The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) issued an advisory this week regarding Everest, a ransomware-as-a-service (RaaS) group that targets the healthcare sector and is known to gain access to systems through compromised user accounts and common remote access tools.
“Another Russian-speaking ransomware group is targeting U.S. healthcare,” said John Riggi, AHA's national advisor for cybersecurity and risk. “Everest appears to have morphed into what we call an 'initial access broker,' meaning their role in the Russian underground ransomware economy is to initially gain unauthorized access to victim organizations through credential theft and other means, and then facilitate ransomware attacks. They then sell the unauthorized access to other gangs, who then carry out the ransomware attacks. Everest, like other gangs, has been noted to be using legitimate cybersecurity threat simulation tools such as Cobalt Strike to facilitate their attacks. Healthcare organizations are encouraged to set up network monitoring tools that alert for Cobalt Strike launches, implement the recommended mitigations included in the alerts, and implement voluntary healthcare cybersecurity performance targets.”
For more information on this or other cyber and risk issues, contact Riggi at [email protected]. For the latest cyber and risk resources and threat intelligence, visit aha.org/cybersecurity.