Last Week in Ransomware: 11.11.2024

Last week in ransomware news we saw TSA propose security standards for critical infrastructure, a ransomware attack exposes the PHI of 1.8 million patients, and Black Basta leveraging Microsoft Teams for initial access...

TSA Security Standards for Critical Infrastructure

The TSA has proposed cybersecurity regulations to strengthen emergency directives established after the 2021 Colonial Pipeline ransomware attack. This initiative, part of the Biden administration's cybersecurity efforts, aims to create standardized requirements for critical infrastructure.  

TSA Administrator David Pekoske emphasized collaboration with industry partners to improve the cybersecurity of transportation networks. Nearly 300 operators in freight rail, passenger rail, rail transit, and pipeline sectors will be affected.  

Requirements include risk management programs, cybersecurity plans, audits, and incident reporting to the Cybersecurity and Infrastructure Security Agency (CISA), along with secure-by-design principles.

The rules impact various transportation sectors, including 73 freight railroads, 34 public transit agencies, and 115 pipeline systems, with a public comment deadline of February 5, 2025.  

Experts note that the regulations consolidate previous directives while introducing essential updates to combat the escalating ransomware threat. Ransomware has evolved into a sophisticated, multi-billion-dollar industry employing techniques akin to state-sponsored cyber espionage.  

Attacks increasingly target Linux systems, which are crucial to sectors like energy and telecommunications but often lack robust security. In cloud environments, ransomware can disrupt virtualized infrastructure, posing significant risks to essential services and economic stability.

READ MORE HERE

Ransomware Attack Exposes PHI of 1.8 Million

Summit Pathology Laboratories, a Colorado-based healthcare provider, recently reported a major data breach that exposed sensitive information of 1,813,538 patients, including personal, financial, and medical details.  

This breach, attributed to a phishing attack by the Medusa ransomware group, underscores the vulnerabilities healthcare institutions face in protecting patient data. While it’s unclear if a ransom was paid, Summit Pathology has since strengthened its security policies and offered affected patients credit monitoring and identity theft protection.

The incident reflects an ongoing trend where ransomware groups target healthcare providers, recognizing the high stakes involved. Patients are left vulnerable to identity theft and financial fraud, and the emotional toll is profound, as sensitive health data—such as diagnoses and mental health histories—can be weaponized for extortion.  

This growing ransomware threat, which now poses a national security risk, has been linked to detrimental effects on patient care and outcomes, sometimes even leading to fatalities.

The Summit Pathology breach highlights the need for bold, coordinated cybersecurity strategies. The healthcare sector is a critical target in this “digital battlefield,” and without decisive intervention, cybercriminals will continue exploiting it, threatening both public health and the integrity of patient-care relationships.

READ MORE HERE

Black Basta Using Microsoft Teams to Infiltrate

The Black Basta ransomware group has advanced its social engineering techniques by using Microsoft Teams to impersonate IT support, targeting employees under the pretext of resolving a spam attack.  

In a recent campaign reported by Bleeping Computer, attackers first overwhelmed employees’ inboxes with non-malicious emails like newsletters to create a sense of urgency. They then posed as the company’s IT help desk, contacting employees through Teams and offering assistance with the spam problem.  

During these interactions, attackers convinced employees to install remote-access software such as AnyDesk or use Windows Quick Assist, providing them with network access. This access allowed Black Basta affiliates to move laterally, elevate privileges, exfiltrate data, and ultimately deploy ransomware.

According to the Ransomware Malicious Quartile report, Black Basta is a RaaS (Ransomware-as-a-Service) group active since 2022, is known for its aggressive tactics, using stolen credentials and exploiting vulnerabilities like ConnectWise (CVE-2024-1709) and PrintNightmare.  

Operating under a double extortion model, they exfiltrate sensitive data from victims and threaten to publish or sell it if ransoms aren’t paid. Their sophisticated ransomware, written in C++, targets both Windows and Linux systems, exploiting VMware ESXi vulnerabilities and using robust encryption methods like ChaCha20 and RSA-4096.

The group has a meticulous approach, disabling defenses like Windows Defender to avoid detection. Black Basta recruits trusted affiliates, prioritizing operational security and precision.  

Their active leak site publishes data from non-compliant victims, with average ransom demands reaching up to $9 million. Approximately 35% of targets reportedly pay the ransom, allowing Black Basta to amass over $107 million from more than 500 victims within two years.

Targeting high-stakes sectors such as finance, healthcare, and manufacturing, Black Basta has attacked notable organizations including Kansas Medical Center, Danbury Public Schools, and Advanced Fiberglass Industries.  

Their operations continue to pose severe financial, operational, and reputational risks to victims, solidifying their reputation as one of the most prolific ransomware threats in the cybersecurity landscape.

READ MORE HERE

HHS Office for Civil Rights Fines Ortho Group

An HHS investigation led to a $240,000 penalty for Providence Medical Institute after three ransomware attacks on the Center for Orthopaedic Specialists, affecting 85,000 patients' electronic protected health information (ePHI).  

The incidents exposed sensitive data like Social Security numbers, financial information, and medical records. HHS’s Office for Civil Rights (OCR) determined that Providence Medical Institute lacked essential HIPAA Security Rule measures, including a business associate agreement and adequate ePHI protection policies.

OCR Director Melanie Fontes Rainer stressed the need for cybersecurity vigilance in healthcare, warning that lapses in HIPAA compliance leave entities vulnerable to cyberattacks. A recent HHS press release highlighted a 264% rise in healthcare ransomware breaches since 2018. This escalation signals the sector’s urgent need for improved cybersecurity practices.

Ransomware tactics now often include data theft and extortion rather than encryption alone, as attackers threaten to release stolen data if ransoms aren’t paid. Such tactics heighten risks for healthcare organizations, leading to potential fines, legal action, and reputational damage.  

The regulatory landscape increasingly holds executives and board members accountable for cybersecurity breaches, as seen in high-profile cases involving CISOs at companies like Uber and SolarWinds.

With evolving threats and regulatory pressures, healthcare organizations must enhance cybersecurity and navigate complex compliance requirements to minimize legal and operational fallout.

READ MORE HERE

‍

Halcyon.ai eliminates the business impact of ransomware, drastically reduces downtime, prevents data exfiltration, and enables organizations to quickly and easily recover from attacks without paying ransoms or relying on backups – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.