FBI Warns US Healthcare Sector of Targeted BlackCat Ransomware Attack

February 28, 2024 | Newsroom | Ransomware / Healthcare


The US government has warned about a resurgence of BlackCat (aka ALPHV) ransomware attacks targeting the healthcare sector as recently as this month.

“Since mid-December 2023, of the nearly 70 leaked victims, the health care sector is the most common victim,” the government said in an updated advisory.

“This is likely in response to the ALPHV/BlackCat manager’s post urging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”

The advisory comes from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS).

The BlackCat ransomware operation suffered a major blow late last year after a coordinated law enforcement operation led to the seizure of its dark web leak sites. But the takedown turned out to be a failure after the group was able to regain control of the sites and moved to a new TOR data leak portal that remains active to this day.

It has also gone after critical infrastructure organizations in recent weeks, claiming responsibility for attacks on Prudential Financial, LoanDepot, Trans-Northern Pipelines, and UnitedHealth Group subsidiary Optum.

The development prompted the US government to announce financial rewards of up to $15 million for information leading to the identification of key members as well as associates of the e-crime group.


BlackCat’s ransomware spree coincides with LockBit’s return following similar disruption efforts led by the UK’s National Crime Agency (NCA) last week.

According to a report from SC Magazine, threat actors breached Optum’s network by exploiting recently disclosed critical security flaws in ConnectWise’s ScreenConnect remote desktop and access software.

The bugs, which allow for remote code execution on vulnerable systems, have also been weaponized by the Black Basta and Bl00dy ransomware gangs as well as other threat actors to deliver Cobalt Strike Beacons, XWorm, and even other remote management tools such as Atera, Syncro, and another ScreenConnect client.

Attack surface management firm Censys said it has observed more than 3,400 exposed, potentially vulnerable ScreenConnect hosts online, most of which are located in the US, Canada, the UK, Australia, Germany, France, India, the Netherlands, Turkey, and Ireland.


“It’s clear that remote access software like ScreenConnect continues to be a prime target for threat actors,” Censys security researcher Himaja Motheram said.

The findings come as ransomware groups such as RansomHouse, Rhysida, and a variant of Phobos called Backmydata continue to compromise various organizations in the US, UK, Europe, and the Middle East.

In a sign that these cybercrime groups are moving to more nuanced and sophisticated tactics, RansomHouse has developed a custom tool called MrAgent to deploy file-encrypting malware at scale.


“MrAgent is a binary designed to be used on (VMware ESXi) hypervisors, with the sole purpose of automating and tracking ransomware deployment in multiple environments with multiple hypervisor systems,” Trellix said. Details of MrAgent first came to light in September 2023.

Another key tactic adopted by some ransomware groups is to sell direct access to victim networks as a new method of monetization through their own blogs, Telegram channels, or data leak websites, KELA said.

It also follows the public release of a Linux-specific, C-based ransomware threat known as Kryptina, which emerged in December 2023 on underground forums and has since been released for free on BreachForums by its creator.


“The release of the RaaS source code, complete with extensive documentation, could have significant implications for the spread and impact of ransomware attacks against Linux systems,” SentinelOne researcher Jim Walter said.

“It is likely to increase the attractiveness and usefulness of the ransomware creator, bringing more low-skilled participants into the cybercrime ecosystem.”
