BlackSuit Ransomware Threatens HPH Sector and Data Is Successfully Encrypted in 75% of Ransomware Attacks

The Health Sector Cybersecurity Coordination Center (HC3) has released an analyst note on BlackSuit ransomware, a new ransomware group thought to present a credible threat to the healthcare and public health (HPH) sector.

Security researchers have seen some commonalities between Royal ransomware and BlackSuit ransomware. Royal ransomware, like the Conti ransomware group, has been active in targeting the HPH industry. BlackSuit has already been used in an attack on the HPH sector, in October 2023, so it is reasonable to expect that it will be used in more attacks. A provider of medical scans and radiology services to over 1,000 hospitals in 48 states was attacked.

Like many other ransomware operations, BlackSuit is used in double extortion attacks, in which sensitive information is exfiltrated before files are encrypted. Ransom payments are demanded both to prevent the exposure of the stolen information and to decrypt the encrypted files. To date, BlackSuit ransomware has been used in only a few attacks; nonetheless, activity could increase at any time.

BlackSuit is thought to be a private group rather than a ransomware-as-a-service operation. Because of its links to Royal and Conti, the operation is believed to be run by people with expertise in carrying out ransomware attacks. A number of cybersecurity researchers have suggested that BlackSuit could be a rebrand of Royal ransomware, which carried out a major attack on a Texas city in May 2023 that drew the attention of the media and police authorities. BlackSuit first appeared soon after that attack. Royal is still in operation, however, and BlackSuit has not been broadly used so far, but a rebrand has not been ruled out.

Windows and Linux variants of BlackSuit have been discovered and, like Royal ransomware, they use OpenSSL’s AES for encryption. The ransomware uses intermittent encryption, which is more effective and encrypts files faster. Given the low number of known attacks, it is hard to say which attack strategies the group prefers. The likely distribution techniques are email attachments that contain macros, ransomware downloaded in torrent files, malicious advertisements (malvertising), and delivery through other malware types such as droppers, Trojans, and downloaders, which are frequently spread through compromised sites, phishing emails, and phony software updates.

The HC3 Analyst Note explains the MITRE ATT&CK techniques employed by the BlackSuit group, lists Indicators of Compromise (IoCs), and suggests mitigations for strengthening defenses. HC3 has additionally suggested reporting any suspected ransomware attacks to the FBI Internet Crime Complaint Center (IC3) and the local Federal Bureau of Investigation (FBI) field office.

Data Effectively Encrypted in 75% of Healthcare Ransomware Attacks

Sophos’ new report on healthcare cybersecurity shows that 75% of ransomware attacks on healthcare companies resulted in successful data encryption. Just 24% of surveyed healthcare companies identified an ongoing attack and stopped it before files were encrypted. Sophos states this is the highest encryption rate and the lowest rate of disruption the company has observed in the last 3 years. In 2022, healthcare companies stopped 34% of attacks before files were encrypted.

The percentage of companies that are able to stop an attack before encryption is a good indicator of security maturity. The healthcare industry had a low disruption rate of only 24%. In addition, this number is decreasing, which implies the industry is losing ground to cyber attackers and is increasingly unable to detect and stop an attack in progress.

Many ransomware groups use double-extortion tactics, encrypting files after data exfiltration and demanding a ransom payment to decrypt the files and prevent the exposure of the stolen information. Healthcare ransomware attacks involving double extortion tactics increased to 37% compared to previous years. Ransomware attacks are still growing in complexity, threat actors are continually changing and enhancing their strategies, and attack timelines are accelerating, leaving defenders less time to identify and stop cyberattacks. Sophos states the median time from the beginning of an attack to discovery has already dropped to merely 5 days. Most attacks are also timed to take place outside office hours, when staffing levels are lower. Just 10% of attacks were carried out during normal work hours.

The complexity of cyberattacks has led to longer recovery times. Just 47% of healthcare companies could recover from a ransomware attack within one week, compared to 54% in 2022. According to the Department of Health and Human Services’ Office for Civil Rights, there has been a 278% rise in ransomware attacks on healthcare companies in the last four years; nevertheless, Sophos’s data shows a small decrease in attacks, from 66% (2022) to 60% (2023). There has also been a big decrease in the number of healthcare companies paying ransoms. In 2022, 61% of healthcare companies paid a ransom. In 2023, only 42% decided to pay.

The ransomware threat has become too complicated for many companies to handle on their own. All companies, particularly those in healthcare, must modernize their defensive approach to cybercrime, moving from being purely preventive to actively monitoring and investigating alerts 24/7 and getting outside assistance such as managed detection and response (MDR).

Sophos advises strengthening defenses by using security tools such as endpoint protection with strong anti-ransomware and anti-exploit capabilities, applying zero trust network access to prevent the misuse of compromised credentials, using adaptive technologies that respond automatically to attacks in progress to give defenders additional time, and implementing 24/7 threat detection, investigation, and response, whether that is done in-house or through a specialist MDR provider.

It is also necessary to adopt good security practices, such as keeping software up to date and patching promptly, routinely reviewing security tool settings, routinely backing up data and restoring data from backups, and keeping an up-to-date incident response plan.