The Health Sector Cybersecurity Coordination Center released a threat briefing about LockBit, a ransomware group that has recently debuted a new variant.
The group was behind the widely publicized attack on Accenture this summer, in which the company reportedly faced a $50 million ransom demand.
“Threat actors continue to view unpatched systems as an easy, if not preferred, method of intrusion,” wrote officials from the cybersecurity arm of the U.S. Department of Health and Human Services in its brief.
WHY IT MATTERS
As outlined by HC3, LockBit launched in September 2019, before beginning to advertise its “ransomware as a service” affiliate program in January 2020.
It began working with Maze, another ransomware gang, in May 2020 and created its own leak site in September of that year. Then, in June of this year, LockBit v2.0 emerged.
Now, said HC3, it uses a double extortion technique via StealBit malware. The new version also includes faster encryption and bypasses user account control mechanisms.
It also restarted its affiliate program, in which affiliates set the ransom, choose the method of payment and collect the lion’s share of the ransom before paying the gang.
The program doesn’t work in Commonwealth of Independent States countries: Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan or Uzbekistan.
The agency observed, based on an interview with a LockBit ransomware operator, that the bad actors appeared to have a “contradictory code of ethics.”
Hospitals are considered easy targets, said HC3, but the LockBit affiliate portrayed “a strong disdain for those who attack healthcare entities, while displaying conflicting evidence about whether he targets them himself.”
“The U.S. also has lucrative targets, but with data privacy laws requiring victim companies to report all breaches, the incentive for such entities to pay the ransom is likely somewhat reduced,” said HC3.
The agency also noted that many cybercriminals rely on open-source tools readily available online.
“Cybercriminals are avid consumers of security news and remain up to date on the latest research and vulnerabilities, weaponizing that information to use in future attacks,” it wrote.
THE LARGER TREND
But alerts like this one haven’t stemmed the tide of ransomware news. Just this past month Hive attacked a Missouri health center and posted patient names, Social Security numbers and medical information on its blog.
ON THE RECORD
“While threat actors may state publicly that their personal ethics influence their target selection, many adversaries go after the easiest victims regardless of any moral obligation, based on our experience,” said HC3.