact the group via email to find out how much they must pay to prevent the release of stolen data on the group’s data leak site and to obtain the keys to decrypt data.

From June 2022 until October 2023, the Play ransomware group is known to have conducted at least 300 attacks on organizations around the world, including critical infrastructure in the United States. An analysis of the operation by Trend Micro in July 2023 found that 13.9% of victims of Play ransomware attacks were in the healthcare sector, with most attacks conducted on organizations in the United States. The group uses a variety of methods to gain initial access to victims’ networks, including abusing valid accounts and exploiting vulnerabilities in public-facing applications. The group has previously exploited vulnerabilities in FortiOS (CVE-2018-13379 and CVE-2020-12812) and the ProxyNotShell vulnerabilities in Microsoft Exchange (CVE-2022-41040 and CVE-2022-41082), and in some attacks has used Remote Desktop Protocol and VPNs for initial access. Once initial access has been gained, the group uses tools such as Cobalt Strike, PsExec, and SystemBC for file execution and lateral movement, Mimikatz for credential theft, and WinSCP for data exfiltration.

The cybersecurity alert includes details of the MITRE ATT&CK tactics and techniques used by the group, Indicators of Compromise (IoCs) from attacks as recent as October 2023, and recommended mitigations for hardening defenses. These include implementing multifactor authentication, keeping software, operating systems, and firmware up to date, segmenting networks to hamper attempts at lateral movement, filtering network traffic, disabling unused ports, and regularly conducting reviews of logs of systems activity and audits of user accounts.

The post Feds Share Threat Intelligence on Play Ransomware Operation appeared first on HIPAA Journal.

ALPHV/BlackCat Ransomware Operation Disrupted by FBI

Posted by Steve Alder

The ALPHV/BlackCat ransomware group has been disrupted by the Federal Bureau of Investigation, in partnership with Europol and law enforcement agencies in Denmark, Germany, Australia, Spain, Austria, the Netherlands, and the United Kingdom, in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.

ALPHV/BlackCat ransomware group first emerged in November 2021 and became one of the most prolific ransomware groups of recent years, second only to the LockBit ransomware group. ALPHV/BlackCat is a ransomware-as-a-service operation that uses affiliates to conduct attacks for a cut of any ransoms they generate. In its 2 years of operation, the group has claimed more than 1,000 victims worldwide and has collected hundreds of millions of dollars in ransom payments.

In early December 2023, the group’s Tor negotiation and data leak sites were taken offline which led to several security researchers suggesting that the group may have been the subject of a law enforcement operation, although a spokesperson for the group refuted those claims and said the websites were down due to a hosting issue. However, the U.S. Department of Justice (DoJ) has now confirmed that the outage was due to a law enforcement operation that saw the FBI successfully gain access to ALPHV’s infrastructure.

The law enforcement operation has been ongoing for several months. After breaching the servers, the FBI silently monitored operations and was able to obtain decryption keys, which allowed the FBI to develop a decryption tool that has helped more than 500 ALPHV victims decrypt their data without paying the ransom. According to the DoJ, the decryption tool has prevented the payment of around $68 million in ransom payments. The FBI was also able to seize the ALPHV data leak site, which now displays a banner stating the domain has been seized as part of an international law enforcement operation. The FBI obtained 946 public and private key pairs for the group’s affiliate panel, communication sites, and Tor sites that supported its operations.

ALPHV/BlackCat started out under the name DarkSide in the summer of 2020 and was behind the ransomware attack on Colonial Pipeline in May 2021. The high-profile attack on a U.S. critical infrastructure organization attracted considerable attention from law enforcement, and the group promptly shut down its operation and reformed under the name BlackMatter. In June 2021, the Department of Justice announced that it had seized $2.3 million in cryptocurrency from the DarkSide affiliate responsible for the attack. The BlackMatter operation was short-lived and was shut down in November 2021 after a decryptor was developed and law enforcement seized its servers; and was immediately replaced with ALPHV/BlackCat, which has been highly active until the recent takedown.

“Today’s announcement highlights the Justice Department’s ability to take on even the most sophisticated and prolific cybercriminals,” said U.S. Attorney Markenzy Lapointe for the Southern District of Florida. “As a result of our office’s tireless efforts, alongside FBI Miami, U.S. Secret Service, and our foreign law enforcement partners, we have provided Blackcat’s victims, in the Southern District of Florida and around the world, the opportunity to get back on their feet and to fortify their digital defenses. We will continue to focus on holding the people behind the Blackcat ransomware group accountable for their crimes.”

While the law enforcement operation has been successful, the group is likely to rebrand as it has done in the past and continue its attacks under a different name. In the meantime, affiliates that have been working with ALPHV/BlackCat may choose to join other ransomware groups such as LockBit.

The post ALPHV/BlackCat Ransomware Operation Disrupted by FBI appeared first on HIPAA Journal.

Optum Medical Care of New Jersey Settles OCR HIPAA Right of Access Investigation

Posted by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has agreed to settle alleged violations of the HIPAA Privacy Rule with Optum Medical Care of New Jersey for $160,000.

Optum Medical Care of New Jersey, formerly known as Riverside Medical Group and Riverside Pediatric Group, is a private multi-specialty physician group with approximately 150 locations in New Jersey and Southern Connecticut. In the Fall of 2021, OCR received six complaints from individuals who had not been provided with their records after sending a request to Optum Medical Care. The requests were to obtain a copy of an individual’s own records or requests from parents for copies of their minor children’s records.

The HIPAA Privacy Rule gives individuals the right to obtain a copy of their medical records and those of their minor children. When a request is received by a HIPAA covered entity, the records must be provided within 30 calendar days, although under certain limited circumstances, a 30-day extension is possible.

OCR launched an investigation in February 2022 in response to the complaints and determined that Optum Medical Care had exceeded the allowed timeframe for providing those records. The complainants had to wait between 84 days and 231 days to receive their requested records.

Optum Medical Care chose to settle the alleged violations and agreed to pay a $160,000 financial penalty and adopt a corrective action plan (CAP) that includes reviewing and revising its policies and procedures for individual access to PHI, providing training to the workforce on those new procedures, and ensuring that all patients are provided with their requested records within 30 days. In the event of a right of access request being denied, OCR must be informed and provided with documentation to support that denial. OCR will monitor Optum Medical Care for compliance with the CAP for a period of one year.

OCR launched its HIPAA Right of Access enforcement initiative in the fall of 2019, and this is the 46th investigation to result in a financial penalty. “Healthcare providers must make responding to parents’ or patients’ request for access to their medical records in a timely manner a priority,” said OCR Director Melanie Fontes Rainer. “Access to medical records is a fundamental right under HIPAA, and one for which OCR receives thousands of complaints each year.  This is the law—providers must proactively respond to record requests and ensure timely access.  Access to medical records empowers patients and their families to make decisions about their health care and improve their health overall. It is critical that providers follow the law.”

This is the 13th HIPAA enforcement action of 2023 to result in a financial penalty. In 2023, OCR has imposed $4,176,500 in financial penalties. The average penalty was $321,269 and the median penalty was $100,000.

OCR has also stated in its Healthcare Sector Cybersecurity Strategy that it is working with Congress to increase the penalties for HIPAA violations.

The post Optum Medical Care of New Jersey Settles OCR HIPAA Right of Access Investigation appeared first on HIPAA Journal.