HHS Warns Healthcare Sector About LockBit 2.0 ThreatsRansomware Variant Updated; Group Claimed Credit for Accenture Attack
Federal regulators are warning healthcare and public health sector organizations of potential attacks by the ransomware group LockBit 2.0 and its affiliates.
In a recent threat advisory, the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center notes that the LockBit 2.0 group claimed credit for an attack in August on Dublin, Ireland-based consultancy Accenture (see: Accenture Hit By Apparent Ransomware Attack).
The HC3 advisory also notes that some LockBit 2.0 affiliates appear to be operating with "a contradictory code of ethics." For instance, a LockBit 2.0 actor in an recent interview "portray[ed] a strong disdain for those who attack healthcare entities, while displaying conflicting evidence about whether he targets them himself," HC3 says.
HHS last month issued a similar threat advisory about the BlackMatter ransomware group, noting that that gang also says it does not target the healthcare sector (see: HHS Warns Health Sector of BlackMatter Attacks).
"Multiple gangs claim to avoid attacks on the healthcare sector, but these claims should be taken with a pinch of salt as, unsurprisingly, criminals do not necessarily keep to their word," says threat analyst Brett Callow of the security firm Emsisoft.
"In fact, even if they wanted to keep to their word, it may not be possible as gangs do not have complete control over their affiliates, and it’s the affiliates who carry out attacks."
Why do the gangs even bother making empty claims?
"It’s most likely an attempt to put a veneer of respectability on their operations. If they appear not to be hospital-attacking, conscienceless criminal scumbags, companies may be more inclined to transact with them," Callow says.
LockBit 2.0's Evolution
HC3 in its advisory notes that LockBit:
- Was first launched in September 2019;
- Started a ransomware-as-a-service program in January 2020;
- Began working with the Maze ransomware group in May 2020;
- Created its own LockBit data leak site in September 2020;
- Released its latest variant, LockBit 2.0, in June 2021;
- Attacked Accenture in August 2021.
Security vendor Emsisoft in a recent report notes that earlier LockBit attacks also include an October 2020 incident involving the Press Trust of India, which is the largest news agency in India, and an April 2021 attack on U.K. rail network Merseyrail.
LockBit 2.0 Traits
HC3 says characteristics of attacks involving the latest LockBit 2.0 ransomware variant include double extortion via StealBit malware, using group policy update to encrypt networks, faster encryption than earlier versions, print bombing, a Wake-on-LAN feature, new desktop wallpaper, and user account control bypass.
Security researchers also have recently noted that LockBit 2.0 borrows some characterizes from rival ransomware groups, including Ryuk and Egregor.
For instance, like Ryuk, LockBit 2.0 can send a "magic packet" that executes a Wake-on-LAN command, which wakes offline devices so they can be encrypted as well as enumerate printers and do a print-bombing run via the WritePrinter API, as Egregor has done, according to security firm Trend Micro.
This allows the ransomware to print ransom notes on printers across a victim's organization (see: Ransomware LockBit 2.0 Borrows Ryuk, Egregor Tricks).
Denise Anderson, president and CEO of the Health Information Sharing and Analysis Center, tells Information Security Media Group that so far, she has "not heard much chatter" about the LockBit 2.0 or BlackMatter ransomware gangs targeting H-ISAC's healthcare sector member organizations.
"What's interesting is that many of these ransomware families are just reiterations of something that has happened in the past," she notes.
"But many of these ransomware families, to some extent, are opportunist and are going after low-hanging fruit, and I certainly see reports of organizations that have encountered the ransomware and have been attacked. But I haven't seen much of healthcare in the mix."
HC3's advises healthcare sector entities can take several actions to specifically help prevent LockBit ransomware attacks.
Those actions include:
- Monitoring for, and alerting on, the anomalous execution of legitimate Windows command line tools, such as the use of net.exe, taskkill.exe, vssadmin.exe and wmic.exe.;
- Making use of network segregation to limit communications between nodes, especially endpoints, to provide damage limitation and limit the propagation of threats.
HC3 notes that more general efforts that healthcare sector entities can make to help prevent ransomware attacks overall include:
- Maintaining offline, encrypted backups of data and regularly testing backups;
- Creating, maintaining and exercising a cyber incident response plan, resiliency plan and associated communications plan;
- Mitigating internet-facing vulnerabilities and misconfigurations;
- Reducing the risk of phishing emails reaching end users.