Last Week in Ransomware: 10.21.2024
Last week in ransomware news, we saw Change Healthcare ransomware attack losses approach $3B, an attack on Casio expose data, UMC struggle to recover from an attack...
Change Healthcare Ransomware Losses at $3B
UnitedHealth Group (UHG) has revised its cost estimate for the February cyberattack on its Change Healthcare IT services, raising the projected financial impact to nearly $2.9 billion for fiscal year 2024.
Initially, UHG estimated $2.5 billion in damages by July, but additional recovery and operational expenses have increased the figure. By the third quarter of 2024, UHG had already incurred $2.5 billion in costs related to the attack.
Despite the financial challenges, UHG reported significant progress in restoring Change Healthcare’s systems and is working to regain lost business.
Roger Connor, CEO of UHG's Optum Insight division, emphasized that clients are responding positively to the improved security measures. However, he noted that the return to pre-attack transaction volumes is still in progress, with customers increasingly seeking vendor redundancy to reduce future risks.
The cyberattack, linked to the BlackCat ransomware group, exploited a vulnerability in Citrix remote access services, which lacked multifactor authentication. UHG paid a $22 million ransom, but complications arose when BlackCat disbanded, leading to a second ransom demand from another group.
The attack affected thousands of healthcare entities across the U.S., disrupting clinical and business operations.
UHG continues to investigate the extent of the data breach. Although an initial report indicated 500 individuals were affected, UHG CEO Andrew Witty later testified that up to 100 million people could have been impacted.
This incident highlights the staggering financial toll of ransomware recovery, with costs extending beyond immediate remediation to include long-term damage to brand reputation, legal liabilities, and lost revenue.
Ransomware attacks not only lock systems but also steal sensitive data, leading to further regulatory and legal consequences. For large corporations, these costs are substantial but manageable; for smaller organizations, they can be existential.
The attack underscores the critical importance of proactive cybersecurity measures. As ransomware tactics evolve, organizations must focus on prevention and resilience to minimize the impact of future attacks.
Ransomware Attack on Casio Exposes Data
In early October, Japanese electronics giant Casio confirmed it had suffered a ransomware attack, leading to the theft of sensitive company and customer data. Initially reporting a "system disruption" on October 7, Casio later revealed the issue stemmed from a ransomware incident.
The breach impacted personal information of employees, contractors, business partners, and job applicants, and compromised internal documents, including invoices and HR files. However, Casio clarified that its Casio ID and ClassPad services, which handle customer credit card information, were unaffected.
A ransomware group called Underground, linked to the Russia-based Storm-0978 (RomCom), claimed responsibility for the attack, allegedly stealing over 200GB of data. Samples of the stolen data were posted online as leverage for a ransom demand.
Casio has not confirmed whether a ransom was requested or paid but continues to assess the damage, with some systems still offline.
This incident underscores the growing trend of ransomware groups using data exfiltration as a key tactic. The risk posed by the theft of sensitive data extends beyond immediate operational disruption, raising concerns about regulatory fines, legal liabilities, and brand damage.
With the increase in class action lawsuits and regulatory penalties following data breaches, organizations must prioritize early detection and prevention, focusing on stopping attacks before ransomware payloads are deployed.
A proactive defense strategy can mitigate both operational and data-related risks, helping organizations avoid long-term damage from ransomware attacks.
UMC Struggles to Recover from Attack
As of October 11, UMC Health reported significant progress in restoring critical IT systems following a major outage caused by a ransomware attack.
A key milestone in the recovery was the successful restoration of the Electronic Health Record (EHR) system across all UMC locations, essential for patient care and internal operations.
UMC also reinstated its “Find-a-Physician” feature on its website, enabling patients to access physician information and schedule appointments. Additionally, communication with UMCP Clinics through the MyTeamCare patient portal has resumed.
Despite these improvements, UMC acknowledged that several patient-facing systems and internal care programs remain offline, impacting the efficiency of healthcare services.
While emergency services continue to operate, including ambulance arrivals, some patients are still being diverted due to the remaining system issues.
UMC emphasized its ongoing efforts to fully assess and mitigate the impact of the attack in collaboration with third-party cybersecurity firms.
At the same time, Texas Tech University Health Sciences Center (TTUHSC), which relies on UMC as its primary teaching hospital, is working to recover its own IT systems. TTUHSC advised faculty and students that deadlines might be adjusted based on the progress of the system restoration, and faculty are prioritizing urgent tasks as systems come back online.
The attack on UMC Health has raised broader concerns about healthcare cybersecurity, particularly the vulnerability of critical IT infrastructure in hospitals. While UMC has restored its EHR systems, many patient-facing services remain disrupted, suggesting the attack caused deeper network issues.
A key question is whether UMC’s EHRs were compromised during the attack or deliberately taken offline as a preventative measure to contain the ransomware’s spread.
From a cybersecurity perspective, it’s plausible that UMC took its EHRs offline to prevent further damage, a proactive strategy often used to isolate critical systems. However, the fact that other essential systems remain inaccessible points to the possibility that workstations or devices, including those used to access the EHRs, may still be compromised.
Without fully functioning workstations, healthcare providers face operational challenges despite the restoration of central servers.
Large-scale ransomware attacks typically target servers first, as they are the backbone of healthcare operations. Once servers are restored, however, the more labor-intensive process of reimaging or replacing affected devices must be completed to regain full functionality.
This phased recovery approach helps restore patient data access quickly but delays full operational efficiency until all devices are addressed.
The attack also impacted TTUHSC, highlighting the interconnectedness of healthcare networks. Although UMC and TTUHSC are separate entities, they may share infrastructure or data systems, creating the potential for lateral movement of attackers between their networks.
This incident underscores the importance of strong network segmentation and limiting user privileges to prevent the spread of ransomware.
Modern ransomware tactics have evolved beyond simple encryption, with attackers now engaging in data exfiltration and privilege escalation before deploying the ransomware payload.
Early detection of these activities is critical to mitigating damage, as attackers often engage in detectable behaviors, such as data exfiltration and account compromise, long before encrypting systems.
While UMC and TTUHSC have not confirmed whether patient, student, or employee data was compromised, determining the full scope of a data breach can take weeks or months. In healthcare, where sensitive information is at stake, digital forensics investigations are complex and can trigger significant regulatory and legal scrutiny.
Ransomware attacks on healthcare organizations pose not only financial risks but also threats to national security. The increasing frequency of these attacks on critical infrastructure highlights the need for stronger legislative and regulatory responses to protect healthcare systems and ensure public safety.
BianLian Attacks Boston Children's Health Physicians
The BianLian data extortion group has claimed responsibility for a cyberattack on Boston Children's Health Physicians (BCHP), a network of over 300 pediatric specialists operating in New York and Connecticut.
The attack, detected in early September, targeted BCHP's IT vendor, allowing hackers to access and exfiltrate sensitive data, including patient, employee, and guarantor personal information.
The stolen data includes names, Social Security numbers, addresses, and limited medical and billing details. Fortunately, BCHP's electronic medical record systems were unaffected, as they are hosted on a separate network.
BianLian has threatened to release sensitive information, such as financial and HR data, unless a ransom is paid. Although no deadline for negotiations has been set, BCHP has committed to notifying affected individuals by October 25 and offering credit monitoring services to those whose Social Security numbers or driver’s licenses were compromised.
This attack underscores the growing trend of cybercriminals targeting healthcare organizations, particularly those that treat children, for extortion. Healthcare entities are increasingly seen as easy targets due to their underfunded cybersecurity defenses and the critical nature of their operations.
These attacks are not just about financial gain; they endanger lives by disrupting patient care, with delays potentially leading to worsened health outcomes or even death.
The exploitation of highly sensitive health data in ransomware attacks adds another layer of harm, as personal medical details are weaponized for extortion. This incident reflects the broader need for stronger cybersecurity measures in healthcare and highlights the urgency of coordinated responses to counter the escalating threat of cyberattacks in this vulnerable sector.