Showing posts with label BlackCat.

How Much Will Each Stolen Client SSN Cost You Now That You Have Been Pwned?

A Florida healthcare organization has settled a class-action lawsuit following the theft from its systems of more than 447,000 patient names, Social Security numbers, and private medical records.

Orlando Family Physicians, which runs 10 clinics in central Florida, has agreed to reimburse affected patients who submit a claim by July 1 and to provide them with two years of free credit monitoring. Patients may receive up to $225 or, if their SSNs were stolen, up to $7,500, depending on what kind of private information the thieves obtained.

As part of the settlement, however, the physician group denies any responsibility for the data theft.

Court records show that the breach took place in April 2021, after thieves used a phishing scam to gain access to the email accounts of four employees. Orlando Family Physicians says it "immediately" took the necessary steps, contained the intrusion, and hired a "leading" security firm to determine its scope.

A few months later, the health group published a notice on its website and sent letters to the people whose private information had been compromised. The exposed data reportedly included names, demographic information, and health information (diagnoses, medical record numbers, patient account numbers, passport numbers, providers, and prescriptions), as well as health insurance details, including legacy Medicare beneficiary numbers derived from the person's Social Security number or other subscriber identification numbers.

However, according to the physician group, "the available forensic evidence indicates that the unauthorized person's purpose was to commit financial fraud against OFP and not to obtain personal information about the affected individuals."

OFP reported the breach to the US Department of Health and Human Services as potentially affecting 447,426 individuals.

Is Your PII Worth $225, or $7,500?

After the attorneys take their cut, of course, the hundreds of thousands of people whose personal information may well have ended up for sale on a hacking forum are now eligible for compensation. The settlement's overall sum has not been disclosed.

Two groups within the class stand to receive money. The first, individuals who incurred out-of-pocket costs as a result of the theft, may claim up to $225 in documented expenses. This covers costs incurred while freezing or unfreezing credit reports, paying for credit monitoring services, or contacting banks about the incident, including notary, fax, postage, copying, mileage, and long-distance phone charges.

Members of this group can also claim up to three hours of time lost dealing with the breach, at a rate of $25 per hour.

The second group consists of victims whose Social Security numbers were taken. They may claim up to $7,500 for documented identity theft, fraudulent tax returns, or other fraud that can be traced back to the breach, and can also claim up to eight hours of lost time at $25 per hour.

The settlement comes as ransomware gangs and other cybercriminals intensify their attacks on hospitals and other healthcare organizations, and plaintiffs' lawyers have responded with a wave of class-action suits.

A separate proposed class action followed an intrusion in February in which the BlackCat ransomware gang broke into the network of a Lehigh Valley Health Network physician practice, stole sensitive health records belonging to more than 75,000 people, including photographs of patients undergoing radiation oncology treatment, and then demanded a ransom to decrypt the files and refrain from posting the records online.

LockBit Latest Variant LockBit 3.0, With BlackMatter Capabilities

The healthcare sector has been asked to review the published indicators of compromise (IOCs) and to take proactive steps against the BlackCat and LockBit 3.0 ransomware variants, both of which are aggressively targeting healthcare organizations.

On 2 December the Department of Health and Human Services Cybersecurity Coordination Center (HC3) published two new analyst notes; the agency has also issued alerts on four other ransomware families, namely Venus, Hive, Lorenz, and Royal.

Data from past attacks suggests that well-rehearsed, properly prepared plans and a clear understanding of the attack are crucial to a successful ransomware response. For BlackCat and LockBit 3.0 in particular, HC3 strongly recommends that the healthcare sector's response be planned in advance and proactive.

"BlackCat can also clear the Recycle Bin, connect to a Microsoft cluster and scan for network devices. It also uses the Windows Restart," according to the alert.

According to the alert, healthcare is among the most targeted industries, with the pharmaceutical sector in particular under constant attack. HC3 expects BlackCat to keep targeting healthcare for the foreseeable future.

The sector is urged to take the "threat seriously and apply appropriate defensive and mitigative actions towards protecting their infrastructure from compromise."

LockBit has historically operated as a RaaS, going after entities able to pay higher ransoms and using double-extortion tactics. The latest version, LockBit 3.0, goes further with a triple-extortion model in which victims are also pressured to pay to keep their sensitive information from being exposed.

"Once on the network, the ransomware attempts to download command and control (C2) tools such as Cobalt Strike, Metasploit, and Mimikatz. Encrypted files can only be unlocked with LockBit's decryption tool," according to the alert.

While the group targets healthcare organizations worldwide, it has deliberately singled out the U.S. healthcare sector. HC3 asked organizations to review the IOCs it provided and to apply the recommended security measures to prevent further attacks.

Noberus Ransomware Has Updated Its Methods

Attackers deploying the Noberus (aka BlackCat) ransomware have recently adopted a range of new tactics, techniques, and procedures (TTPs), making the threat more serious than ever. On Thursday, Symantec detailed the TTPs that Noberus operators have been using.

Noberus is believed to be the successor to the DarkSide and BlackMatter ransomware family, according to a blog post by Symantec's Threat Hunter Team. DarkSide, the company notes, is the same ransomware used in the May 2021 attack on Colonial Pipeline.

About Coreid

Coreid runs a ransomware-as-a-service (RaaS) operation, meaning it develops the malware and licenses it to affiliates in exchange for a share of the proceeds.

Noberus attracted attention when it was discovered in November 2021 because it was the first ransomware strain written in Rust to be deployed in real-world attacks; Rust is notable as a cross-platform language. According to Coreid, Noberus can encrypt files on Windows, ESXi, Debian, ReadyNAS, and Synology systems.

According to Symantec researchers, the group's adoption of Noberus (Symantec's name for the BlackCat/ALPHV ransomware, which has been used in attacks on multiple American colleges) fits its pattern of switching to fresh ransomware strains to evade law enforcement.

The researchers say the criminal organization started out stealing money from businesses in the banking, hospitality, and retail industries using the Carbanak malware. Three of its members were arrested in 2018, before the group moved to a ransomware-as-a-service (RaaS) operation in the early 2020s.

Noberus is a destructive ransomware

Coreid has emphasized Noberus' improvements over other ransomware, such as encrypted negotiation chats that can only be viewed by the intended victim. Noberus also gives affiliates a choice of two encryption algorithms and four encryption modes, which they can select according to the speed they need and the volume of data on the target.

Noberus operators use a tool called Exmatter to exfiltrate data. According to Symantec, Exmatter is built to take particular kinds of files from particular directories and upload them to an attacker-controlled server before the ransomware is deployed. Exmatter, which is continually modified and updated, can exfiltrate files over FTP, SFTP, or WebDAV, produce a report of all the files it processed, and self-destruct if it detects that it is not running in a corporate environment.

Noberus operators also use an information-stealing malware known as Eamfo to harvest credentials from Veeam backup software, a data protection and recovery product in which many organizations store credentials for domain controllers and cloud services. Eamfo connects to the SQL database holding those credentials and extracts them with a specific SQL query.

Symantec reported that in December the gang introduced a "Plus" tier for affiliates who had extorted at least $1.5 million in attacks. The group has shown that it will cut off affiliates who do not bring in enough in ransoms, according to Symantec.

Last month Coreid added a potent data exfiltration tool covering the most common file types, including .pdf, .doc, .docx, .xls, .xlsx, .png, .jpg, .jpeg, and .txt.
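The Exmatter behaviour described above (specific file types pulled from specific directories and pushed out over FTP, SFTP or WebDAV before encryption) and the file-type list in the preceding paragraph together suggest a simple detection heuristic. The script below is an added example, not code from Symantec, Coreid or the original post. It runs over constructed transfer-log lines in a hypothetical format (timestamp, host, protocol, direction, bytes, path) and flags hosts that push an unusual number of document-type files over those transports within a short window. The log format, thresholds, and host names are all assumptions.

```python
"""Flag hosts bulk-uploading document-type files over FTP/SFTP/WebDAV.

Added example, not code from the page, Symantec or Coreid. The log format,
thresholds and sample hosts are assumptions made for illustration.
"""
import os
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# File types the page lists for Coreid's exfiltration tooling.
TARGET_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx",
               ".png", ".jpg", ".jpeg", ".txt"}
# Transports the page lists for Exmatter. WebDAV is HTTP underneath, so the
# hypothetical log below names the protocol rather than relying on the port.
TARGET_PROTOS = {"ftp", "sftp", "webdav"}

# Hypothetical log format: <ISO timestamp> <host> <proto> <out|in> <bytes> <path>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (out|in) (\d+) (.+)$")


@dataclass
class Transfer:
    ts: datetime
    host: str
    proto: str
    direction: str
    nbytes: int
    path: str


def parse_line(line):
    """Parse one log line; return None for blank or malformed lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, proto, direction, nbytes, path = m.groups()
    return Transfer(datetime.fromisoformat(ts), host, proto.lower(),
                    direction, int(nbytes), path)


def is_candidate(t):
    """Outbound, over a targeted transport, and a targeted file type."""
    ext = os.path.splitext(t.path)[1].lower()
    return t.direction == "out" and t.proto in TARGET_PROTOS and ext in TARGET_EXTS


def find_bulk_exfil(lines, window=timedelta(minutes=10),
                    min_files=5, min_bytes=5_000_000):
    """Return {host: (file_count, byte_total)} for hosts that push at least
    min_files candidate files totalling min_bytes or more inside any
    `window`. A sliding window per host keeps this cheap on large logs."""
    per_host = defaultdict(list)
    for line in lines:
        t = parse_line(line)
        if t is not None and is_candidate(t):
            per_host[t.host].append(t)

    hits = {}
    for host, xfers in per_host.items():
        xfers.sort(key=lambda x: x.ts)
        lo = 0
        for hi, cur in enumerate(xfers):
            while cur.ts - xfers[lo].ts > window:
                lo += 1
            chunk = xfers[lo:hi + 1]
            total = sum(x.nbytes for x in chunk)
            if len(chunk) >= min_files and total >= min_bytes:
                # Keep the largest qualifying window seen for this host.
                if (len(chunk), total) > hits.get(host, (0, 0)):
                    hits[host] = (len(chunk), total)
    return hits


# Constructed sample log (not real telemetry). WS-FIN-07 pushes six documents
# over SFTP in eleven seconds; WS-HR-02 sends an installer (ignored type) and
# two documents too far apart to share a window; SRV-WEB-01 uses HTTPS.
SAMPLE_LOG = r"""
2022-09-20T10:00:01 WS-FIN-07 sftp out 1200000 C:\Users\j.doe\Documents\q2_report.xlsx
2022-09-20T10:00:03 WS-FIN-07 sftp out 2400000 C:\Users\j.doe\Documents\contracts.pdf
2022-09-20T10:00:04 WS-FIN-07 sftp out 900000 C:\Users\j.doe\Documents\notes.txt
2022-09-20T10:00:06 WS-FIN-07 sftp out 3100000 C:\Users\j.doe\Desktop\scan.jpg
2022-09-20T10:00:09 WS-FIN-07 sftp out 800000 C:\Users\j.doe\Documents\payroll.docx
2022-09-20T10:00:12 WS-FIN-07 sftp out 1500000 C:\Users\j.doe\Documents\budget.xls
2022-09-20T10:02:00 WS-HR-02 ftp out 4000000 C:\Builds\installer.msi
2022-09-20T10:05:00 WS-HR-02 webdav out 600000 C:\Users\a.lee\Documents\memo.docx
2022-09-20T11:30:00 WS-HR-02 webdav out 700000 C:\Users\a.lee\Documents\plan.pdf
2022-09-20T10:07:00 SRV-WEB-01 https out 9000000 C:\inetpub\logs\site.txt
"""

if __name__ == "__main__":
    for host, (count, total) in find_bulk_exfil(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {host}: {count} document files, {total} bytes outbound")
```

On the constructed sample only WS-FIN-07 trips the rule. The heuristic is deliberately narrow: a host that stages files and uploads one archive, or that exfiltrates over HTTPS, will not match, so it belongs beside volume-based egress monitoring rather than in place of it, and the thresholds should be tuned against a baseline of the environment's normal document traffic.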

Like some other groups, Coreid has defined four categories of target that affiliates are not permitted to attack: the Commonwealth of Independent States, nations with ties to Russia, healthcare providers, and nonprofits.

According to Symantec, affiliates are also "directed to avoid assaulting the education and government sectors," but given the numerous attacks on universities around the world, enforcement of that directive appears lax.

Ransomware Hit European Pipeline & Energy Supplier Encevo Linked to BlackCat

The BlackCat ransomware gang has claimed responsibility for last week's attack on Creos Luxembourg S.A., which owns and operates electricity networks and natural gas pipelines in the Grand Duchy of Luxembourg.

Security researchers say they are still investigating the extent of the damage.

Encevo, the parent company of Creos and an energy group active in five EU countries, confirmed on July 25 that it had suffered a cyberattack over the weekend of July 22-23. The attack took the Encevo and Creos customer portals offline, but the energy services themselves were unaffected.

According to reports, the BlackCat ransomware group posted 150GB of data stolen from Encevo on its leak site, including contracts, bills, passports, and emails, and is threatening to release and sell the data within hours if the ransom is not paid.

The attack mainly affected the natural gas pipeline operator Creos and the energy supplier Enovos, but Encevo assured customers that supply would not be disrupted. The firm advised customers to reset their portal login credentials as soon as possible and to change their password on any other site where they had reused it.

"For now, the Encevo Group does not yet have all the information necessary to inform personally each potentially affected person. This is why we ask our customers not to contact us at the moment. Once again we apologize to our customers for the inconvenience and we do our best to restore full service as soon as possible. Creos and Enovos emphasize once again that the supply of electricity and gas are not affected and that the breakdown service is guaranteed," the company added.

Several security news outlets have reportedly asked Creos for technical details and for the consequences of the attack, but company representatives have not shared any further information.

BlackCat Ransomware Group Demands $5Million to Unlock Austrian State

The BlackCat ransomware group, also known as ALPHV, has attacked the Austrian federal state of Carinthia and is demanding $5 million to decrypt its computer systems. The threat actor reportedly locked thousands of workstations during Tuesday's attack, causing serious disruption to government services.

Carinthia's website and email service are temporarily down, and the government is unable to issue new passports or traffic fines. The intrusion has also hampered COVID-19 testing and contact tracing run through the region's administrative offices.

In exchange for $5 million, the attackers offered to deliver a working decryption tool. Gerd Kurath, a state spokesperson, told Euractiv that the attackers' demands would not be met.

According to the spokesperson, there is currently no evidence that BlackCat exfiltrated any data from the state's systems, and the plan is to restore the workstations from available backups. Kurath said the first of the 3,000 affected systems should be operational again soon.

At the time of writing there is no material from Carinthia on BlackCat's data leak site, where the gang posts files taken from victims who refuse to pay. This may mean the incident is too recent, or that negotiations with the victim are still ongoing.

The ALPHV/BlackCat ransomware group emerged in November 2021 as one of the more advanced ransomware operations. It is a rebranded version of the DarkSide/BlackMatter gang, which was responsible for last year's Colonial Pipeline attack.

In early 2022, BlackCat affiliates attacked high-profile companies and brands such as the fashion firm Moncler and the airline freight handling provider Swissport.

By the end of the first quarter of this year, the FBI had warned that BlackCat had breached at least 60 organizations worldwide, cementing its position as one of the most active and dangerous ransomware operations around.

The attack on Carinthia and the hefty ransom demand show that the threat actor targets organizations able to pay large sums to get their systems decrypted and avoid further losses from prolonged operational disruption.