HHS Warns Healthcare Sector of LockBit 3.0, BlackCat Ransomware

December 14, 2022 - The HHS Health Sector Cybersecurity Coordination Center (HC3) issued two new analyst notes detailing the tactics and indicators of compromise for LockBit 3.0 and BlackCat. The LockBit ransomware family and the BlackCat ransomware variant have been observed targeting the healthcare sector.

Healthcare organizations should remain vigilant and apply recommended mitigations to reduce risk.

LockBit 3.0

LockBit 3.0 is the latest iteration of LockBit ransomware family, which has been targeting organizations since at least September 2019. HC3 and the Federal Bureau of Investigation (FBI) have released multiple alerts and analyst notes regarding LockBit.

Recently, the Department of Justice (DOJ) announced that it charged a dual Russian and Canadian national for his alleged involvement in the global LockBit ransomware campaign.

LockBit 3.0, also known as LockBit Black, was first observed in June 2022 using a new triple extortion model rather than its typical double extortion tactic, the analyst note explained. The threat actor often requests payment to decrypt data, threatens to release sensitive data, and asks the victim to purchase their sensitive information back from the threat actor. LockBit operates with a Ransomware-as-a-Service (RaaS) model.

“HC3 is aware of LockBit 3.0 attacks against the Healthcare and Public Healthcare (HPH) sector,” HC3 noted. “Due to the historical nature of ransomware victimizing the healthcare community, LockBit 3.0 should be considered a threat to the HPH sector.”

LockBit 3.0 has proven to be a challenge for security researchers and analysts, largely due to the fact that the malware sometimes requires a unique 32-character password every time it is launched, “giving it anti-analysis features,” HC3 explained.

“On previous compromises in the HPH sector, the threat actor has occasionally shared proof via screenshots that the network has been compromised and will threaten to publish the stolen data after a set timeline,” the analyst note continued.

HC3 included links to security research with detailed indicators of compromise and urged the healthcare sector to defend against other common attack vectors, such as phishing or remote desktop protocol (RDP) compromises.

BlackCat

BlackCat, also known as ALPHV or Noberus, is a highly sophisticated ransomware variant that has been active since November 2021 and operates under a RaaS model. Researchers believe that BlackCat is a successor to the notorious REvil, BlackMatter, and Darkside ransomware operators.

“It is exceptionally capable and is believed to be operated by individuals with significant experience as cyber criminals, who have extensive relationships with other significant players throughout the cybercriminal ecosystem,” the analyst note continued.

“BlackCat is known to have targeted the healthcare and public health (HPH) sector and is expected to continue. The HPH should take this threat seriously and apply appropriate defensive and mitigative actions towards protecting their infrastructure from compromise.”

BlackCat is highly customizable and is constantly being upgraded, making it a serious and dynamic threat to potential victims. HC3 described the variant as “one of the more adaptable ransomware operations in the world.”

“Like all ransomware-as-a-service (RaaS) operations, the BlackCat operators recruit affiliates to perform corporate breaches and encrypt devices, while retaining code maintenance and development responsibilities for themselves,” researchers noted.

BlackCat may be configured to use full file, DotPattern, Fast, or SmartPattern encryption. BlackCat can also be configured with domain credentials in order to distribute ransomware.

The FBI and HC3 recommended that organizations safeguard against common attack vectors and implement mitigations such as multifactor authentication and network segmentation. Organizations should also disable unused remote access, audit user accounts with administrative privileges, and review antivirus logs.