AvosLocker Claims Responsibility For Christus Health Ransomware Attack

May 18, 2022 - Dallas, Texas-based Christus Health faced a ransomware attack later claimed by the AvosLocker ransomware group, The Dallas Morning News reported. Christus Health told the local news outlet that it had successfully identified and blocked the unauthorized activity but has not yet confirmed the specifics of the event.

Christus Health is a non-profit, faith-based health system with facilities in 60 cities across the US, Mexico, Chile, and Colombia.

AvosLocker claimed responsibility for the attack on its dark web leak site, CyberScoop reported. AvosLocker also claimed responsibility for a March cyberattack against McKenzie Health System. The Michigan health system recently began notifying 25,318 individuals of the incident, in which an unauthorized party accessed the health system’s internal systems and removed some files.

“Christus Health recently learned of unauthorized activity on its computer network,” Katy Kiser, Christus Health’s director of external communications and social media, explained in a statement.

“This was quickly identified and blocked by Christus Information Security. At this time, it appears that the incident is limited and didn’t impact any of Christus Health’s patient care or clinical operations. We are working with industry experts to investigate and address the issue. Christus values and is committed to the privacy and security of all those we are privileged to serve.”

The Federal Bureau of Investigation (FBI) and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) released a joint cybersecurity advisory in late March alerting critical infrastructure to the growing presence AvosLocker.

“AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including, but not limited to, the Financial Services, Critical Manufacturing, and Government Facilities sectors,” the advisory began.

“AvosLocker claims to directly handle ransom negotiations, as well as the publishing and hosting of exfiltrated victim data after their affiliates infect targets. As a result, AvosLocker indicators of compromise (IOCs) vary between indicators specific to AvosLocker malware and indicators specific to the individual affiliate responsible for the intrusion.”

AvosLocker has been known to public victim data on its public leak site if victims refuse to negotiate or pay the ransom. The FBI has also observed the group calling its victims on the phone to negotiate. They have also threatened to execute distributed denial-of-service (DDoS) attacks during these phone calls.

The joint advisory encouraged organizations to implement a recovery plan and maintain multiple copies of sensitive data. Healthcare organizations should also enforce strong password hygiene, use multifactor authentication, and require administrator credentials to install software.

This story will be updated as more information becomes available.