Data Hack Harkens Back to Bank Robberies

Data Hack Harkens Back to Bank Robberies

The recent data breach at Change Healthcare calls to mind the famous bank robber Willie Sutton, a.k.a. “Willie The Actor,” known for disguising himself a messenger, window cleaner, or bank guard.

In a document received at RACmonitor titled #StopRansomeware: ALPHV Blackcat, penned by what is being called a joint Cybersecurity Advisory (CSA), the authors describe in military terms how Blackcat actors pose as company IT or helpdesk staff, using phone calls or text messages to obtain credentials from employees in order to gain access to the intended network.

According to the document, the ALPHV Blackcat affiliates also are known to use other software to “live-chat” with victims to “convey demands and initiate processes to restore the victims’ encrypted files.”

The Feb. 21 data breach at Change Healthcare – now owned by UnitedHealth Group – was reported to have raised havoc among doctors, pharmacies, and hospitals, as well as patients.

Among other actions taken by the U.S. Department of Health and Human Services (HHS) was the temporary waiving of prior authorizations, and allowing Medicare contractors to accept paper bills from hospitals and physicians.

According to media reports, Change Healthcare – acting as a clearinghouse that connects physicians, pharmacies, and hospitals to insurers for the payment of medical services – is purported to process 15 billion healthcare transactions annually.  

According to the CSA, ALPHV Blackcat affiliates “have extensive networks and experience with ransomware and other data extortion operations.”

News reports also confirm that UnitedHealth Group said the ransomware attack was, in fact, attributed to ALPHV Blackcat.

After gaining access to the victim’s network, the bad actors deploy access software in preparation of data exfiltration. They are also known to create user accounts for domain access.

According to the CSA, the bad actors are known to also use legitimate remote access and tunneling tools, such as Plink and Ngrok. The CSA also notes that ALPHV Blackcat affiliates claim to use Brute Ratel C4 (S1063) and Cobalt Strike as beacons to control servers.

Then, during the attack, according to the CSA, ALPHV Blackcat affiliates use the open-source adversary-in-the-middle attack framework Evilginx2, which allows them to obtain multifactor authentication (MFA) credentials, login credentials, and session cookies. The actors also obtain passwords from the domain controller, local network, and deleted backup servers to march

laterally throughout the network.

According to CSA, to evade detection, they employ listed applications such as Metasploit. Once installed on the domain controller, the logs are cleared on the exchange server. Then Mega.nz or Dropbox are used to move, exfiltrate, and/or download victim data. The ransomware is then deployed, and the ransom note is embedded as a file.txt. According to public reporting, affiliates have additionally used POORTRY and STONESTOP to terminate security processes.

Some ALPHV Blackcat affiliates exfiltrate data after gaining access and extort victims without deploying ransomware. After exfiltrating and/or encrypting data, ALPHV Blackcat affiliates are known to communicate with victims via TOR, Tox, email, or encrypted applications. The threat actors then delete victim data from the victim’s system.

It’s been reported that ALPHV Blackcat affiliates offer to provide unsolicited cyber remediation advice as an incentive for payment, offering to provide victims with “vulnerability reports” and “security recommendations,” detailing how they penetrated the system and how to prevent future re-victimization upon receipt of ransom payment. The ALPHV Blackcat encryptor results in a file with the following naming convention: RECOVER-(seven-digit extension) FILES.txt.

According to most media accounts, last year approximately one in three Americans were impacted by healthcare data breaches.

And why healthcare?

To quote the notoriously infamous Willie Sutton, when asked why he robbed banks, he is said to have replied, “Because that’s where the money is.”

Print Friendly, PDF & Email
Facebook
Twitter
LinkedIn

Chuck Buck

Chuck Buck is the publisher of RACmonitor and is the program host and executive producer of Monitor Monday.

Related Stories

Remain Compliant – and Take the Money

Remain Compliant – and Take the Money

Our first topic today is local coverage determinations (LCDs) and variation. I have written in the past about national and local coverage determinations, and I

Read More

Leave a Reply

Please log in to your account to comment on this article.

Featured Webcasts

Leveraging the CERT: A New Coding and Billing Risk Assessment Plan

Leveraging the CERT: A New Coding and Billing Risk Assessment Plan

Frank Cohen shows you how to leverage the Comprehensive Error Rate Testing Program (CERT) to create your own internal coding and billing risk assessment plan, including granular identification of risk areas and prioritizing audit tasks and functions resulting in decreased claim submission errors, reduced risk of audit-related damages, and a smoother, more efficient reimbursement process from Medicare.

April 9, 2024
2024 Observation Services Billing: How to Get It Right

2024 Observation Services Billing: How to Get It Right

Dr. Ronald Hirsch presents an essential “A to Z” review of Observation, including proper use for Medicare, Medicare Advantage, and commercial payers. He addresses the correct use of Observation in medical patients and surgical patients, and how to deal with the billing of unnecessary Observation services, professional fee billing, and more.

March 21, 2024
Top-10 Compliance Risk Areas for Hospitals & Physicians in 2024: Get Ahead of Federal Audit Targets

Top-10 Compliance Risk Areas for Hospitals & Physicians in 2024: Get Ahead of Federal Audit Targets

Explore the top-10 federal audit targets for 2024 in our webcast, “Top-10 Compliance Risk Areas for Hospitals & Physicians in 2024: Get Ahead of Federal Audit Targets,” featuring Certified Compliance Officer Michael G. Calahan, PA, MBA. Gain insights and best practices to proactively address risks, enhance compliance, and ensure financial well-being for your healthcare facility or practice. Join us for a comprehensive guide to successfully navigating the federal audit landscape.

February 22, 2024
Mastering Healthcare Refunds: Navigating Compliance with Confidence

Mastering Healthcare Refunds: Navigating Compliance with Confidence

Join healthcare attorney David Glaser, as he debunks refund myths, clarifies compliance essentials, and empowers healthcare professionals to safeguard facility finances. Uncover the secrets behind when to refund and why it matters. Don’t miss this crucial insight into strategic refund management.

February 29, 2024
2024 SDoH Update: Navigating Coding and Screening Assessment

2024 SDoH Update: Navigating Coding and Screening Assessment

Happy World Health Day! Our exclusive webcast is just $99 for a limited time! Use code WorldHealth24 at checkout before April 12th to claim this discount.

Dive deep into the world of Social Determinants of Health (SDoH) coding with our comprehensive webcast. Explore the latest OPPS codes for 2024, understand SDoH assessments, and discover effective strategies for integrating coding seamlessly into healthcare practices. Gain invaluable insights and practical knowledge to navigate the complexities of SDoH coding confidently. Join us to unlock the potential of coding in promoting holistic patient care.

May 22, 2024
2024 ICD-10-CM/PCS Coding Clinic Update Webcast Series

2024 ICD-10-CM/PCS Coding Clinic Update Webcast Series

HIM coding expert, Kay Piper, RHIA, CDIP, CCS, reviews the guidance and updates coders and CDIs on important information in each of the AHA’s 2024 ICD-10-CM/PCS Quarterly Coding Clinics in easy-to-access on-demand webcasts, available shortly after each official publication.

April 15, 2024

Trending News

Happy National Doctor’s Day! Learn how to get a complimentary webcast on ‘Decoding Social Admissions’ as a token of our heartfelt appreciation! Click here to learn more →

Happy World Health Day! Our exclusive webcast, ‘2024 SDoH Update: Navigating Coding and Screening Assessment,’  is just $99 for a limited time! Use code WorldHealth24 at checkout.

SPRING INTO SAVINGS! Get 21% OFF during our exclusive two-day sale starting 3/21/2024. Use SPRING24 at checkout to claim this offer. Click here to learn more →