New Ransomware Actor Threatens Change Healthcare


UnitedHealth Group’s Change Healthcare is facing a second extortion demand following a February ransomware attack that sent shockwaves across the sector.

When the cyber crime group BlackCat first hit the health technology and payments processing giant, the effects left patients struggling to get care and health-care providers struggling to stay afloat financially. Change Healthcare reportedly paid off the ransomware attackers in March, but now the company must decide how to respond to claims from another ransomware group, RansomHub, which says it has 4 TB of stolen data, per The Register.

That data allegedly includes personally identifying information on patients and active military personnel, as well as medical and dental records, payments and claims information and source code files for Change Healthcare software solutions, per SC Media.


Researchers have posed several theories on how RansomHub could have gotten this data, if its claims are true.

Some suggest BlackCat may have reformed under a new name and is seeking a second payout. Others suggest that former BlackCat affiliates — stiffed by BlackCat developers on their share of the original extortion — held onto the stolen data and joined up with RansomHub, The Register reports. A conversation posted by a malware resource sharing group, if genuine, adds some weight to the latter theory, per SC Media.

Alternatively, RansomHub may have compromised Change Healthcare separately. A researcher told SC Media that it is not uncommon for incident responders to discover several distinct threat actors inside a victim’s compromised environment.

Records of blockchain transactions linked to BlackCat, as well as claims on criminal forums, suggest Change Healthcare made a $22 million payment to the ransomware gang, although the company has not confirmed this.

BlackCat operated with a ransomware-as-a-service model, in which developers create malicious code and affiliates then gain access to victim networks and deploy that ransomware. If victims pay, developers and affiliates each take cuts of the earnings.

In the case of Change Healthcare, however, BlackCat may have made off with the…

Source…

Ransomware group threatens to leak Stanford police data


Notorious ransomware gang ‘Akira’ listed Stanford University on the darknet as the target of a ransomware attack on Friday morning. Screenshots of the listing were shared on other parts of the internet, including the r/stanford subreddit and on X (formerly Twitter) by cyber risk analyst Brett Callow. 

University spokesperson Luisa Rapport confirmed “this is the same as the SUDPS cybersecurity incident” previously covered by The Daily. 

Akira claims to hold 430 gigabytes of internal data, including private information and confidential documents. They threatened to leak the information online if the University did not pay an unspecified ransom. The Stanford University Department of Public Safety processes and stores data on personnel, case reports, risk evaluations and crime involving students, faculty and other community members. It is unclear at this point how much of this data was lost or encrypted by this ransomware. 

The University wrote in a Friday statement that “there is no indication that the incident affected any other part of the university, nor did it impact police response to emergencies.” According to the statement, “the investigation is ongoing and once it is completed, we will act accordingly and be able to share more information with the community.”

The Akira listing describes Stanford as “known for its entrepreneurial character.” The group threatened that, “Soon the university will be also known for 430Gb of internal data leaked online. Private information [and] confidential documents.”

Chris Hoofnagle, law professor and director of the Center for Law & Technology at the University of California, Berkeley, wrote to The Daily that attackers interested in police entities are sometimes “a nation state or organized crime” group. 

“The first steps of identifying the scope of the breach can be quite expensive and time consuming. Almost all entities hire outside forensic firms to do the analysis,” Hoofnagle wrote.

He wrote it was “best practice” to limit information until there was information on the full scope of the breach and the network was secure. “Institutions do not want to get into a drip situation where they notify…

Source…

Ransomware attack threatens to expose McLaren Health patient data


Michigan Attorney General Dana Nessel warned this week that a cyberattack against McLaren Health Care could affect a large number of patients.

McLaren Health, a healthcare system with 15 Michigan hospitals, was hit by a ransomware attack in August, according to the attorney general’s office. Ransomware, a type of malware that can shut down an entire network, is used to steal data before encrypting the system. The stolen information is then held hostage until a ransom is paid.

“This attack shows, once again, how susceptible our information infrastructure may be,” Nessel said in a statement. “Organizations that handle our most personal data have a responsibility to implement safety measures that can withstand cyber-attacks and ensure that a patient’s private health information remains private.”

A cybercriminal group called ALPHV, or BlackCat, claimed responsibility for stealing the sensitive personal health information of 2.5 million McLaren patients, a news release said. But the actual number of affected patients and the type of health information remains unknown.

ALPHV claimed in a message posted to the dark web last week that the McLaren data was on the dark web and would be released in a few days unless a ransom payment was received. The group is also linked to the data breach at MGM Resorts that is reportedly costing $100 million.

McLaren shared a statement saying, “we are investigating reports that some of our data may be available on the dark web and will notify individuals whose information was impacted, if any, as soon as possible.”

The healthcare group also said it found no evidence the cybercriminals still have access to the IT system. McLaren has brought in security experts and is working with law enforcement, a news release said.

“Protecting the security and privacy of data in our systems is a top organizational priority, so we immediately launched a comprehensive investigation to understand the source of the disruption and identify what, if any, data exposure occurred,” McLaren said.

Nessel encouraged McLaren patients to protect their data and know the warning signs when someone is using private medical information:

  • A doctor’s bill for services you did not…

Source…

Agenda ransomware threatens to resurface


Stephen Osler, co-founder and business development director, Nclose.

The Agenda ransomware, which quickly gained notoriety for being able to trigger customised ransomware attacks at intended targets, is on the radar again. Cyber security experts warn of the threat to South African sectors, particularly healthcare and education.

Agenda was written in Go (Golang), the open source programming language developed by Google. It was first detected in late 2022 in Indonesia, Thailand, Saudi Arabia and South Africa, but seemed to have become dormant – until now.

According to market research by Trend Micro, there have been a few incidents at the beginning of 2023, serious enough for cyber security experts to issue another warning that organisations cannot afford to let their guard down.

This is mainly because of the ransomware’s sophisticated capabilities. They enable Agenda to bypass antivirus processes, change passwords, encrypt data, and gain unauthorised access to systems using new credentials. If undetected and not contained, it has the potential to bring down networks, says Trend Micro.

Stephen Osler, co-founder and business development director at cyber security specialist Nclose, says as is the case with most ransomware tools, Agenda takes advantage of poor security practices, weak passwords, and inadequate system patching.

It also has built-in tools and algorithms that encrypt files, appending a string of random characters as the file extension, and it drops a ransom note detailing threats to leak sensitive information if the ransom isn’t paid. The note also warns of additional consequences if attempts are made to decrypt the files.

“So, the severity is high, and threat is high from the start,” says Osler.

South Africa a prime target

South Africa has consistently been the primary target for ransomware and business e-mail compromise among African countries, Nclose notes.

The company refers to the latest State of Ransomware report by Sophos, which states that 78% of the South African companies surveyed reported being subjected to a ransomware attack in the past year. This represents a notable increase from the 51% reported in the…

Source…