#BHUSA: Ransomware Drill Targets Healthcare in Operation 911

Summary: A ransomware tabletop exercise conducted at Black Hat USA 2024 focused on the healthcare sector, simulating a high-stakes attack against a fictitious hospital to highlight vulnerabilities and response challenges. The exercise involved key stakeholders and aimed to address the increasing threat of ransomware incidents, particularly following the attack on Change Healthcare.

Threat Actor: BlackCat/ALPHV gang
Victim: Change Healthcare

Key Points:

  • The tabletop exercise simulated a ransomware attack on Sunshine Healthcare, emphasizing the critical decisions healthcare providers must make under pressure.
  • Participants included healthcare representatives who experienced real cyber incidents, highlighting the importance of learning from past attacks.
  • Negotiations with ransomware gangs are complex, as organizations must balance urgency with the need for thorough investigation to prevent future attacks.
  • Experts recommend against direct communication with attackers, advocating for the use of third-party negotiation services.

Las Vegas law enforcement, the FBI and Semperis conducted a ransomware tabletop exercise targeting the healthcare sector at Black Hat USA 2024 to address the rising threat of attacks like the one on Change Healthcare.

The exercise focused on the healthcare sector, which has been subject to a swathe of ransomware attacks in recent months and involved some of Semperis’ customers in the sector.

Notably, the cyber-attack against Change Healthcare led to delays in prescription services across the US and saw millions of individuals’ personal data breached.

During the tabletop, a red team launched a high-stakes ransomware attack against a fictitious hospital, dubbed Sunshine Healthcare. The aim of the simulated attack was to disrupt patient services to the extent that the hospital had no option but to pay the ransom.

In the scenario, an executive’s privileged credentials were compromised via social media and combined with existing internal vulnerabilities in the network, allowing the attacker to gain access, live off the land and then exploit further vulnerabilities.

Included in the teams were healthcare representatives who had previously suffered real-life incidents.

Marty Momdjian, Executive VP of Services at Semperis, told Infosecurity about the scenario carried out during Operation 911.

“For healthcare, when there is an adversary in the network, decisions have to be made instantly, but they can’t be executed instantly because of the level of approval needed from clinicians,” Momdjian explained.

“You cannot stop clinical care for patients so things take time. The biggest takeaway from the red team was that the blue team can spend all the time, energy and money trying to protect every little thing but all the red team has to do is find one little hole,” he said.

While this was a simulation, we know that oftentimes healthcare services have little choice but to pay as incidents threaten the lives of patients.

Negotiations with Ransomware Gangs

Following the Change Healthcare incident, it was confirmed that parent company United Healthcare paid a $22m ransom to cybercriminals in the BlackCat/ALPHV gang.

Speaking to Infosecurity, Jeff Wichman, the director of incident response at Semperis and a previous ransomware negotiator, said, “Each organization has its own risk tolerance on whether it is willing or not willing to pay. Really it comes down to a couple of factors: what data the attackers have, and, in a healthcare situation, whether someone’s life is on the line. I think the attackers know that and will use it to their advantage.”

Wichman, a previous ransomware negotiator at Palo Alto, said the goal behind negotiations is to delay; however, a healthcare organization may want to resolve the issue quickly.

“This may be detrimental because if they do not investigate how the attacker got in, they could come back,” he noted.

He noted that third-party services should be used when entering negotiations with an attacker.

“I do not recommend any organization communicate with an attacker directly. Period,” Wichman said.

Source: https://www.infosecurity-magazine.com/news/ransomware-drill-healthcare