HHS’ cybersecurity wing publishes notices on three ransomware threats.
The health care sector remains a target for ransomware cyberattacks, with three new hacking groups emerging this year.
The U.S. Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination Center (HC3) has published an alert and two analyst notes naming three attackers that infiltrate organizations’ computer networks and hold data for ransom.
Royal is a human-operated ransomware program first observed in September this year and increasingly seen since, according to HC3. Ransom demands have ranged from $250,000 to more than $2 million, and “Royal should be considered a threat” to the health care and public health (HPH) sector.
“Royal is an operation that appears to consist of experienced actors from other groups, as there have been observed elements from previous ransomware operations.” It appears to be a private, financially motivated group, the HC3 analyst note of Dec. 7 said.
The group has embedded malicious links in malvertising, phishing emails, fake forums, blog comments and Google ads, and has distributed malicious installer files on software sites that look legitimate.
Cuba ransomware is not known to be connected with the Republic of Cuba. But it is a threat to the HPH sector, infecting at least 65 organizations in critical infrastructures in the last year, according to HC3. The agency noted the FBI and federal Cybersecurity & Infrastructure Security Agency (CISA) have released a joint alert stating Cuba compromised more than 100 entities worldwide, demanding more than $145 million and receiving more than $60 million in ransom payments.
Cuba “has continued to compromise their victims through a variety of software vulnerabilities, phishing, stolen credentials, and legitimate remote desktop protocols,” the HC3 alert said. “The group also threatens to publicly release the exfiltrated data if a payment is not made.
“Due to the historical nature of their targeting and the frequency with which ransomware gangs victimize the greater healthcare community, organizations should maintain awareness of the threat group’s activity,” the alert said.
Lorenz is human-operated ransomware that has been operating for about two years in “big game hunting,” or targeting larger organizations in English-speaking countries. Ransom demands can total in the hundreds of thousands of dollars.
Relatively little is known about Lorenz, which operates a data leak site, but “their leaking process is non-typical,” the HC3 analyst note said. If victims don’t pay, Lorenz may sell stolen data to other threat actors or competitors, then release password-protected data, then make full archives available for anyone.
HC3 has recommended the following actions to help protect organization cybersecurity:
HC3 has additional details about the hackers’ methods and signs of compromise. That agency and CISA offer online resources about the latest threats and ways to enhance computer network security for HPH and other organizations.