Blackcat Ransomware Linked With ScreenConnect, Recent Health Care Attacks: US

The FBI, CISA and HHS said that a ScreenConnect remote access domain has commonly been utilized during a spate of recent Blackcat attacks against health care providers.

A ScreenConnect remote access domain has commonly been utilized during a spate of recent Blackcat ransomware attacks against health care providers, U.S. agencies said Tuesday.

The disclosure indicates that the Blackcat ransomware strain is increasingly being used to target health care organizations including hospitals in the U.S.

“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized,” the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and Department of Health and Human Services (HHS) said in an advisory update Tuesday.

It was unclear whether the disclosure was directly related to the recent cyberattack against a unit of UnitedHealth Group’s Optum subsidiary, Change Healthcare, which has disrupted U.S. pharmacies. The attack involved the Blackcat ransomware strain, Reuters reported Monday.

Security researchers have previously associated the Blackcat ransomware strain with Alphv, a Russian-speaking cybercriminal gang.

The disclosure also follows last week’s warning by CISA that a critical-severity authentication bypass vulnerability in ConnectWise ScreenConnect (tracked as CVE-2024-1709) has seen active exploitation in the wild. Yelisey Bohuslavskiy, co-founder of cyber threat intelligence firm RedSense, has tied the ScreenConnect vulnerability to the compromise of Change Healthcare.

ConnectWise, the parent company of ScreenConnect, said in a statement Tuesday that it remains “unaware of any confirmed connection between the ScreenConnect vulnerability disclosed on February 19th, 2024, and the incident at Change Healthcare.”

“Our internal reviews have yet to identify Change Healthcare as a ScreenConnect customer, and none of our extensive network of managed service providers have come forward with any information regarding their association with Change Healthcare,” the company said.

On Tuesday, CISA, the FBI and HHS issued an update to a previously released advisory on the Alphv Blackcat ransomware-as-a-service operation. The updated advisory contains additional indicators of compromise including a ScreenConnect remote access domain, “Fisa99.screenconnect[.]com.”

The additional indicators of compromise have been “identified through FBI investigations as recently as February 2024,” the agencies said.

The increased attacks against health care providers are “likely” a response to a post by an administrator with Alphv Blackcat “encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023,” according to the updated advisory.

Meanwhile, the Reuters report linking Blackcat with the Change Healthcare attack has also raised questions about UnitedHealth’s initial attribution of the attack to a nation-state threat actor. The attribution was part of UnitedHealth’s disclosure of the incident to the U.S. Securities and Exchange Commission on Feb. 21.

The latest statement posted by Change Healthcare Tuesday does not contain any new information from its prior disclosures. “The disruption is expected to last at least through the day,” the statement reads, repeating a line that was included in the statements of prior days.

The latest post also reiterated that Change Healthcare is taking “multiple approaches to restore the impacted environment.”

In a statement provided to media outlets including CRN, UnitedHealth said it has seen “minimal reports” of patients being unable to access prescriptions.

In part, this is because more than 90 percent of pharmacies in the U.S. are believed to use “modified electronic claim processing to mitigate impacts from the Change Healthcare cyber security issue,” the company said in the statement.

“As we remediate, the most impacted partners are those who have disconnected from our systems and/or have not chosen to execute workarounds,” UnitedHealth said.