FBI Warns BlackCat/ALPHV Targeting Healthcare Following Takedown Attempt


February 28, 2024

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) issued an alert warning of a resurgence of BlackCat/ALPHV attacks targeting the healthcare sector.

"Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized," the alert states.

"This is likely in response to the ALPHV/BlackCat administrator's post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023."

In December, reports indicated that a law enforcement takedown operation was behind BlackCat/ALPHV’s leaks website outage.

The U.S. government also announced a bounty of as much as $15 million for information leading to the BlackCat/ALPHV operators and affiliates, but these attempts to shutter the gang’s operations were lackluster at best.

“The takedown turned out to be a failure after the group managed to regain control of the sites and switched to a new TOR data leak portal that continues to remain active to date,” The Hacker News reports.

“It has also ramped up against critical infrastructure organizations in recent weeks, having claimed responsibility for attacks on Prudential Financial, LoanDepot, Trans-Northern Pipelines, and UnitedHealth Group subsidiary Optum.”

Takeaway: Ransomware attacks against U.S. healthcare providers cost nearly $80 billion over the past seven years, with 539 reported attacks impacting 10,000 hospitals and clinics with over 52 million records compromised.

While the financial losses are staggering, it’s the impact on patient care that is even more concerning.

In a recent study, 68% of healthcare providers surveyed said ransomware attacks resulted in a disruption to patient care, 43% said data exfiltration during the attack also negatively impacted patient care, 46% noted increased mortality rates, and 38% noted more complications in medical procedures following a ransomware attack.

Another recent study concluded that between 2016 and 2021, ransomware attacks contributed to between 42 and 67 patient deaths, with an alarming 33% increase in the death rates of hospitalized Medicare patients.

Factors contributing to negative patient outcomes following ransomware attacks on healthcare providers include temporary suspension of emergency services, cancelled medical procedures, downed billing systems, and the need to divert ambulances to other facilities for care.

And it’s not just medical care that is being impacted, but privacy as well. It is estimated that the personal health information (PHI) of over 70 million patients was compromised in 2023 alone.

Ransomware operators leverage this exfiltrated patient data in double extortion schemes targeting patients with $50 ransom demands to avoid having personal health information (PHI) exposed.

In 2023, the BlackCat/ALPHV ransomware gang attempted to extort a Pennsylvania healthcare provider by publishing private, compromising clinical photographs of breast cancer patients.

Some patients who have had their medical data exposed in ransomware attacks have even been threatened with swatting, a tactic where a false report to law enforcement often elicits an armed response.

While there have been some scattered arrests of affiliates and other low-level threat actors in the ransomware space, overall law enforcement has had little impact in disrupting ransomware operations.

Ransomware operators continue to victimize healthcare providers because the sector typically lacks the appropriate budgets and staff to maintain a reasonable security posture.

Attackers also know that an attack that disrupts patient care creates a sense of urgency that attacks on other sectors may not produce. The ransomware operators know that the more pain and potential jeopardy they can inflict in an attack, the higher the potential payout.

We know rogue nations tacitly or directly support and/or control these ransomware operators to an extent, and these attacks are starting to look more and more like state-sponsored terrorism.

Maybe it’s time we start addressing them as a national security issue instead of a crime problem. Doing so would open a wide array of options for the government to more effectively respond to these attacks.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.