
HHS Warns Healthcare Sector About LockBit 2.0 Threats

Ransomware Variant Updated; Group Claimed Credit for Accenture Attack

Federal regulators are warning healthcare and public health sector organizations of potential attacks by the ransomware group LockBit 2.0 and its affiliates.


In a recent threat advisory, the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center notes that the LockBit 2.0 group claimed credit for an attack in August on Dublin, Ireland-based consultancy Accenture (see: Accenture Hit By Apparent Ransomware Attack).

The HC3 advisory also notes that some LockBit 2.0 affiliates appear to be operating with "a contradictory code of ethics." For instance, a LockBit 2.0 actor in a recent interview "portray[ed] a strong disdain for those who attack healthcare entities, while displaying conflicting evidence about whether he targets them himself," HC3 says.

HHS last month issued a similar threat advisory about the BlackMatter ransomware group, noting that that gang also says it does not target the healthcare sector (see: HHS Warns Health Sector of BlackMatter Attacks).

"Multiple gangs claim to avoid attacks on the healthcare sector, but these claims should be taken with a pinch of salt as, unsurprisingly, criminals do not necessarily keep to their word," says threat analyst Brett Callow of the security firm Emsisoft.

"In fact, even if they wanted to keep to their word, it may not be possible as gangs do not have complete control over their affiliates, and it’s the affiliates who carry out attacks."

Why do the gangs even bother making empty claims?

"It’s most likely an attempt to put a veneer of respectability on their operations. If they appear not to be hospital-attacking, conscienceless criminal scumbags, companies may be more inclined to transact with them," Callow says.

LockBit 2.0's Evolution

HC3 in its advisory notes that LockBit:

  • Was first launched in September 2019;
  • Started a ransomware-as-a-service program in January 2020;
  • Began working with the Maze ransomware group in May 2020;
  • Created its own LockBit data leak site in September 2020;
  • Released its latest variant, LockBit 2.0, in June 2021;
  • Attacked Accenture in August 2021.

Security vendor Emsisoft in a recent report notes that earlier LockBit attacks also include an October 2020 incident involving the Press Trust of India, which is the largest news agency in India, and an April 2021 attack on U.K. rail network Merseyrail.

LockBit 2.0 Traits

HC3 says characteristics of attacks involving the latest LockBit 2.0 ransomware variant include double extortion via StealBit malware, using group policy update to encrypt networks, faster encryption than earlier versions, print bombing, a Wake-on-LAN feature, new desktop wallpaper, and user account control bypass.

Desktop wallpaper deployed by LockBit 2.0 on a system it's infected. (Source: HHS HC3)

Security researchers also have recently noted that LockBit 2.0 borrows some characteristics from rival ransomware groups, including Ryuk and Egregor.

For instance, like Ryuk, LockBit 2.0 can send a "magic packet" that issues a Wake-on-LAN command, waking offline devices so that they can be encrypted as well. It can also enumerate printers and carry out a print-bombing run via the WritePrinter API, as Egregor has done, according to security firm Trend Micro.

This allows the ransomware to print ransom notes on printers across a victim's organization (see: Ransomware LockBit 2.0 Borrows Ryuk, Egregor Tricks).
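The Wake-on-LAN behaviour described above has a network-visible fingerprint: a magic packet is a fixed 102-byte pattern (six 0xFF bytes followed by the target MAC address repeated 16 times) carried in a broadcast UDP datagram. The following is an added detection example, not code from the HC3 advisory or from Trend Micro; the approved-sender address, the sweep threshold and the datagrams it inspects are all constructed for the demonstration. It flags magic packets sent by any host other than the management server and groups them by source so that a single endpoint waking many peers stands out.

```python
"""Detect Wake-on-LAN "magic packets" in captured UDP traffic and flag
senders that are not supposed to wake machines.

Added example; not code from the HC3 advisory or Trend Micro. All sample
datagrams below are constructed.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set


class Datagram(NamedTuple):
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


class WolEvent(NamedTuple):
    src_ip: str
    target_mac: str
    expected: bool  # True when the sender is on the approved list


# Assumption: only the management server is permitted to send WoL packets.
APPROVED_WOL_SENDERS: Set[str] = {"10.10.0.5"}
# Assumption: one host waking this many distinct machines is treated as a sweep.
SWEEP_THRESHOLD = 3

SYNC = b"\xff" * 6  # the six-byte synchronisation stream that opens a magic packet


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC (colon-separated hex) if the payload carries a
    magic packet anywhere inside it, otherwise None.

    The broadcast and all-zero MACs are rejected so that padding-only
    payloads are not mistaken for wake requests.
    """
    start = 0
    while True:
        idx = payload.find(SYNC, start)
        if idx < 0 or len(payload) - idx < 102:
            return None
        mac = payload[idx + 6: idx + 12]
        if mac not in (SYNC, bytes(6)) and payload[idx + 6: idx + 102] == mac * 16:
            return ":".join(f"{b:02x}" for b in mac)
        start = idx + 1  # sync bytes may also appear inside other data; keep scanning


def detect_wol(datagrams: List[Datagram]) -> List[WolEvent]:
    """One WolEvent per datagram that contains a magic packet."""
    events: List[WolEvent] = []
    for d in datagrams:
        mac = parse_magic_packet(d.payload)
        if mac is None:
            continue
        events.append(WolEvent(d.src_ip, mac, d.src_ip in APPROVED_WOL_SENDERS))
    return events


def find_sweeps(events: List[WolEvent]) -> Dict[str, Set[str]]:
    """Map each unapproved sender to the MACs it tried to wake, keeping only
    senders that reached SWEEP_THRESHOLD distinct targets."""
    per_source: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if not e.expected:
            per_source[e.src_ip].add(e.target_mac)
    return {src: macs for src, macs in per_source.items() if len(macs) >= SWEEP_THRESHOLD}


def _magic(mac_hex: str) -> bytes:
    """Build a constructed sample payload for the demonstration traffic."""
    return SYNC + bytes.fromhex(mac_hex) * 16


# Constructed sample traffic: one legitimate wake from the management server,
# three wakes from an ordinary workstation, and two non-WoL broadcasts.
SAMPLE_TRAFFIC: List[Datagram] = [
    Datagram("10.10.0.5", "10.10.255.255", 9, _magic("001122334455")),
    Datagram("10.10.4.23", "10.10.255.255", 9, _magic("00112233aa01")),
    Datagram("10.10.4.23", "10.10.255.255", 7, b"\x00" * 12 + _magic("00112233aa02")),
    Datagram("10.10.4.23", "10.10.255.255", 9, _magic("00112233aa03") + b"\x00" * 4),
    Datagram("10.10.4.23", "255.255.255.255", 9, SYNC + b"\x00" * 96),
    Datagram("10.10.4.99", "255.255.255.255", 67, bytes(range(120))),
]


if __name__ == "__main__":
    for ev in detect_wol(SAMPLE_TRAFFIC):
        tag = "expected" if ev.expected else "UNEXPECTED"
        print(f"{ev.src_ip} woke {ev.target_mac} [{tag}]")
    for src, macs in find_sweeps(detect_wol(SAMPLE_TRAFFIC)).items():
        print(f"sweep: {src} targeted {len(macs)} machines")
```

The parser scans for the synchronisation bytes anywhere in the payload rather than only at offset 0, because the pattern may follow other data and may be followed by a SecureOn password, both of which the sample traffic exercises. On a real estate the approved-sender set should list every system that legitimately issues wake requests (management, patching and backup servers), and the sweep view is the signal worth paging on: an ordinary workstation has no reason to wake a series of other machines.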

Opportunist Attackers

Denise Anderson, president and CEO of the Health Information Sharing and Analysis Center, tells Information Security Media Group that so far, she has "not heard much chatter" about the LockBit 2.0 or BlackMatter ransomware gangs targeting H-ISAC's healthcare sector member organizations.

"What's interesting is that many of these ransomware families are just reiterations of something that has happened in the past," she notes.

"But many of these ransomware families, to some extent, are opportunist and are going after low-hanging fruit, and I certainly see reports of organizations that have encountered the ransomware and have been attacked. But I haven't seen much of healthcare in the mix."

Preventative Steps

HC3 advises that healthcare sector entities can take several actions specifically to help prevent LockBit ransomware attacks.

Those actions include:

  • Monitoring for, and alerting on, the anomalous execution of legitimate Windows command line tools, such as the use of net.exe, taskkill.exe, vssadmin.exe and wmic.exe;
  • Making use of network segregation to limit communications between nodes, especially endpoints, to provide damage limitation and limit the propagation of threats.
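The first recommendation above only works if "anomalous" is defined concretely. The following is an added example, not code from the HC3 advisory, of detection logic that does so over process-creation records: it watches the four tools named above, raises a high-severity alert when any of them is invoked with shadow-copy deletion arguments, and a medium-severity alert when one is launched from a parent process that is not an interactive administrator shell. The log format (pipe-separated timestamp, host, user, parent image, image, command line) and the sample records are constructed, standing in for Sysmon Event ID 1 or Windows Security Event 4688 after normalisation by a SIEM; the parent allow-list is an assumption to be tuned per environment.

```python
"""Detection logic for anomalous execution of built-in Windows command-line
tools (net.exe, taskkill.exe, vssadmin.exe, wmic.exe).

Added example, not from the HC3 advisory. The log format is a constructed
pipe-separated process-creation record:
    timestamp|host|user|parent image|image|command line
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

WATCHED_TOOLS = {"net.exe", "net1.exe", "taskkill.exe", "vssadmin.exe", "wmic.exe"}

# Assumption: parents from which an administrator at a console normally runs
# these tools. Anything else (Office apps, binaries in a user's Temp folder,
# unknown services) is treated as unexpected.
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe", "conhost.exe"}

# Command-line patterns with no routine use on a workstation; destroying
# restore points is typical ransomware staging before encryption.
HIGH_RISK_PATTERNS = [
    (re.compile(r"\bdelete\s+shadows\b", re.I), "shadow copy deletion via vssadmin"),
    (re.compile(r"\bshadowcopy\s+delete\b", re.I), "shadow copy deletion via wmic"),
]


@dataclass
class ProcessEvent:
    timestamp: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Alert:
    severity: str  # "high" or "medium"
    reason: str
    event: ProcessEvent


def parse_event(line: str) -> Optional[ProcessEvent]:
    """Split one record into its six fields; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6:
        return None
    return ProcessEvent(*parts)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. '...\\wbem\\WMIC.exe' -> 'wmic.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcessEvent) -> Optional[Alert]:
    """Apply the rules to a single event; None means nothing to report."""
    image = basename(ev.image)
    if image not in WATCHED_TOOLS:
        return None
    for pattern, label in HIGH_RISK_PATTERNS:
        if pattern.search(ev.cmdline):
            return Alert("high", label, ev)
    parent = basename(ev.parent)
    if parent not in EXPECTED_PARENTS:
        return Alert("medium", f"{image} launched from unexpected parent {parent}", ev)
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run the rules over a stream of records, skipping malformed ones."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        alert = evaluate(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample records: a routine admin command, a WMI call spawned by
# Word, shadow-copy deletion from a Temp-folder binary, a routine taskkill,
# an unrelated process, and one malformed line.
SAMPLE_LOG = [
    "2021-10-05T09:12:01Z|WS-0412|CORP\\jsmith|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\net.exe|net view \\\\fileserver01",
    "2021-10-05T09:14:37Z|WS-0412|CORP\\jsmith|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic os get caption",
    "2021-10-05T09:15:02Z|WS-0412|CORP\\jsmith|C:\\Users\\jsmith\\AppData\\Local\\Temp\\update.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet",
    "2021-10-05T10:02:44Z|SRV-BKP01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\taskkill.exe|taskkill /im agent.exe",
    "2021-10-05T10:03:10Z|WS-0412|CORP\\jsmith|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt",
    "garbage line without the expected fields",
]


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity.upper()}] {a.event.host} {a.event.user}: {a.reason} ({a.event.cmdline})")
```

Two design points carry over to a production rule. First, the parent-process allow-list will need additions for legitimate automation (backup agents do run vssadmin) or the medium-severity rule will be noisy; tune it from a baseline rather than loosening the high-severity rule. Second, the high-risk patterns match on arguments, not on the image name, so an attacker renaming the binary is still caught, while the image check is what keeps the rule from firing on every process.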

HC3 notes that more general efforts that healthcare sector entities can make to help prevent ransomware attacks overall include:

  • Maintaining offline, encrypted backups of data and regularly testing backups;
  • Creating, maintaining and exercising a cyber incident response plan, resiliency plan and associated communications plan;
  • Mitigating internet-facing vulnerabilities and misconfigurations;
  • Reducing the risk of phishing emails reaching end users.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
