Tag Archive for: GROUP

UnitedHealth Group Confirms ALPHV Ransomware Gang Is Behind Attack


Insurance giant UnitedHealth Group is officially blaming a notorious ransomware group for a major outage that’s been preventing healthcare providers from processing prescriptions. 

The company issued the update as its subsidiary Change Healthcare is still struggling to restore services, a week after suffering the attack, which has ensnared IT systems at hospitals and pharmacies across the country.

“Change Healthcare can confirm we are experiencing a cyber security issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat,” the company said on Thursday. 

The statement clarifies that the attack isn’t exactly from a “suspected nation-state” actor, as UnitedHealth Group initially said. Instead, ALPHV is more of a cybercriminal group, although its members are likely based in Russia. 

The company issued the confirmation a day after ALPHV took to its own site on the Dark Web and claimed responsibility for the attack on Change Healthcare. In some potentially bad news for users, the ransomware gang claims to have stolen 6TB or 6,000GB of data from United Healthcare during the attack. 

“Change Healthcare production servers process extremely sensitive data to all of UnitedHealth clients that rely on Change Healthcare technology solutions. Meaning thousands of healthcare providers, insurance providers, pharmacies, etc,” the group alleged.

As a result, the stolen data encompasses patient medical records, along with other sensitive user information, such as phone numbers, email addresses, and Social Security numbers, the gang claims. Change Healthcare also serves military hospitals, so data on US service members was apparently stolen as well.

Recommended by Our Editors

Interestingly, ALPHV appears to have taken down its original post about stealing data from UnitedHealth Group, which suggests the insurance provider may have paid the ransom.

UnitedHealth Group didn’t respond to a request for comment. In the meantime, the company’s statement notes: “Our experts are working to address the matter and we are working closely with law enforcement and…

Source…

Ransomware group Blackcat is behind cyberattack on UnitedHealth division, company says – NBC New York


  • Change Healthcare on Thursday confirmed that the ransomware group Blackcat is behind the ongoing cybersecurity attack that’s been impacting its systems since last week.
  • The attack has caused widespread disruptions to pharmacies and health systems across the U.S.
  • “We are actively working to understand the impact to members, patients and customers,” said Change Healthcare, which is owned by UnitedHealth.

Change Healthcare on Thursday confirmed that ransomware group Blackcat is behind the ongoing cybersecurity attack that’s caused widespread disruptions to pharmacies and health systems across the U.S.

“Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants,” Change Healthcare told CNBC in a statement Thursday. “We are actively working to understand the impact to members, patients and customers.”

The company said it’s working with Mandiant, which is owned by Google, and cybersecurity software vendor Palo Alto Networks.

In a since-deleted post on the dark web, Blackcat said Wednesday that it was behind the attack on Change Healthcare’s systems. The group said it managed to extract six terabytes of data, including information like medical records, insurance records and payment information.

Change’s parent company UnitedHealth Group said it discovered that a cyber threat actor breached part of the unit’s information technology network on Feb. 21, according to a filing with the SEC. UnitedHealth isolated and disconnected the impacted systems “immediately upon detection” of the threat, the filing said, but it didn’t disclose the nature of the attack or exactly when it took place.

Blackcat, also called Noberus and ALPHV, steals sensitive data from institutions and threatens to publish it unless a ransom is paid, according to a December release from the U.S. Department of Justice. Blackcat has compromised computer networks across the U.S. and the globe, amounting to hundreds of millions of dollars in losses, the release said. 

Change Healthcare offers tools for payment and revenue cycle management that help facilitate transactions like reimbursement payments. In 2022, it merged with the…

Source…

Hacker group hides malware in images to target Ukrainian organizations


A group of attackers targeting Ukraine-affiliated organizations has been delivering malicious payloads hidden within the pixels of image files. Known as steganography, it is just one of many advanced techniques the group uses to evade detection as part of a malware loader known as IDAT.

Tracked as UAC-0184 by several security firms, as well as the Computer Emergency Response Team of Ukraine (CERT-UA), the group was seen targeting Ukrainian servicemen via phishing emails masquerading as messages from Ukraine’s ​​3rd Separate Assault Brigade and the Israeli Defense Forces (IDF). While most of the recipients of these messages were located in Ukraine, security firm Morphisec has confirmed targets outside of the country as well.

“While the adversary strategically targeted Ukraine-based entities, they apparently sought to expand to additional entities affiliated with Ukraine,” researchers said in a new report. “Morphisec findings brought to the forefront a more specific target — Ukraine entities based in Finland.” Morphisec also observed the new steganography approach in delivering malicious payloads after the initial compromise.

Staged malware injection ends with Remcos trojan

The attacks detected by Morphisec delivered a malware loader known as IDAT or HijackLoader that has been used in the past to deliver a variety of trojans and malware programs including Danabot, SystemBC, and RedLine Stealer. In this case, UAC-0184 used it to deploy a commercial remote access trojan (RAT) program called Remcos.

“Distinguished by its modular architecture, IDAT employs unique features like code injection and execution modules, setting it apart from conventional loaders,” the Morphisec researchers said. “It employs sophisticated techniques such as dynamic loading of Windows API functions, HTTP connectivity tests, process blocklists, and syscalls to evade detection. The infection process of IDAT unfolds in multiple stages, each serving distinct functionalities.”

The infection happens in stages, with the first stage making a call to a remote URL to access a .js (JavaScript) file. The code in this file tells the executable where to look for an…

Source…

LockBit ransomware group back online after international police disruption


Russian-based ransomware gang, Lockbit, said it has restored its servers and is back online following an international police operation last week that took it offline.

LockBit said law enforcement breached their dark website by exploiting a PHP programming language vulnerability, commonly used for building websites and online applications.

“All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies,” said the statement posted on LockBit’s dark website, as reported by Reuters.

A spokesperson for the UK’s National Crime Agency (NCA), who led the international operation against LockBit, said the group remains ‘completely compromised’.

The NCA added the Agency recognised LockBit would likely attempt to regroup and rebuild its systems to facilitate their return online.

“However, we have gathered a huge amount of intelligence about them and those associated to them, and our work to target and disrupt them continues,” said the NCA.

The Russia-based group’s new site advertised a small number of alleged victims and leaked data. The new site showcased a gallery of company names alongside a countdown clock indicating the ransom payment deadline.

LockBit’s alleged leader, LockBitSupp, announced the ransomware group’s intensified focus on targeting government agencies following the takedown operation. Recently, reports have surfaced that LockBit has attacked Ernest Health, a network of 36 rehabilitation and critical care recovery hospitals spanning 13 US states.

“LockBit is back to attacking hospitals, Ernest Health allegedly breached,” said Dominic Alvieri on X (formerly Twitter).

Businesses Urged to Remain Vigilant

Vice President of Threat Research and Intelligence at BlackBerry Cybersecurity, Ismael Valenzuela, said the takedown of LockBit represented a positive step forward in curbing ransomware. However, the relaunch of its servers has ‘made it clear that victories are likely to be short-lived’. 

“Ultimately, LockBit’s absence will only create a vacuum for others to fill, particularly those who are already active yet largely unidentified,” said Valenzuela.

Valenzuela…

Source…