FBI – INDIA NEWS (https://www.indiavpn.org)

FBI Warns U.S. Healthcare Sector of Targeted BlackCat Ransomware Attacks
https://www.indiavpn.org/2024/02/28/fbi-warns-u-s-healthcare-sector-of-targeted-blackcat-ransomware-attacks/
Wed, 28 Feb 2024 13:53:31 +0000

Feb 28, 2024 | Newsroom | Ransomware / Healthcare

The U.S. government is warning about the resurgence of BlackCat (aka ALPHV) ransomware attacks targeting the healthcare sector as recently as this month.

“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized,” the government said in an updated advisory.

“This is likely in response to the ALPHV/BlackCat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”

The advisory comes from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS).

The BlackCat ransomware operation suffered a major blow late last year when a coordinated law enforcement operation seized its dark web leak sites. The takedown proved short-lived, however: the group regained control of the sites and moved to a new TOR data leak portal that remains active as of writing.

The group has also ramped up attacks against critical infrastructure organizations in recent weeks, claiming responsibility for intrusions at Prudential Financial, LoanDepot, Trans-Northern Pipelines, and UnitedHealth Group subsidiary Optum.

The development has prompted the U.S. government to announce financial rewards of up to $15 million for information leading to the identification of key members as well as affiliates of the e-crime group.


BlackCat’s ransomware spree coincides with the return of LockBit after similar disruption efforts led by the U.K. National Crime Agency (NCA) last week.

According to a report from SC Magazine, threat actors breached Optum’s network by leveraging the recently disclosed critical security flaws in ConnectWise’s ScreenConnect remote desktop and access software.

The flaws, which allow for remote code execution on susceptible systems, have also been weaponized by the Black Basta and Bl00dy ransomware gangs as well as by other threat actors to deliver Cobalt Strike Beacons, XWorm, and even other remote management tools like Atera, Syncro, and another ScreenConnect client.

Attack surface management firm Censys said it observed more than 3,400 exposed, potentially vulnerable ScreenConnect hosts online, most of them located in the U.S., Canada, the U.K., Australia, Germany, France, India, the Netherlands, Turkey, and Ireland.

“It’s clear that remote access software like ScreenConnect continues to be a prime target for threat actors,” Censys security researcher Himaja Motheram said.

The findings come as ransomware groups like RansomHouse, Rhysida, and a Phobos variant called Backmydata have continued to compromise various organizations in the U.S., U.K., Europe, and the Middle East.

In a sign that these cybercrime groups are shifting to more nuanced and sophisticated tactics, RansomHouse has developed a custom tool dubbed MrAgent to deploy the file-encrypting malware at scale.


“MrAgent is a binary designed to run on [VMware ESXi] hypervisors, with the sole purpose of automating and tracking the deployment of ransomware across large environments with a high number of hypervisor systems,” Trellix said. Details of MrAgent first came to light in September 2023.

Another significant tactic adopted by some ransomware groups is selling direct network access, advertised on their own blogs, Telegram channels, or data leak websites, as a new monetization method, KELA said.

It also follows the public release of a Linux-specific, C-based ransomware threat known as Kryptina, which surfaced in December 2023 on underground forums and has since been made available for free on BreachForums by its creator.


“The release of the RaaS source code, complete with extensive documentation, could have significant implications for the spread and impact of ransomware attacks against Linux systems,” SentinelOne researcher Jim Walter said.

“It is likely to increase the ransomware builder’s attractiveness and usability, drawing in yet more low-skilled participants to the cybercrime ecosystem. There is also significant risk that it will lead to the development of multiple spin-offs and an increase in attacks.”

After FBI Takedown, KV-Botnet Operators Shift Tactics in Attempt to Bounce Back
https://www.indiavpn.org/2024/02/07/after-fbi-takedown-kv-botnet-operators-shift-tactics-in-attempt-to-bounce-back/
Wed, 07 Feb 2024 17:15:34 +0000

The threat actors behind the KV-botnet made “behavioral changes” to the malicious network as U.S. law enforcement began issuing commands to neutralize the activity.

KV-botnet is the name given to a network of compromised small office and home office (SOHO) routers and firewall devices across the world, with one specific cluster acting as a covert data transfer system for other Chinese state-sponsored actors, including Volt Typhoon (aka Bronze Silhouette, Insidious Taurus, or Vanguard Panda).

Active since at least February 2022, it was first documented by the Black Lotus Labs team at Lumen Technologies in mid-December 2023. The botnet is known to comprise two main sub-groups, viz. KV and JDY, with the latter principally used for scanning potential targets for reconnaissance.

Late last month, the U.S. government announced a court-authorized disruption effort to take down the KV cluster, which is typically reserved for manual operations against high-profile targets chosen after broader scanning via the JDY sub-group.

Now, according to new findings from Lumen, the JDY cluster fell silent for roughly fifteen days following public disclosure and the U.S. Federal Bureau of Investigation (FBI) operation.

“In mid-December 2023, we observed this activity cluster hovering around 1500 active bots,” security researcher Ryan English said. “When we sampled the size of this cluster in mid-January 2024 its size dwindled to approximately 650 bots.”

Given that the takedown actions began with a signed warrant issued on December 6, 2023, it’s fair to assume that the FBI began transmitting commands to routers located in the U.S. sometime on or after that date to wipe the botnet payload and prevent them from being re-infected.

“We observed the KV-botnet operators begin to restructure, committing eight straight hours of activity on December 8, 2023, nearly ten hours of operations the following day on December 9, 2023, followed by one hour on December 11, 2023,” Lumen said in a technical report shared with The Hacker News.

During this four-day period, the threat actor was spotted interacting with 3,045 unique IP addresses that were associated with NETGEAR ProSAFEs (2,158), Cisco RV 320/325 (310), Axis IP cameras (29), DrayTek Vigor routers (17), and other unidentified devices (531).

Also observed in early December 2023 was a massive spike in exploitation attempts from the payload server, indicating the adversary’s likely attempts to re-exploit the devices as they detected their infrastructure going offline. Lumen said it also took steps to null-route another set of backup servers that became operational around the same time.

It's worth noting that the operators of the KV-botnet are known to perform their own reconnaissance and targeting while also supporting multiple groups like Volt Typhoon. Interestingly, the timestamps associated with exploitation of the bots correlate with China working hours.

“Our telemetry indicates that there were administrative connections into the known payload servers from IP addresses associated with China Telecom,” Danny Adamitis, principal information security engineer at Black Lotus Labs, told The Hacker News.


What’s more, the statement from the U.S. Justice Department described the botnet as controlled by “People’s Republic of China (PRC) state-sponsored hackers.”

This raises the possibility that the botnet “was created by an organization supporting the Volt Typhoon hackers; whereas if the botnet was created by Volt Typhoon, we suspect they would have said ‘nation-state’ actors,” Adamitis added.

There are also signs that the threat actors established a third related-but-distinct botnet cluster dubbed x.sh as early as January 2023, composed of Cisco routers infected through the deployment of a web shell named "fys.sh," as highlighted by SecurityScorecard last month.

But with KV-botnet being just "one form of infrastructure used by Volt Typhoon to obfuscate their activity," the recent wave of actions is expected to prompt the state-sponsored actors to transition to another covert network in order to meet their strategic goals.

“A significant percent of all networking equipment in use around the world is functioning perfectly well, but is no longer supported,” English said. “End users have a difficult financial choice when a device reaches that point, and many aren’t even aware that a router or firewall is at the end of its supported life.

“Advanced threat actors are well aware that this represents fertile ground for exploitation. Replacing unsupported devices is always the best choice, but not always feasible.”

“Mitigation involves defenders adding their edge devices to the long list of those they already have to patch and update as often as available, rebooting devices and configuring EDR or SASE solutions where applicable, and keeping an eye on large data transfers out of the network. Geofencing is not a defense to rely on, when the threat actor can hop from a nearby point.”

FBI Takes Down BlackCat Ransomware, Releases Free Decryption Tool
https://www.indiavpn.org/2023/12/24/fbi-takes-down-blackcat-ransomware-releases-free-decryption-tool/
Sun, 24 Dec 2023 15:36:02 +0000

The U.S. Justice Department (DoJ) has officially announced the disruption of the BlackCat ransomware operation and released a decryption tool that more than 500 affected victims can use to regain access to files locked by the malware.

Court documents show that the U.S. Federal Bureau of Investigation (FBI) enlisted the help of a confidential human source (CHS) to act as an affiliate for the BlackCat group and gain access to a web panel used for managing the gang’s victims, in what’s a case of hacking the hackers.

The confiscation effort involved collaboration and assistance from multiple law enforcement agencies from the U.S., Germany, Denmark, Australia, the U.K., Spain, Switzerland, and Austria.

BlackCat, also called ALPHV, GOLD BLAZER, and Noberus, first emerged in December 2021 and has since gone on to be the second most prolific ransomware-as-a-service variant in the world after LockBit. It’s also the first Rust-language-based ransomware strain spotted in the wild.

The development puts an end to speculations of a rumored law enforcement action after its dark web leak portal went offline on December 7, only to resurface five days later with just a single victim.

The FBI said it worked with dozens of victims in the U.S. to implement the decryptor, saving them from ransom demands totaling about $68 million, and that it also gained insight into the ransomware’s computer network, allowing it to collect 946 public/private key pairs used to host the TOR sites operated by the group and dismantle them.


One important thing to note here is that creating a hidden service with a .onion URL on the TOR anonymization network generates a unique key pair, a private key and a public key (the latter serving as the service's identifier), that can be used to access and control the URL.

An actor in possession of the key pair can, therefore, broadcast a new route that redirects traffic for the .onion site to a different server under their control.

BlackCat, like several other ransomware gangs, uses a ransomware-as-a-service model involving a mix of core developers and affiliates; the affiliates rent the payload and are responsible for identifying and attacking high-value victim institutions.

It also employs the double extortion scheme to put pressure on victims to pay up by exfiltrating sensitive data prior to encryption.

“BlackCat affiliates have gained initial access to victim networks through a number of methods, including leveraging compromised user credentials to gain initial access to the victim system,” the DoJ said.

In all, the financially motivated actor is estimated to have compromised the networks of more than 1,000 victims across the world to earn nearly $300 million in illegal revenues as of September 2023.

BlackCat Ransomware
Image Source: Resecurity

If anything, the takedown has proven to be a blessing in disguise for rival groups like LockBit, which is already capitalizing on the situation by actively recruiting displaced affiliates, offering its data leak site to resume victim negotiations.

Speaking to malware research group vx-underground, a BlackCat spokesperson said “they have moved their servers and blogs,” claiming that the law enforcement agencies only had access to a “stupid old key” for the old blog site which was deleted by the group a long time ago and has since not been used.


The threat actor’s newest leak website remains operational as of writing. “On December 13, the group published the first victim to its new leak site,” Secureworks said. “As of December 19, five victims were posted to the new site, demonstrating the group retained some operational capacity.”

However, hours after the takedown, the BlackCat group took steps to “unseize” the main leak site using the same set of cryptographic keys necessary to host the hidden service on the TOR network and post its own seizure notice.

It has also given affiliates the green light to infiltrate critical infrastructure entities such as hospitals and nuclear power plants as well as other targets with the exception of those inside the Commonwealth of Independent States (CIS) as a retaliatory measure. The FBI has since re-seized the website.

“The threats seem like ‘now you’ve done it’ posturing, but this group has a documented history of attacking healthcare and energy infrastructure targets already, so it feels like bluster,” Secureworks Counter Threat Unit (CTU) told The Hacker News.

“Given that such activity appears more likely to bring law enforcement attention – which is why many groups explicitly avoid it – it seems unlikely that affiliates will choose to specifically target such organizations, especially as ransomware is a crime of opportunity for the most part and based on available access to victim networks.”

“That said, some less risk averse affiliates may be more willing to target energy and healthcare organizations. The flip side is that it is just as likely that the uncertainty caused by the law enforcement disruption will drive affiliates away from BlackCat into the arms of other ransomware operators, such as LockBit. Such interventions breed distrust and paranoia among ransomware group members and affiliates.”

In a conversation with vx-underground, a LockBit administrator described the situation as “unfortunate” and that security loopholes in their infrastructure are a primary threat to “my business.”

(The story was updated after publication to include additional information about the infrastructure seizure.)
