News & Insights

As I am sure you are all aware from the frequency of government alerts and media attention, ransomware incidents are continuing to increase and, just like COVID, have developed new "variants."

Criminal organizations backing these attacks have gone through mergers, restructuring and consolidation - just like any other growing industry. Ransomware is big business complete with business development, customer support, sales department, and, more concerning, talented development teams. Advance preparation and defense are imperative.

The Department of Health and Human Services, as part of its education initiative, offers frequent free webinars specifically focused on cybersecurity. One such webinar is offered on a bi-monthly basis through the Health Sector Cybersecurity Coordination Center (“HC3”) of HHS.

Today’s HHS/HC3 webinar drills down on Hive Ransomware.

The HIVE group is just one of those organizations which has emerged through apparent merger with other criminal organizations. According to the FBI alert, HIVE attackers not only take the information and threaten to "leak" it absent payment, but notify victims of the presence of their information taken from the victim company and the potential for public disclosure. This Ransomware variant has been associated with several healthcare attacks since June 2021. HC3’s site has more information regarding its prior briefings and educational information

The Cybersecurity & Infrastructure Security Agency (“CISA”) recently issued an alert related to the BlackWater ransomware group and included specific mitigation steps that are recommended. These include standard safeguards such as strong passwords, multi-factor authentication, network segmentation, patching/updating of systems, limiting access, strong backup and restoration processes, but also recommend: implementing detection signatures to identify and block the ransom note on the first encrypted location, use of admin disabling tools to protect systems after-hours as most attacks occur during non-business hours, and

• Disable the storage of clear text passwords in LSASS memory.
• Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
• Implement Credential Guard for Windows 10 and Server 2016 (Refer to Microsoft: Manage Windows Defender Credential Guard for more information). For WindowsServer 2012R2, enable Protected Process Light for Local Security Authority (LSA).
• Minimize the AD attack surface to reduce malicious ticket-granting activity. Malicious activity such as “Kerberoasting” takes advantage of Kerberos’ Ticket Granting service and can be used to obtain hashed credentials that attackers attempt to crack.
• Set a strong password policy for service accounts.
• Audit Domain Controllers to log successful Kerberos Ticket-Granting Service requests and ensure the events are monitored for anomalous activity.

Ongoing assessment of security safeguards and implementation of those needed to provide reasonable protection is a recommended part of a healthcare security risk management plan. If you have additional questions or would like to discuss how Waller can assist you with HIPAA and data privacy and security compliance, please contact Beth.Pitman@Wallerlaw.com.