Ignoring the Change Healthcare Attack Invites a Cycle of Disaster
Published 05/21/2024
Originally published by CXO REvolutionaries.
Written by Tamer Baker, CTO in Residence, Zscaler.
You may recall, in February, Change Healthcare announced that threat actors affiliated with BlackCat/ALPHV had breached their organization. The adversaries executed a ransomware attack affecting critical operations in its care authorization and billing portals. Change has not released details on how the threat actors compromised their organization. However, it is not unusual for attackers to breach medical organizations through phishing emails or VPN vulnerabilities. Third-party vendors and supply chain attacks may also offer adversaries easy opportunities to infiltrate healthcare facilities.
To make matters worse, security analysts believe Change Healthcare tried to resolve the problem by paying the attackers $22 million in ransom. This alleged payment, which should have resolved the issue, instead brought more chaos. Let’s examine why.
When dealing with pirates…
“The truth is that with a gentleman I am always a gentleman and a half, and when I have to do with a pirate, I try to be a pirate and a half.”
— Otto von Bismarck
BlackCat/ALPHV is a threat group that (among other things) offers Ransomware-as-a-Service (RaaS). They provide affiliate groups the tools, infrastructure, and support required to perform a cyberattack in return for claiming a percentage of paid ransoms. This distinction is important because it means the people who breached Change Healthcare were using BlackCat/ALPHV services, not core members of the threat group.
On December 19th, 2023, the FBI announced they had disrupted BlackCat/ALPHV ransomware services. To add insult to injury, the FBI replaced the group’s website with a splash page announcing the takedown. Unfortunately, this proved to be a short-lived victory for the federal agency. BlackCat/ALPHV quickly regained control of their infrastructure and declared their intention to retaliate with a vengeance.
Specifically, they announced “Because of their [FBI] actions, we are introducing new rules, or rather, we are removing ALL rules except one, you cannot touch the CIS [Russia/Commonwealth of Independent States]. You can now block hospitals, nuclear power plants, anything, anywhere.” They also said affiliates could keep 90% of ransomware profits going forward.
BlackCat/ALPHV lifting their self-imposed restriction on attacking hospitals and maximizing affiliate rewards made a major attack against the healthcare sector almost inevitable. By February an affiliate threat group breached Change Healthcare and scored a major victory. Bitcoin blockchain analysis indicates Change Healthcare paid the ransom. However, when dealing with criminals there are no guarantees, and unexpected infighting among threat actors scuttled the deal.
The affiliate group that breached Change Healthcare (and controlled the ransomed data) claims BlackCat/ALPHV stole all of the ransom money. They refused to decrypt anything for Change Healthcare. In fact, shortly afterward the affiliate group started publicly listing the healthcare organization’s compromised partners.
BlackCat/ALPHV took down its servers and posted a message to an online forum reading “Everything is off, we decide.” They later changed this message to “GG”. While Change Healthcare continues to deal with the catastrophic fallout of this ransomware attack, threat actors rode off into the sunset $22 million richer.
This series of events should spark industry conversations around the risks of paying ransom. If you’re in the medical sector you need to have a response plan for ransomware attacks, including your position on negotiating with threat actors.
Cybersecurity hope, not hype
Some cybersecurity vendors reacted predictably in the wake of the Change Healthcare ransomware attack. They launched sales meetings, customer outreach, and posted articles about how their solutions would have made a difference. This is an unfortunate part of the ransomware travesty/ambulance chasing cycle that regularly follows these incidents. Yet, you can do a great deal to protect your organization through following a few simple steps.
To make your organization less susceptible to cyberattacks:
- Scan your internal and external traffic for suspicious activity. It is important to use something with visibility into encrypted communications as this makes up about 90% of web traffic. Blocking outbound traffic going to known phishing domains and malicious sites can protect employees who mistakenly trigger cyberattack lures.
- Adopt multi-factor authentication (MFA). MFA technology is not infallible as there are various ways to subvert it, but it improves your overall security posture.
- Every internet-facing technology your organization owns creates additional attack surface. Hiding assets behind a secure cloud provider removes them from the view of external adversaries. This gives IT teams more time to prioritize the order of system and software upgrades.
- Eliminate VPN access to systems. VPNs are a primary attack vector for adversaries because they are exposed to the internet and often laden with vulnerabilities. They provide bad actors a way to login with phished credentials and move laterally across your network.
- Do not grant network access to third-parties. Use more secure methods such as web portals that offer browser-only access to needed applications.
- Grant users access to the applications they need on a case-by-case basis rather than granting users access to the network. Do not put applications and users on the same network.
These relatively easy steps will make your organization harder to breach and therefore less appealing to threat actors. Cybercriminals, like their non-cyber counterparts, often choose the path of least resistance. You can also take bigger steps toward implementing a strong and holistic security posture by adopting a zero trust framework. Whatever you decide, taking proactive security steps now is much better than scrambling to remediate a breach later.
The ransomware hit on Change Healthcare, one of the most devastating cyberattacks in the medical sector’s history, is already fading from memory. We’re becoming so accustomed to large-scale cyber attacks that it becomes easy to write them off and move on. They become an expected travesty, like an earthquake or hurricane, and seem to foster a grudging acceptance that discourages further examination and eradication of root cause.
Yet, analyzing these large-scale attacks is how we’ll precisely learn to fight them. Change Healthcare processes billions of healthcare payment transactions annually, affecting up to 33% of patient records in a given year. Given the enormity of their position in the healthcare field, it is essential to consider the details of their breach, design an effective playbook against ransomware attacks, and learn from this experience.
Related Articles:
The Evolution of DevSecOps with AI
Published: 11/22/2024
It’s Time to Split the CISO Role if We Are to Save It
Published: 11/22/2024
Establishing an Always-Ready State with Continuous Controls Monitoring
Published: 11/21/2024
The Lost Art of Visibility, in the World of Clouds
Published: 11/20/2024