Ransomware group BlackCat has been targeting healthcare organizations in recent months, and last week cybercriminals associated with the group added NextGen Healthcare, an Atlanta-based electronic health record vendor with more than 2,500 healthcare organizations as customers, to the group’s list of victims.
Healthcare organizations have been advised to beef up their cybersecurity strategy to account for the threat posed by BlackCat, and the Department of Health and Human Services has issued various warnings about the group’s advanced capabilities and propensity to target the healthcare sector.
NextGen acknowledged the attack and said that the threat was immediately contained. The company assured its customers that NextGen’s network is secure and all operations are running as usual.
NextGen’s forensic review has not yet revealed any evidence that patient data has been accessed or exfiltrated, the company told The Washington Post. And a representative purporting to be a part of BlackCat refused to provide proof that the group has obtained data from NextGen’s clients.
Regardless of whether BlackCat ends up using NextGen data for nefarious purposes, the attack shows the ransomware group has its sights set on major healthcare companies.
The Department of Health and Human Services has tried to make the healthcare industry aware of this fact. Less than two weeks ago, the department issued its latest threat brief warning healthcare organizations about BlackCat, calling the group “a relatively new but highly-capable ransomware threat to the health sector.”
BlackCat initially got on the federal government’s radar in late 2021, when the Federal Bureau of Investigation discovered that the ransomware gang had compromised at least 60 victims in four months. HHS suspects BlackCat to be a successor of a ransomware group known as DarkSide or BlackMatter, which said it was shutting down in late 2021 due to pressure from the federal government.
HHS has also reported that one of BlackCat’s administrators is a former REvil member. REvil was one of the top ransomware gangs worldwide until it was shut down by Russian authorities a year ago.
BlackCat is characterized by its “triple extortion” approach, which means it combines ransomware attacks with threats to leak stolen data and disable websites. To increase pressure on its victims to pay the ransom, BlackCat has begun posting searchable data from its hacks onto the open web, as opposed to the dark web.
Targeting the healthcare sector along with other industries, the group is focused on attacking companies in the U.S., HHS warned. BlackCat has said that it does not attack hospitals, ambulances or state medical institutions, but it will go after pharmaceutical companies and private clinics. However, many ransomware gangs have failed to honor their word about which companies they attack, HHS pointed out.
Healthcare organizations would be wise to enhance their cybersecurity strategy in defense against BlackCat, as it is “one of the more adaptable ransomware operations in the world,” according to an analyst note that HHS released in December.
“BlackCat was one of the first major ransomware variants to be developed in the Rust programming language, has a highly customizable feature set, and relies heavily on internally-developed capabilities, which are constantly developed and have upgrades,” the note said.