FBI, CISA warns Of ALPHV Blackcat Ransomware Attacking Hospitals

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) have issued a joint advisory warning about the ALPHV Blackcat ransomware.

This ransomware-as-a-service (RaaS) has been identified through FBI investigations as targeting the healthcare sector with increased frequency since mid-December 2023.

You can analyze a malware file, network, module, and registry activity with the ANY.RUN malware sandbox, and the Threat Intelligence Lookup that will let you interact with the OS directly from the browser.

Sophisticated Attack Techniques

ALPHV Blackcat actors have adapted their communication methods, creating victim-specific emails to notify them of the initial compromise.

The ransomware group has been linked to over 60 breaches in its first four months of activity, with many victims being healthcare organizations. 

The advisory updates previous alerts from April 2022 and December 2023, noting the ransomware’s evolution and the introduction of the ALPHV Blackcat Ransomware 2.0 Sphynx update in February 2023.

This update has enabled the ransomware to encrypt Windows and Linux devices and VMWare instances and has provided affiliates with better defense evasion and additional tooling.

Technical Details and Mitigation Strategies

The ransomware affiliates use advanced social engineering, posing as IT or helpdesk staff to gain network access.

Ransom Note Instruction
Ransom Note Instruction

They deploy remote access software and use various techniques for domain access, data exfiltration, and lateral movement within the network. After installing the ransomware, they allow listed applications and clear logs to evade detection.

The FBI, CISA, and HHS have recommended a series of mitigations to improve cybersecurity posture and reduce the risk of compromise by ALPHV Blackcat threat actors.

These include securing remote access tools, implementing phishing-resistant multifactor authentication (MFA), and user training on social engineering and phishing attacks.

In the event of a compromise, organizations are advised to quarantine affected hosts, reimage compromised systems, provision new account credentials, and report the incident to CISA or the FBI’s Internet Crime Complaint Center (IC3).

The FBI has also developed a decryption tool to assist victims in restoring their systems.

Ongoing Law Enforcement Efforts

The Department of Justice has launched a disruption campaign against the ransomware group, which has targeted over 1,000 victims, including critical U.S. infrastructure.

The FBI has worked with affected victims to implement a decryption tool, saving them from approximately $68 million in ransom demands.

The joint advisory underscores the severe threat of ALPHV Blackcat ransomware, particularly to the healthcare sector.

It is a call to action for organizations to implement recommended cybersecurity measures and to report any incidents to facilitate law enforcement’s efforts to disrupt the activities of this ransomware group.

IOCs

MD5DescriptionFile Name
944153fb9692634d6c70899b83676575ALPHV Windows Encryptor 
efc80697aa58ab03a10d02a8b00ee740c90abb4bbbfe7289de6ab1f374d0bcbeALPHV Linux Encryptor 
341d43d4d5c2e526cadd88ae8da70c1cAnti Virus Tools Killer363.sys
34aac5719824e5f13b80d6fe23cbfa07CobaltStrike BEACONLMtool.exe
eea9ab1f36394769d65909f6ae81834bCobaltStrike BEACONInfo.exe
379bf8c60b091974f856f08475a03b04ALPHV Linux Encryptorhim
ebca4398e949286cb7f7f6c68c28e838SimpleHelp Remote Management toolfirst.exe
c04c386b945ccc04627d1a885b500edfTunneler Toolconhost.exe
824d0e31fd08220a25c06baee1044818Anti Virus Tools KilleribmModule.dll

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.