The group, also known as ALPHV and suspected to be a successor to BlackMatter, has demanded ransoms as high as $1.5M with affiliates keeping 80-90%, according to the Office of Information Security at U.S. Health and Human Services and the Health Sector Cybersecurity Coordination Center.

WHY IT MATTERS

The Russian ransomware group allegedly attacked the EHR vendor NextGen on January 17, The Washington Post reported on Monday. 

"The company says it doesn't look like the hackers obtained any client data or patient data," according to the Post.

Healthcare IT News reached out to NextGen for comment and will update this story if it responds.

Claiming responsibility, BlackCat "put an alleged sample of NextGen information on its extortion site — typically used to compel victims to pay or risk further exposure — but later took down the NextGen listing," Databreaches.net first reported on January 21.

According to a joint briefing by OIS and HC3 earlier this month, those behind BlackCat ransomware are exceptionally capable and believed to be operated by experienced cybercriminals.

While they attack critical infrastructure worldwide and disrupt operations, like the attack on a major Columbian energy supplier last month, the majority of targets are U.S.-based. 

In December, an HC3 analysis said "BlackCat was one of the first major ransomware variants to be developed in the rust programming language, has a highly customizable feature set and relies heavily on internally-developed capabilities, which are constantly developed and have upgrades."

Bad actors use BlackCat for triple extortion – gaining unauthorized access, stealing data, locking it up and then threatening to leak data as well as distributed denial of service attacks.

In July, Sophos reported that Blackcat ransomware attacks follow a consistent pattern, exploiting known access vulnerabilities, deploying access tools and uploading data from servers to cloud storage.

THE LARGER TREND

As we previously reported, BlackMatter ransomware-as-a-service went silent in October 2021, and early the next year BlackCat emerged as another rebrand with two attacks on German oil companies.

"While the group appears to have shut down operations, other actors seeking lucrative payouts from ransomware attacks are likely to fill this void," HC3 confirmed in February 2022.

With ransomware attacks doubling in recent years, the impacts on care cannot be understated. In a recent report from Ponemon Institute, the most prevalent impact providers identified was an increase in patients transferred or diverted to other facilities, reported by 70% of those surveyed.

ON THE RECORD

“NextGen Healthcare is aware of this claim and we have been working with leading cybersecurity experts to investigate and remediate. We immediately contained the threat, secured our network and have returned to normal operations," according to a statement sent to the Washington Post.

"Our forensic review is ongoing and, to date, we have not uncovered any evidence of access to or exfiltration of client or patient data. The privacy and security of our client information is of the utmost importance to us."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS publication.