Ransomware. One word that keeps many IT Administrators and SOC Analysts awake at night. And when it comes to the healthcare industry, the recent ransomware attacks of 2024 have led many IT security practitioners to burn the midnight oil late into the night.

Three Ransomware attacks and data breaches in the healthcare industry over the last few weeks are noteworthy. The first incident involves the BlackCat Ransomware as a Service (RaaS), the second see’s the return of LockBit 3.0, and finally Rhysida – three operations suspected of targeting many hospitals and other medical-related businesses.

BlackCat/AlphV

BlackCat, also known as ALPHV or Neberus, is a ransomware family and one of the few written in Rust that can infect both Windows and Linux. BlackCat operates a Ransomware as a Service (RaaS) and relies on stolen credentials obtained through initial access brokers, such as credential harvesting (phishing) campaigns.

The February 21st attack against UnitedHealth Group’s subsidiary Change Healthcare has had significant impact and consequences for some 68,000 pharmacies, hospitals, physician practices, and millions of patients are now forced to pay full price for their medications.

Optus, a payment processing platform that links thousands of providers was compromised and according to the BlackCat Ransomware Group, over 6TB of data was exfiltrated prior to endpoint encryption as part of a double extortion tactic. The double extortion plays commonly used in Ransomware attacks (encrypted endpoints and data exposure) could turn into a triple extortion play of DDoS attacks to the company’s IT Infrastructure if the Ransom fine goes unpaid.

No Honor Amongst Thieves

Now this is where it gets interesting. Apparently, the hackers (affiliates that use the platform and agree to share 10-20% of their ransom with the platform operator) were possibly duped by the operator, who claimed the site “had been taken down by the Fed’s”. After removing $22 Million in BitCoin from the hacker’s platform wallet, BlackCat’s servers were all shutdown, denying the hackers access to the wallet and the decryptors, which, if true, is very bad news for UnitedHeath.