ClickCease Alert: FBI Warns Of BlackCat Ransomware Healthcare Attack

Alert: FBI Warns Of BlackCat Ransomware Healthcare Attack

Wajahat Raja

March 12, 2024 - TuxCare expert team

In recent months, a concerning trend has emerged within the healthcare sector: the resurgence of BlackCat ransomware attacks. The BlackCat ransomware healthcare attack has prompted a joint advisory from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS), warning healthcare organizations about the heightened risk they face from these malicious actors.


Government Alert  – BlackCat Ransomware Healthcare Attack

The U.S. government issues a stark warning concerning the resurgence of BlackCat ransomware attacks, particularly targeting the healthcare sector. Recent data reveals a concerning trend, with the healthcare industry being the primary focus of nearly 70 leaked victims since mid-December 2023.

FBI Warning BlackCat Ransomware

The FBI, working alongside CISA and HHS, has issued a warning about the
BlackCat ransomware healthcare attack, signaling a collaborative effort to address the threat. Notably, the healthcare sector appears to be in the crosshairs, prompting a response from the U.S. government.

Setback and Resurgence

Despite a significant blow to the BlackCat ransomware operation in late 2023, a coordinated law enforcement effort failed to fully dismantle the group. After regaining control of their dark leak sites, BlackCat has intensified attacks on critical infrastructure organizations, including notable entities like Prudential Financial, LoanDepot, Trans-Northern Pipelines, and Optum, a subsidiary of UnitedHealth Group.

Government Incentives

In response to the escalating threat, the U.S. government is offering financial rewards of up to $15 million for information leading to the identification of key members and affiliates of the BlackCat e-crime group. This move underscores the severity of the situation and the urgent need for collaboration in combating cyber threats.

ConnectWise Vulnerabilities Exploited

Recent breaches, such as the one targeting Optum, have raised concerns about the exploitation of critical security flaws in ConnectWise’s ScreenConnect remote desktop and access software. BlackCat has been implicated in this
healthcare data breach, although the group vehemently denies using ConnectWise exploits for initial access.

Widespread Impact

The vulnerabilities in ConnectWise’s software have become a focal point for various ransomware groups, including Black Basta and Bl00dy, exploiting them to deliver malicious payloads like Cobalt Strike Beacons, XWorm, and remote management tools such as Atera and Syncro. 

Attack surface management firm Censys reports over 3,400 exposed potentially vulnerable ScreenConnect hosts as of February 27, 2024, primarily located in the U.S., Canada, the U.K., Australia, Germany, France, India, the Netherlands, Turkey, and Ireland.


BlackCat Ransomware HealthCare Attack Tactics Evolution

The landscape of
BlackCat ransomware healthcare attack on hospitals is evolving, with groups like RansomHouse, Rhysida, and a Phobos variant named Backmydata employing more sophisticated tactics. RansomHouse, for instance, utilizes a custom tool called MrAgent, designed to automate and track the deployment of ransomware across large environments, particularly targeting VMware ESXi hypervisors.

New Monetization Methods

In a concerning shift, some
BlackCat ransomware healthcare attack affiliates are adopting new monetization methods, such as selling direct network access through blogs, Telegram channels, or data leak websites. This demonstrates a move towards more nuanced and sophisticated approaches by cybercriminals.

Emergence of Linux-Specific Threats

The release of a Linux-specific, C-based ransomware threat known as Kryptina poses a new challenge. First appearing in underground forums in December 2023 and subsequently available for free on BreachForums, Kryptina’s source code release could lead to a surge in
ransomware attacks against Linux systems, attracting low-skilled participants to the cybercrime ecosystem.

Mitigating Ransomware Risk In Healthcare

In light of these developments,
protecting healthcare data from ransomware has become imperative for healthcare organizations in order to fortify their defenses against BlackCat ransomware and its affiliates. The joint advisory issued by the FBI, CISA, and HHS outlines key measures to mitigate the risk of the BlackCat ransomware healthcare  attack:


  1. Secure Remote Access: Implement stringent controls for remote access tools, ensuring that only authorized software is executed.
  2. Phishing-Resistant MFA: Deploy multi-factor authentication (MFA) solutions that are resilient to phishing attempts, such as FIDO/WebAuthn authentication.
  3. Network Monitoring: Employ robust network monitoring tools to detect and investigate abnormal activity, thereby thwarting potential ransomware traversal.
  4. Mail and Messaging Monitoring: Enhance internal monitoring capabilities to identify suspicious activity within mail and messaging systems.
  5. User Awareness Training: Educate employees on recognizing and responding to social engineering and phishing attacks, empowering them to act as a frontline defense against cyber threats.


By adopting these proactive measures, healthcare organizations can enhance their resilience to BlackCat ransomware attacks and safeguard sensitive patient data.


BlackCat’s Alleged Involvement in Change Healthcare Incident

BlackCat has reportedly claimed responsibility for an ongoing cyber-attack against Change Healthcare, asserting the exfiltration of 6TB of data. Although the claim was removed without explanation, the incident has caused significant disruption to Change Healthcare, impacting healthcare services, including prescriptions, throughout the U.S.

Healthcare Data Recovery 

Change Healthcare, now merged with Optum, a subsidiary of UnitedHealth Group, is grappling with the aftermath of the attack. UnitedHealth, handling a substantial portion of U.S. patient data and processing 15 billion healthcare transactions annually, declared the attack as the work of a
“suspected nation-state associated cybersecurity threat actor.” 

The incident has disrupted healthcare services, affecting insurance claims transmission for many pharmacies across America. Cybersecurity for healthcare organizations is critical in safeguarding sensitive patient data and ensuring operational continuity.


The escalating threat landscape of ransomware, exemplified by the resurgence of BlackCat and similar groups, calls for heightened vigilance and proactive measures. HIPAA compliance and ransomware intersect in the healthcare sector, demanding robust security measures to protect patient privacy and data integrity. 

Organizations, especially in critical sectors like healthcare, must prioritize cybersecurity to safeguard sensitive data, maintain operational continuity, and protect against the evolving tactics of cyber adversaries. As we navigate these challenges, collaboration, awareness, and adherence to recommended security protocols remain paramount.

The sources for this piece include articles in The Hacker News and InfoSecurity.


Alert: FBI Warns Of BlackCat Ransomware Healthcare Attack
Article Name
Alert: FBI Warns Of BlackCat Ransomware Healthcare Attack
Stay informed about the latest FBI warning regarding BlackCat ransomware healthcare attack. Protect your organization now.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter