Sunday, November 24, 2024

Six-months on: Are we still afraid of the Black Cat?


By Dr. Tim Sandle
DIGITAL JOURNAL
November 22, 2024


A member of the Red Hacker Alliance in Dongguan, China in August 2020 monitors cyberattacks around the world. Hacks have increased through the pandemic and the war in Ukraine - Copyright AFP/File Noel Celis

Earlier in 2024 a joint advisory was issued in the U.S. by the agencies responsible for security: the FBI, CISA, and HHS. It warned the healthcare sector about BlackCat ransomware, following the group’s association with the Change Healthcare cyberattack.

BlackCat, also known as ALPHV, is ransomware written in Rust. It first appeared in November 2021. The same name is applied to the threat actor that operates it.

How safe is healthcare now? To review the situation, Digital Journal heard from Andrew Costis, Chapter Lead of the Adversary Research Team at AttackIQ.

To begin with, Costis offers a reminder of the key elements of the U.S. government security statement: “This advisory contains updates to the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with BlackCat from a December advisory and the FBI’s FLASH alert from April 2022.”

As to the actual threat agent, Costis summarises the risk as: “BlackCat, a Rust-based ransomware family first identified in November 2021, operates under a Ransomware-as-a-Service (RaaS) model. The group was disrupted by FBI operations last December. After this takedown, BlackCat administrators urged affiliates to target hospitals and critical infrastructure.”

BlackCat operates on a ransomware as a service (RaaS) model, with developers offering the malware for use by affiliates and taking a percentage of ransom payments.

Threat actors who work with BlackCat seek to gain initial access to IT environments and user accounts. This can be achieved in a variety of ways, such as exposed Remote Desktop Protocol (RDP) services, compromised credentials, and Exchange Server vulnerabilities.
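The initial-access vectors named above (RDP and compromised credentials) leave a recognisable trace in Windows logon events: a burst of failed remote-interactive logons from one source, followed by a success. The detector below is an added example written for this page, not code from the article, AttackIQ, or the joint advisory. It runs over constructed, simplified event lines; the pipe-delimited layout, the threshold, and the window are assumptions, while the event IDs (4624 success, 4625 failure) and logon type 10 (RemoteInteractive) are the standard Windows Security log values.

```python
"""Flag suspicious RDP logon patterns in simplified Windows Security events.

Added example: the record layout, thresholds and sample data are constructed
for illustration. Real input would be Event IDs 4624/4625 with LogonType 10.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10            # RemoteInteractive (RDP)
FAILURE_THRESHOLD = 5          # failed RDP logons from one source inside WINDOW
WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    event_id: int        # 4624 = success, 4625 = failure
    logon_type: int
    user: str
    source_ip: str


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed, pipe-delimited line:
    '2024-02-01T02:14:05|4625|10|svc_backup|203.0.113.7'
    """
    ts, eid, ltype, user, ip = line.strip().split("|")
    return LogonEvent(datetime.fromisoformat(ts), int(eid), int(ltype), user, ip)


def detect_rdp_abuse(lines):
    """Return findings as (source_ip, kind, detail) tuples.

    Two patterns are reported:
    - 'brute_force': at least FAILURE_THRESHOLD failed RDP logons from one
      source IP inside a sliding WINDOW (reported once per source).
    - 'spray_then_success': a successful RDP logon from a source that was
      already flagged, the usual sign that a guessed or stolen credential
      worked.
    """
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: e.time)
    failures = defaultdict(list)   # source_ip -> timestamps of failed RDP logons
    flagged_ips = set()
    findings = []
    for ev in events:
        if ev.logon_type != RDP_LOGON_TYPE:
            continue                # only remote-interactive logons matter here
        if ev.event_id == 4625:
            bucket = failures[ev.source_ip]
            bucket.append(ev.time)
            # discard failures that fell out of the sliding window
            while bucket and ev.time - bucket[0] > WINDOW:
                bucket.pop(0)
            if len(bucket) >= FAILURE_THRESHOLD and ev.source_ip not in flagged_ips:
                flagged_ips.add(ev.source_ip)
                findings.append((ev.source_ip, "brute_force",
                                 f"{len(bucket)} RDP failures within {WINDOW}"))
        elif ev.event_id == 4624 and ev.source_ip in flagged_ips:
            findings.append((ev.source_ip, "spray_then_success",
                             f"successful RDP logon as {ev.user} after failure burst"))
    return findings


# Constructed sample: one noisy external source, one benign admin logon,
# and one network (non-RDP) logon that the detector must ignore.
SAMPLE_EVENTS = [
    "2024-02-01T02:14:05|4625|10|administrator|203.0.113.7",
    "2024-02-01T02:14:09|4625|10|admin|203.0.113.7",
    "2024-02-01T02:14:12|4625|10|svc_backup|203.0.113.7",
    "2024-02-01T02:14:20|4625|10|jsmith|203.0.113.7",
    "2024-02-01T02:14:31|4625|10|nurse01|203.0.113.7",
    "2024-02-01T02:16:40|4624|10|jsmith|203.0.113.7",
    "2024-02-01T08:01:00|4624|10|itadmin|10.0.5.20",
    "2024-02-01T08:05:00|4624|3|fileshare|10.0.5.21",
]

if __name__ == "__main__":
    for ip, kind, detail in detect_rdp_abuse(SAMPLE_EVENTS):
        print(f"{ip}: {kind} - {detail}")
```

On the sample data the detector reports the external source twice: once when the fifth failure lands inside the window, and again when the later success from the same source arrives. The benign administrator logon and the network logon produce nothing. In production the same logic would sit on SIEM-normalised 4624/4625 records, with thresholds tuned to the environment's own baseline.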

Of the different risk areas, healthcare is the most vulnerable according to Costis: “The healthcare sector has been the most commonly victimized out of the nearly 70 leaked victims. The cyberattack on Change Healthcare, the largest healthcare payment exchange platform, has significantly impacted pharmacies nationwide, prompting the adoption of electronic workarounds.”

The best option is for the healthcare sector to prioritize cybersecurity measures. Costis recommends: “The vast amount of sensitive patient data stored within healthcare systems makes these organizations a dangerous target for ransomware groups, with the potential for far-reaching consequences. These attacks can cripple organizational operations and, more importantly, compromise patient health and safety.”

Furthermore, Costis advises: “Healthcare organizations must now prioritize validating their security controls against BlackCat’s TTPs as outlined in the joint advisory leveraging the MITRE ATT&CK framework. By emulating the behaviors exhibited by BlackCat, organizations can assess their security postures and pinpoint any vulnerabilities. This proactive approach is essential to mitigate the risk of future attacks.”
