According to a report from Reuters, the Blackcat ransomware gang is behind a massive ransomware attack that has impacted prescription deliveries throughout the United States.
Last week, bad actors reportedly gained access to systems owned by Change Healthcare, a prescription processor that is part of a subsidiary owned by UnitedHealth Group. The company immediately reported the breach in a filing with the U.S. Securities and Exchange Commission (SEC).
“We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online,” Change Healthcare wrote in an online statement. “We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect.”
The outages were expected to continue through February 26th.
What is the Blackcat Ransomware Group?
Blackcat, also known as ALPHV or Noberus, is a ransomware-as-a-service (RaaS) gang. RaaS organizations rent malicious software to other bad actors in exchange for a portion of ransoms or stolen data.
In December 2023, the Department of Justice (DOJ) announced the disruption of several ALPHV/Blackcat ransomware variants and provided free decryption tools for some victims.
In response, Blackcat announced that it no would no longer restrict its malware from being used in attacks on key infrastructure, including healthcare providers and power plants.
Other Blackcat/ALHPV attacks have included:
- Attacks on Bandai Namco, a video game publisher.
- An attack on MGM Resorts ,which may have started with infiltration via basic social engineering.
- A hack of the social media website Reddit, during which ALPHV demanded $4.5 million and changes to the company’s controversial API pricing.
How does Blackcat ransomware spread?
The group typically uses social engineering tactics to gain access to a system, then deploys ransomware.
Bad actors may pose as staff and use phone calls, text messages, or emails to obtain legitimate credentials from a target. After gaining access to the network, the actors will use remote access software (such as AnyDesk, Splashtop, or Mega sync, but not limited to those applications).
Often, ALHPV actors will offer to provide “cyber remediation” advice to victims as part of the exchange for payment — “vulnerability reports” that explain how they were able to successfully penetrate the system.
Change Healthcare has indicated that key systems will be restored within the next several days.
Even so, the attack is a stark reminder that bad actors have few limits (if any). Ransomware groups may attack national pharmacies, public schools, non-profits, and any other targets that seem profitable.
Datarecovery.com provides an array of ransomware services to help businesses fight back against malicious software. From ransomware recovery to penetration (PEN) testing, disaster recovery deployment, and ransomware investigation, we’re dedicated to providing solutions supported by decades of experience.
To learn more, submit a case online or call 1-800-237-4200 to speak with an expert.