FBI, CISA, and HHS warn against ALPHV/BlackCat ransomware targeting US healthcare sector

The advisory comes amidst growing concerns over cyber threats to critical infrastructure, urging organisations to bolster their cybersecurity defences against evolving tactics employed by ransomware operators.


The FBI, CISA, and the Department of Health and Human Services (HHS) have issued a joint advisory to healthcare organisations across the United States warning against targeted ransomware attacks orchestrated by the ALPHV/Blackcat group.

In the notice, the agencies warned of the escalating threat posed by ALPHV/BlackCat affiliates, who are particularly targeting the healthcare sector. This warning is the latest in a wave of notifications detailing the emergence of the BlackCat cybercrime gang. Others include an FBI flash alert in April 2022 and an advisory in December 2023.

Since its inception in November 2021, the BlackCat group, suspected to be a rebrand of the DarkSide and BlackMatter ransomware gangs, has been linked to over 60 data breaches and has amassed a staggering $300 million in ransoms from more than 1,000 victims as of December 2023.

Most concerning is the recent surge in ransomware attacks against healthcare organisations, with the ALPHV/BlackCat group targeting hospitals in retaliation for operational disruptions and infrastructure crackdowns by international police forces. The agencies have underscored the urgent need for critical infrastructure organisations to implement robust mitigation measures against the risk of BlackCat ransomware attacks.

Today’s advisory comes in the wake of a cyberattack on UnitedHealth Group subsidiary Optum, leading to an ongoing outage affecting Change Healthcare, a pivotal payment exchange platform in the US healthcare system. Although UnitedHealth Group has refrained from confirming the BlackCat link, forensic experts investigating the incident have identified the group’s involvement.

The attack, exploiting the critical ScreenConnect authentication bypass vulnerability (CVE-2024-1709), underscores the urgent need for heightened vigilance and proactive measures to safeguard against ransomware threats.

While the FBI has taken steps to disrupt BlackCat’s operations, including dismantling its Tor negotiation and leak sites, the group persists. The State Department has offered substantial rewards for information leading to the identification or location of BlackCat leaders, emphasising the severity of the threat posed by ransomware groups.