Who Hacked Henry Schein? BlackCat – A Russian-Speaking Ransomware-as-a-Service Criminal Ring


In October 2023, multinational healthcare solutions provider Henry Schein made a shocking admission. Earlier in the month, the BlackCat (ALPHV) ransomware gang had attacked the healthcare giant’s systems. The gang later claimed to have stolen dozens of terabytes of data, including payroll data and shareholder information.

Scrambling to respond, Henry Schein promptly took certain systems offline, hoping to contain the incident. Temporary disruption ensued, and law enforcement agencies were informed.

The attack is part of a growing trend. According to PBS, ransomware attacks are “on the rise,” and healthcare in particular is a prime target. One study found that ransomware attacks exposed the personal health information (PHI) of roughly 42 million patients between January 2016 and December 2021.

In this article, we explore the Henry Schein attack, asking who BlackCat is, what they did, and how you can protect yourself from similar cybersecurity attacks. If it can happen to one of the biggest healthcare companies, it can happen to you.


What is BlackCat Ransomware?

The question isn’t what, but who. First detected in late 2021, BlackCat, also known as ALPHV or Noberus, is a sophisticated strain of ransomware built to infiltrate corporate networks, identify valuable data, exfiltrate it, and hold the company to ransom.

Like good old-fashioned blackmail, the hackers threaten to release the stolen data unless their ransom is paid. However, it’s not sordid secrets being ransomed but patient health information (PHI) and internal company records.

Behind the BlackCat ransomware is the Russian-speaking cybercrime group ALPHV. The malware is written in Rust, a relatively young programming language known for its performance and memory safety, and it can compromise both Windows and Linux-based systems.

BlackCat operates as ransomware-as-a-service (RaaS): the core group develops and maintains the malware and its leak site, while affiliates carry out the intrusions and split the proceeds. Victims face what is often called triple extortion. Unless they pay, the group threatens that:

  • It won’t decrypt the encrypted files.
  • It will publish the stolen data.
  • It will launch a distributed denial of service (DDoS) attack against the organization’s public-facing systems.

The group has been wildly successful. Between November 2021 and September 2022, BlackCat compromised the networks of an estimated 200 enterprise organizations, most of them in financial services, manufacturing, legal, healthcare, and professional services. However, the group will target anyone.

BlackCat and Henry Schein: What Happened?

On October 15, 2023, Henry Schein disclosed publicly that it had taken certain systems offline and enacted other precautionary measures in response to a ransomware attack. A day earlier, IT specialists at the global healthcare giant had identified that a portion of its manufacturing and distribution businesses was experiencing a cybersecurity incident.

Thanks to this immediate action, the company was able to contain the attack to those business units; its practice management software, for instance, was unaffected.

The Scale of the Damage

Regardless, the attack did significant damage, not just to Henry Schein’s internal IT systems but also to the company’s reputation. More than a week after the attack, the healthcare services provider was still asking clients to place orders only through a Henry Schein representative or via dedicated telesales phone numbers, because the affected systems remained offline.

Henry Schein is by no means a small fry in the sector. With more than 23,000 team members worldwide, it’s a Fortune 500 company with operations in 32 countries and revenue of over $12 billion in 2022. Such a large organization is a major target, but it is also expected to have robust cybersecurity in place. Yet, despite its immediate response, the attack was devastating.

Another Company Scalped

Two weeks after the attack, BlackCat/ALPHV added Henry Schein to its dark web leak site, boasting that it had breached the network and stolen 35 TB of sensitive files.

The gang also claimed it had encrypted the company’s devices as negotiations between the two parties stalled, timing this for when Henry Schein had almost finished restoring its systems. In a statement, the criminal gang said:

“Despite ongoing discussions with Henry’s team, we have not received any indication of their willingness to prioritize the security of their clients, partners, and employees, let alone protect their own network.”

As a result, some internal payroll data and shareholder folders were published. They were subsequently removed from the leak site, which suggests some agreement between the two parties and led to speculation that Henry Schein paid the ransom; the company did not confirm this.

How BlackCat Works

BlackCat is highly effective. Compared with earlier ransomware families, it has proven a more dangerous and insidious threat. That doesn’t mean it’s unstoppable, however. By understanding how the malware and its operators work, companies can identify weaknesses in their own security architecture and take appropriate action.

Here’s how BlackCat functions:

  1. Initial Access. Before BlackCat can be deployed, its operators need a way in. They obtain credentials through phishing, brute force, or purchase from initial access brokers, then use them to log in to exposed Remote Desktop Protocol (RDP) services and Virtual Private Network (VPN) gateways. This is the dent in the armor. The affiliates also exploit published vulnerabilities in internet-facing systems, such as CVE-2019-7481.
  2. Establishing Control. Once inside, the operators set up reverse SSH tunnels to BlackCat-controlled command-and-control (C2) infrastructure. From this point the intrusion is human-operated, command-line driven, and highly configurable.
  3. Lateral Movement and Data Targeting. Like a burglar who has got past the front door, the attackers then explore. Using compromised Active Directory user and administrator accounts together with tools like PsExec, they move from system to system, looking for sensitive files to exfiltrate and encrypt.

The primary payload is noteworthy for being the first ransomware family written in Rust. Because Rust compiles to native code on many platforms, the operators can build payloads for several versions of Windows (XP and later, including Windows 11), Windows Server 2008 and later, Debian and Ubuntu Linux, the ESXi virtualization hypervisor, and certain network-attached storage products such as ReadyNAS and Synology.

Worse, because BlackCat affiliates can enter through several different routes, organizations cannot focus their defenses on a single entry point. Think of your security as a castle: usually the gatehouse is the weak spot, so defenders concentrate there. By opening other gateways into the network, BlackCat scatters the defenders’ attention and makes entry easier.

Such variation markedly raises an organization’s risk of encountering BlackCat and limits what any single defensive measure can achieve. As Microsoft put it, “…no two BlackCat ‘lives’ or deployments might look the same.”

Identifying a BlackCat Ransomware Attack

As the Henry Schein incident showed, the earlier you can identify a ransomware attack and cut off lateral movement, the better. Companies can then rapidly shut down systems and restrict access to valuable or sensitive data.

The tell-tale signs that an attack is underway are called indicators of compromise (IOCs). These include file hashes, command-and-control (C2) IP addresses, and other markers released by the FBI to aid defenders.

Some common signs of a BlackCat ransomware attack include:

  • Unusual Remote Access Activity: Noticeable increase in Remote Desktop Protocol (RDP) or Virtual Private Network (VPN) logins, possibly from unfamiliar locations or at odd hours.
  • Network Lateral Movement: Indications of internal network scanning or unauthorized access to sensitive areas, especially Active Directory accounts.
  • Command-Line Anomalies: Unusual command-line activity or scripts running, indicative of human-operated, command-driven attack processes.
  • Unexpected File Encryption: Discovery of encrypted files with unfamiliar extensions or ransom notes appearing in directories.
  • Data Exfiltration Symptoms: Unusual outbound network traffic suggesting large volumes of data being sent to unknown external IP addresses.
  • System Slowdown or Failures: Sudden slowdown or failure of systems and applications, possibly due to encryption processes running in the background.
  • Security Software Tampering: Signs of disabled or bypassed antivirus and other security software.
  • Suspicious SSH Traffic: Evidence of reverse SSH tunnels or other unexpected SSH connections leaving the network.
  • Intrusion Alerts: Security system alerts indicating unauthorized access attempts or exploitation of known vulnerabilities (e.g., CVEs).
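To make the attack chain and the indicators above concrete, here is an added example (not code from the article, the FBI, or Microsoft) of a small Python triage script that applies the detections in the list above to a handful of constructed log lines. The log format, the business-hours window, the trusted countries, the internal address range, and the 1 GiB exfiltration threshold are all assumptions to tune for your own environment; the ransom-note file naming pattern comes from public reporting on BlackCat and should likewise be treated as an assumption and checked against current IOCs.

```python
"""Triage constructed log lines for the BlackCat attack stages and indicators
discussed above. Added example; the log format and thresholds are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime

# --- Assumptions (tune for your environment) ---
BUSINESS_HOURS = range(7, 19)                    # 07:00-18:59 UTC counts as normal
TRUSTED_GEOS = {"US"}                            # countries your staff log in from
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXFIL_BYTES = 1 * 1024 ** 3                      # >1 GiB to one external host is suspect
# Ransom-note naming pattern reported publicly for BlackCat; treat as an assumption.
RANSOM_NOTE = re.compile(r"RECOVER-[A-Za-z0-9]+-FILES\.txt$", re.IGNORECASE)

# Constructed sample log, "<ISO timestamp> key=value ..." (not real telemetry).
SAMPLE_LOG = [
    r"2023-10-14T03:12:44Z host=vpn-gw evt=vpn_login user=jdoe src=203.0.113.45 geo=RO result=success",
    r"2023-10-14T03:15:02Z host=ws-042 evt=4624 logon_type=10 user=jdoe src=10.0.5.12",
    r"2023-10-14T09:30:00Z host=ws-017 evt=4624 logon_type=2 user=asmith src=10.0.5.30",
    r"2023-10-14T03:20:10Z host=dc01 evt=7045 service=PSEXESVC image=C:\Windows\PSEXESVC.exe",
    r"2023-10-14T03:25:00Z host=fs01 evt=net_conn proto=tcp dst=198.51.100.7 dport=22 bytes_out=4096",
    r"2023-10-14T03:40:00Z host=fs01 evt=net_conn proto=tcp dst=198.51.100.9 dport=443 bytes_out=5368709120",
    r"2023-10-14T10:05:00Z host=fs01 evt=net_conn proto=tcp dst=10.0.8.20 dport=22 bytes_out=2048",
    r"2023-10-14T04:01:33Z host=fs01 evt=file_create path=\\fs01\share\RECOVER-abcd1234-FILES.txt",
    r"2023-10-14T04:02:00Z host=fs01 evt=service_stop service=WinDefend",
]


@dataclass(frozen=True)
class Finding:
    stage: str    # which step of the BlackCat chain the indicator belongs to
    host: str
    detail: str


def parse(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict; 'ts' becomes a datetime."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(lines: list) -> list:
    """Return one Finding per suspicious line, in log order."""
    findings = []
    for line in lines:
        f = parse(line)
        host, evt = f["host"], f["evt"]
        # 1. Initial access: VPN or RDP (4624, logon type 10) logons at odd hours
        #    or from countries your staff do not work from.
        if evt == "vpn_login" or (evt == "4624" and f.get("logon_type") == "10"):
            odd_hour = f["ts"].hour not in BUSINESS_HOURS
            bad_geo = f.get("geo", "US") not in TRUSTED_GEOS
            reasons = [r for r, hit in (("off-hours", odd_hour), ("untrusted location", bad_geo)) if hit]
            if reasons:
                findings.append(Finding("initial-access", host, f"{evt} by {f['user']}: {', '.join(reasons)}"))
        # 3. Lateral movement: PsExec installs its service (event 7045) on each target.
        elif evt == "7045" and "PSEXESVC" in f.get("service", "").upper():
            findings.append(Finding("lateral-movement", host, "PsExec service installed"))
        # 2. C2 and exfiltration: SSH to external hosts, or large outbound transfers.
        elif evt == "net_conn" and not is_internal(f["dst"]):
            if f.get("dport") == "22":
                findings.append(Finding("c2-ssh", host, f"outbound SSH to {f['dst']}"))
            if int(f.get("bytes_out", 0)) > EXFIL_BYTES:
                findings.append(Finding("exfiltration", host, f"{f['bytes_out']} bytes to {f['dst']}"))
        # Impact and defense evasion: ransom note dropped, security tooling stopped.
        elif evt == "file_create" and RANSOM_NOTE.search(f["path"]):
            findings.append(Finding("encryption", host, f"ransom note {f['path']}"))
        elif evt == "service_stop" and f.get("service") in {"WinDefend", "Sense"}:
            findings.append(Finding("defense-evasion", host, f"{f['service']} stopped"))
    return findings


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(f"[{hit.stage:16}] {hit.host:8} {hit.detail}")
```

In a real deployment these rules would sit in your SIEM rather than a script, but the ordering matters the same way: the first two findings (an off-hours VPN login from an unexpected country, then an RDP logon with the same account) arrive before any encryption, which is the window in which isolating the account and host keeps the incident small.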

Fail to spot these signs early and the attackers have longer inside your network. That means more PHI is stolen or encrypted, and the final ransom demand grows. Henry Schein may still have paid some form of ransom, but because the attack was detected early, the cost was likely mitigated.

Cybersecurity: Preventing a Ransomware Attack

Think you’re safe from a ransomware attack? You’re wrong. No matter how small you are, you’re at risk. Any healthcare or dental provider can be compromised, and once one system is compromised, every credential and password stored or reused on it is compromised too.

So, are we entering a new age of piracy? Are we simply easy targets for cybercriminals?

Absolutely not. Even for smaller healthcare and dental practices, preventing a ransomware attack, even one as sophisticated as BlackCat, is possible. The most effective defense for a small practice is to outsource its cybersecurity: a small in-house IT team is unlikely to provide the level of security needed, whereas a professional, experienced cybersecurity agency has the expertise and tooling to defend your systems.

Nonetheless, there are some simple proactive and reactive strategies you can employ. These include:

Proactive Measures

  1. Strengthen Credential Security. Since BlackCat relies on weak or stolen credentials, enforcing strong password policies and multi-factor authentication (MFA) closes off its most common entry point. MFA, in particular, should be required for Remote Desktop Protocol connections, VPNs, and other critical access points. Prefer phishing-resistant MFA (hardware security keys or passkeys) over SMS codes or push prompts, since an attacker who already holds a password will also try to talk the user into approving a prompt.
  2. Regularly Update and Patch Systems. Sometimes, dental practices ignore the simplest things. Keeping all systems and software updated with the latest patches is the absolute minimum. Prioritize internet-facing systems such as VPN gateways, remote access servers, and firewalls, because published vulnerabilities in exactly those products are what BlackCat affiliates exploit for initial access.
  3. Segment Network Access: Network segmentation limits the lateral movement capability of ransomware. By segmenting networks and restricting access to sensitive areas, you can contain the spread of an infection.
  4. Employee Education and Awareness. Sadly, people are the biggest weakness in any organization. Opening a phishing email or giving up credentials allows cybercriminals to access your data. Training staff to recognize phishing attempts and suspicious activities prevents initial entry points for ransomware. And, if BlackCat cannot gain access, it cannot begin lateral movement.
  5. Robust Backup Security. Many ransom demands carry weight because the group has encrypted valuable PHI and paying looks like the only way to get it back. Unless, of course, you have regular, secure, and tested backups. This is your safety net. Keep at least one copy offline or on an isolated, immutable store so it cannot be encrypted along with production systems, and rehearse restores so you know they work. Bear in mind that backups defeat the encryption threat but not the leak threat: BlackCat exfiltrates data before encrypting it, so preventing exfiltration still matters.
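One concrete way to make “tested backups” real, as an added example that is not part of the original article or any vendor’s tooling: record a SHA-256 manifest of the backup set when it is taken, keep that manifest somewhere the backup host cannot write to, and verify the copy against it before you ever need to restore. The directory layout, file names and the simulated attack below are constructed for the example.

```python
"""Backup integrity manifest (added example, not Henry Schein's or anyone's real
tooling): hash a backup set, store the manifest elsewhere, and verify the copy
before you rely on it. Names and the scenario below are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (relative POSIX path) under root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup tree against a trusted manifest. Returns {path: status}.
    'modified' is what an encrypted backup looks like; 'unexpected' catches
    files an intruder dropped, such as a ransom note."""
    current = build_manifest(root)
    status = {}
    for rel, digest in manifest.items():
        if rel not in current:
            status[rel] = "missing"
        elif current[rel] != digest:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    for rel in current.keys() - manifest.keys():
        status[rel] = "unexpected"
    return status


def demo() -> dict:
    """Constructed scenario: a clean backup, then the same tree after ransomware
    reaches the backup share. The manifest was taken before the damage."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "patients").mkdir(parents=True)
        (backup / "patients" / "records.db").write_bytes(b"patient records (constructed)")
        (backup / "schedule.csv").write_text("2023-10-14,cleaning,room 2\n")
        (backup / "notes.txt").write_text("constructed, left untouched\n")
        manifest = build_manifest(backup)   # in practice: signed and stored off this host

        # Simulate the attack: one file overwritten with ciphertext-like bytes,
        # one deleted, one ransom note added.
        (backup / "patients" / "records.db").write_bytes(os.urandom(64))
        (backup / "schedule.csv").unlink()
        (backup / "README-RESTORE.txt").write_text("pay us (constructed)\n")
        return verify_backup(backup, manifest)


if __name__ == "__main__":
    for path, state in demo().items():
        print(f"{state:10} {path}")
```

The check is only as trustworthy as the manifest: if it lives on the same share as the backup, an intruder with write access simply regenerates it after encrypting, so store it on a separate, write-once location (and sign it if you can). Run the verification on a schedule, not just before a restore, so a quietly encrypted backup is noticed while the production copy still exists.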

Reactive Strategies

  1. Immediate Isolation of Infected Systems. At the first sign of a BlackCat attack, disconnect the affected systems from the network to prevent further spread. This includes Wi-Fi, wired networks, and any storage devices.
  2. Activate Incident Response Plan. Implement your organization’s incident response plan, which should include containment, eradication, and recovery steps. Rapid response is crucial in limiting damage.
  3. Notify Law Enforcement. Among the first things Henry Schein did was to notify law enforcement. Not only do these organizations provide additional support, but they’re also critical in the larger fight against cybercrime.

Closing Thoughts

Henry Schein’s attack sent shockwaves through the healthcare industry. It was a stern reminder that anyone, even the giants, is vulnerable to a ransomware attack. Smaller healthcare groups and dental practices shouldn’t go it alone. Relying on a small in-house team won’t provide the level of cybersecurity necessary to ward off the latest hacks and attacks.

Remember, the moment your system is compromised, urgent action is required. However, with a proactive approach to password security and other system vulnerabilities, you can prevent attacks from occurring in the first place. Staying one step ahead isn’t just a strategy; it’s a necessity.

Sources:

https://www.bleepingcomputer.com/news/security/blackcat-ransomware-claims-breach-of-healthcare-giant-henry-schein/

https://investor.henryschein.com/news-releases/news-release-details/henry-schein-provides-information-cybersecurity-incident

https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/blackcat

https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/

https://www.techtarget.com/searchsecurity/feature/Ransomware-trends-statistics-and-facts

https://www.pbs.org/newshour/nation/why-ransomware-attacks-are-on-the-rise-and-what-can-be-done-to-stop-them

https://www.aha.org/news/headline/2023-02-28-hhs-releases-update-ransomware-threat-health-care-sector

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9856685/
