Getty Images

HC3 Warns Health Sector Against LockBit Ransomware Variant

LockBit Ransomware launched in September 2019 and claimed responsibility for an August 2021 attack on Accenture.

HHS’ Health Sector Cybersecurity Coordination Center (HC3) released a threat brief warning the heath sector of LockBit Ransomware, a hacking group that orchestrated an attack on Ireland-based Accenture in August 2021.

The cybercriminal organization’s latest variant, LockBit 2.0, was released in June 2021. LockBit 2.0 uses double extortion via StealBit malware and leverages group policy updates to encrypt networks.

“The actor appears to have a contradictory code of ethics, portraying a strong disdain for those who attack healthcare entities, while displaying conflicting evidence about whether he targets them himself,” HC3 found.

The organization claims to be against attacking the healthcare, education, and social services sectors. But because hospitals are considered easy targets, it is likely that the threat actors would target any unpatched system regardless of ethics.

The US and the EU are top targets for the ransomware gang. However, the US’ data privacy laws are a deterrent to paying a ransom to attackers, so attacking US entities may be less lucrative to the group.

The gang also launched an affiliate program using the ransomware-as-a-service model (RaaS) to carry out ransomware attacks on behalf of other bad actors.

“Unparalleled benefits are encryption speed and self-spread function,” the ransomware group claimed on its website, according to HC3.

“The only thing you have to do is get access to the core server, while LockBit 2.0 will do all the rest.”

LockBit’s affiliate program allows affiliates to set their own ransom amount and choose the payment method. The affiliate receives the payment from the victim and then pays the LockBit group.

LockBit 1.1 leveraged IP-based geolocation, had high CPU usage during encryption, and appended its encrypted files with .abcd. Later, LockBit 1.2 changed its extension to .lockbit, removed its debug function, and updated its ransom note. When LockBit 2.0 arrived in June, it was identified as a highly sophisticated variant.

Cisco Talos Intelligence Group warned HC3 that, “Cybercriminals are avid consumers of security news and remain up to date on the latest research and vulnerabilities, weaponizing that information to use in future attacks.”

HC3 recommended that organizations maintain offline, encrypted data backups. It also suggested creating, maintaining, and exercising a cyber incident response plan, communications plan, and resiliency plan in the event of a cyberattack.

Organizations should also practice enterprise-wide cyber hygiene, mitigate internet-facing vulnerabilities, and set up web filters to reduce the chances of a phishing email ever reaching an end user.

Specifically for LockBit, HC3 recommended “monitoring for, and alerting on, the anomalous execution of legitimate Windows command line tools such as the use of net.exe, taskkill.exe, vssadmin.exe, and wmic.exe.”

Healthcare organizations should also take advantage of network segmentation to limit endpoint communications and reduce risk.

HC3 also recently issued a threat brief warning the healthcare sector of BlackMatter ransomware, another notorious hacking group that has been wreaking havoc on a variety of industries. BlackMatter claimed to incorporate the “best” features of LockBit 2.0, REvil/Sodinokibi, and DarkSide in its operations.

Meanwhile, Hive ransomware continues to direct attention to the healthcare sector. Missouri Delta Medical Center recently fell victim to a Hive ransomware attack, and the group previously targeted Memorial Health System and caused EHR downtime and emergency room diversions.

Next Steps

Dig Deeper on Cybersecurity strategies