US Government Warns of BlackCat Ransomware Resurgence Targeting Healthcare Sector

The United States government has issued a warning regarding the resurgence of BlackCat ransomware attacks, also known as ALPHV, targeting the healthcare sector as recently as this month. According to an updated advisory from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS), the healthcare sector has been the primary target since mid-December 2023, with nearly 70 leaked victims identified.

The resurgence of attacks is believed to be in response to a call from the ALPHV/BlackCat administrator urging affiliates to target hospitals following operational disruptions against the group and its infrastructure in early December 2023. Despite a previous law enforcement operation resulting in the seizure of its dark leak sites, BlackCat ransomware remains active, utilizing a new TOR data leak portal.

Recent targets of BlackCat ransomware attacks include critical infrastructure organizations such as Prudential Financial, LoanDepot, Trans-Northern Pipelines, and Optum, a subsidiary of UnitedHealth Group. In response to the escalating threat, the U.S. government has announced financial rewards of up to $15 million for information leading to the identification of key members and affiliates of the e-crime group.

The resurgence of BlackCat ransomware coincides with the return of LockBit following similar disruption efforts by the U.K. National Crime Agency (NCA). Threat actors have exploited critical security flaws in ConnectWise’s ScreenConnect remote desktop and access software to breach networks, with over 3,400 potentially vulnerable hosts observed online by cybersecurity firm Censys.

In a concerning trend, ransomware groups like RansomHouse, Rhysida, and a variant of Phobos named Backmydata continue to target organizations globally, utilizing sophisticated tactics. RansomHouse has developed a custom tool called MrAgent to automate the deployment of ransomware across large environments, while some groups are selling direct network access as a new monetization method.

Furthermore, the release of a Linux-specific ransomware threat known as Kryptina on underground forums poses a significant risk, potentially leading to an increase in attacks against Linux systems. According to SentinelOne researcher Jim Walter, the availability of the Ransomware-as-a-Service (RaaS) source code could attract more low-skilled participants to the cybercrime ecosystem, resulting in the proliferation of attacks.
