By Cam Sivesind
Thu | Feb 29, 2024 | 12:43 PM PST

Change Healthcare, a major provider of IT services to hospitals, continues to battle the BlackCat ransomware syndicate. According to U.S. authorities, BlackCat's administrator recently posted a note urging the group's affiliates to target hospitals specifically.

The FBI and CISA have labeled BlackCat one of the most prolific and damaging ransomware groups currently active. Under the ransomware-as-a-service model, BlackCat's core developers maintain the malware and supporting infrastructure and lease them to affiliates, who carry out the intrusions and hand over a cut of any ransom extracted from victims. This decentralized approach lets the operation cast a far wider net than a single crew could.

BlackCat has made the healthcare industry a prime target over the past year, victimizing providers, insurers, and now healthcare IT suppliers like Change Healthcare, a unit of Optum. By attacking key healthcare IT infrastructure, the ripple effects spread widely. Change Healthcare supports critical services like medical record storage along with revenue cycle and payment processing. With these systems compromised, care delivery across the U.S. has faced added friction and delays.

An April 2022 attack had far-reaching impacts, hampering operations for scores of Change Healthcare customers. BlackCat leveraged the sensitive data stolen in the breach to demand huge ransom payments.

Notably, the recent BlackCat threats are a response to a significant law enforcement action against the group. In December 2023, the FBI disclosed that it had infiltrated the BlackCat ransomware group, also known as ALPHV. The operation disrupted the group's activities and yielded a decryption tool that the FBI offered to more than 500 victims, allowing them to restore their systems without paying.

In a LinkedIn comment regarding a blog post about BlackCat's retaliatory move on HealthcareInfoSecurity, Krista Arndt, CISO at United Musculoskeletal Partners, said: "Retaliation is so much fun. (Insert sarcasm here). But the health sector community is strong and we stand together. This too shall pass, but not without some good war stories and battle scars."

In a follow-up email exchange with SecureWorld News, Arndt added: "It's important to stay as positive as possible in the face of what often feels like an unwinnable war. The obstacles we weather as a community help us learn, grow, and continue to refine our individual and collective security strategies. Through it all, we never lose sight of our mission, our patients, and their well-being." 

BlackCat had established itself as a formidable player in the ransomware landscape. Infamous for deploying sophisticated encryption techniques, the group targeted a wide range of organizations, encrypting their data and demanding hefty ransoms for its release. Victims spanned industries, from healthcare to finance, causing substantial disruption and financial losses.

[RELATED: Ransomware's Impact on the Healthcare Field and Patient Trust]

The FBI's infiltration reached into the inner workings of the BlackCat operation. According to court documents, a confidential source working with the FBI was vetted by the group and granted access as an affiliate. From that position, investigators were able to monitor the group's activities and gain insight into its infrastructure, tactics, and communication channels.

The most significant outcome of the operation was the decryption capability it produced: the FBI developed a decryption tool and offered it to more than 500 BlackCat victims, enabling them to recover encrypted systems without paying. Beyond averting further extortion payments, the intervention spared many of those organizations the operational disruption and reputational damage that a prolonged outage would have caused.

The FBI also seized BlackCat's data leak site, the platform where the group published stolen data from victims who refused to pay. The seizure disrupted the group's extortion workflow, although BlackCat regained control of the site within hours and later moved to new infrastructure, so the disruption was temporary rather than a lasting takedown.

Furthermore, the FBI took control of the group's Tox instant messaging account, a platform used for communication between the cybercriminals and their victims. The measure not only disrupted their operational capabilities but also provided law enforcement with valuable intelligence for future investigations.

In response to the retaliatory attack, the FBI and CISA have been helping Change Healthcare assess the scope of the breach and coordinate incident response. But information remains limited on what data was actually stolen or encrypted. Without that insight, downstream healthcare entities that depend on Change Healthcare's vendor portal cannot accurately gauge their own exposure.

Shawn Tuma, Partner at Spencer Fane LLP and frequent SecureWorld speaker and instructor, had this to say about the continual battles cybersecurity professionals have with threat actors:

"When speaking of cybersecurity, I often say it is more like warfare than anything else because you do not have a problem that can be fixed but an active adversary on the other side that continually evolves its tactics to find new ways to attack and extort its intended victims. A few years ago, we saw the ransomware threat actors move away from just encrypting their victims' networks toward also stealing sensitive data that they would then use to extort ransom payments by threatening to publicly shame their victims.

Now, we are seeing them escalate this type of extortion pressure tactic by showing they will retaliate against law enforcement efforts to stop them by naming an entire industry as sensitive as healthcare as their intended targets. This will undoubtedly put even more pressure on the healthcare industry as just this week the United States Department of Health and Human Services' Office of Civil Rights announced its second enforcement action settlement against a healthcare organization following a ransomware attack, further adding to the overall harm and risks that healthcare organizations face—from our own government—when they have been the victims of such an attack."

[RELATED: U.S. HHS Rolls Out Healthcare Cybersecurity Strategy]

Violet Sullivan, CIPP/US, CIPM, Adjunct Professor of Cybersecurity & Privacy Law, Baylor Law School, added her perspective:

"Responding to cyber threats like the BlackCat attack on Change Healthcare is a team sport, necessitating a collaborative approach where law enforcement, insurance companies, privacy lawyers, and technology professionals unite to fortify defenses and tackle these sophisticated challenges together.

This incident underscores the double-edged nature of healthcare digitalization: while it advances patient care, it also amplifies the need for advanced understanding and protection against emerging technical cyber threats."

The latest attack continues a recent trend of ransomware groups wreaking havoc on U.S. healthcare networks, and it illustrates why the sector's cyber defenses urgently need investment and upgrading. Healthcare is attractive to cybercriminals because it holds valuable data, suffers from staffing shortages, and is under pressure to restore access quickly, which makes victims more likely to pay. Until those underlying weaknesses are addressed, hospitals and their partners will keep finding themselves at the mercy of ransomware syndicates like BlackCat.

We asked some cybersecurity experts from solution vendors for their thoughts.

Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit, said:

"ALPHV/BlackCat is one of the most prevalent ransomware threats globally, and the most successful with payouts, according to recent trends. ALPHV has successfully targeted health care, critical infrastructure, and others, with extortion tactics to maximize ransomware payouts using multiple forms of extortion. This actor group continues to innovate both technology and tactics to maintain stealth for survival, optimize monetization, and expand global operations for maximum criminal profit."

Callie Guenther, Sr. Manager, Cyber Threat Research at Critical Start, said:

"The ransomware attack on Change Healthcare by the BlackCat syndicate exemplifies the adaptability and resilience of cybercriminal groups in response to law enforcement actions and shifts in the cybersecurity landscape. This incident highlights the sophisticated tactics employed by groups like BlackCat, who often respond to pressures from successful law enforcement interventions, such as the FBI's infiltration, by going underground, rebranding, or shifting their focus to new sectors. Specifically, the targeting of Change Healthcare, a crucial component of the healthcare IT infrastructure, underscores the strategic focus of these groups on vulnerable sectors to maximize disruption and ransom potential.

The situation with Change Healthcare emphasizes the need for continuous enhancement of cybersecurity defenses, particularly in critical sectors like healthcare, which are increasingly targeted by cybercriminals. It also underscores the importance of a collaborative approach to cybersecurity, involving law enforcement, cybersecurity experts, and industry stakeholders. By working together, sharing intelligence, and implementing robust security measures, there's a stronger chance to protect critical infrastructure and sensitive data against the complex and evolving threats posed by cybercriminal syndicates. This incident serves as a stark reminder of the challenges in the cybersecurity realm and the need for vigilance and cooperation to counteract these threats effectively."

Darren Guccione, CEO and Co-Founder at Keeper Security, said:

"Escalating cyber threats have become a major source of concern for CISOs and IT professionals across industries, and the healthcare sector, in particular, is facing even greater risk due to the critical nature of its infrastructure. Recent targeted attacks by the notorious BlackCat ransomware syndicate on healthcare organizations have elevated the urgency of addressing cybersecurity in the sector, prompting the US government to label BlackCat as one of the most prolific and damaging ransomware groups currently active. Although BlackCat’s public call for members to target hospitals is extremely dangerous, BlackCat is a criminal enterprise and this callous act should not come as a surprise.

The pervasive rise of threats to the healthcare industry not only demands heightened vigilance, but compels healthcare organizations to prioritize and invest in their IT defenses to safeguard the sensitive information they hold. Regulatory compliance is a critical aspect to the healthcare industry, with regulations like HIPAA, OSHA, FWA and others, designed to help protect patient privacy and worker safety. Data security is a pivotal component of regulatory compliance in healthcare, especially with the widespread use of digital health records. Data regulations can carry a variety of mandates that must be taken seriously, including ensuring that protected health information remains confidential through proper encryption measures, implementing access controls and conducting training for all staff members."