HHS’ Cybersecurity Division publishes advisories on three ransomware threats.
The healthcare sector remains a target for ransomware cyberattacks, with three new hacker groups emerging this year.
The US Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) has issued an alert and two analyst notes on three attackers who are infiltrating organizations’ computer networks and holding data hostage for payment.
Royal is a human-operated ransomware that was first observed in September of this year and is becoming more common, according to HC3. Ransom demands have ranged from $250,000 to over $2 million, and “Royal should be considered a threat” to the healthcare and public health (HPH) sector.
“Royal is an operation that appears to consist of experienced actors from other groups, as elements have been observed from previous ransomware operations,” HC3 said in December.
The group embeds malicious links in malvertising, phishing emails, fake forums, blog comments and Google ads, and plants malicious installer files on legitimate-looking software websites.
Cuba ransomware is not known to be associated with the Republic of Cuba, but HC3 says it is a threat to the HPH sector, having infected at least 65 critical infrastructure organizations in the last year. The agency noted that the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert stating that Cuba has compromised more than 100 companies worldwide, demanded more than $145 million and received more than $60 million in ransom payments.
Cuba “continues to compromise its victims through a variety of software vulnerabilities, phishing, stolen credentials and legitimate remote desktop protocols,” the HC3 alert said. “The group is also threatening to publicly release the exfiltrated data if no payment is made.”
“Due to the historical nature of their focus and the frequency with which ransomware gangs victimize the larger healthcare community, organizations should maintain awareness of the threat group’s activities,” the alert reads.
Lorenz is a human-operated ransomware that has been engaged in “big game hunting,” targeting larger English-speaking organizations, for about two years. Ransom demands can amount to hundreds of thousands of dollars.
Relatively little is known about Lorenz, which runs a data leak site, but “its leaking process is atypical,” according to the HC3 analyst note. If victims don’t pay, Lorenz may first sell the stolen data to other threat actors or competitors, then release password-protected archives, and finally make the complete archives available to anyone.
HC3 has recommended the following measures to protect organizations’ cybersecurity:
- Protect every account with complex, unique passwords. Use a passphrase and/or a complex combination of letters, numbers, and symbols.
- In general, avoid opening unsolicited email from senders you do not know.
- Don’t open a link or attachment in an email unless you’re sure it’s from a legitimate source.
- Do not download or install programs unless you fully trust the publisher.
- Do not visit unsafe websites or click on pop-up windows that promise free programs that perform useful tasks.
HC3 has published additional details on the attackers’ methods and indicators of compromise. HC3 and CISA provide online resources for HPH and other organizations on the latest threats and ways to improve computer network security.