Norton Healthcare recently faced a cyber attack, which began when it received a suspicious message on May 9. After initial reports of a “cyber-incident”, it has now been confirmed that it was a ransomware attack by the ALPHV/BlackCat ransomware group. Screenshots of data leaked by the group showed that it had exfiltrated photos, millions of SSN records, records on 25,000 employees, clinical imaging data, and more. In a statement on its leak site, ALPHV claimed that Norton Healthcare executives and board members had not tried to protect the privacy of their clients and employees, and that they had made false statements in recent news. The ransomware group demanded a ransom payment and threatened to release the data if its demands were not met.
While the cyber attack was first announced on May 10 through Facebook, it was not until May 12 that Norton Healthcare confirmed it was indeed a cyber attack. The disrupted services included Norton eCare and Norton MyChart, the health system’s electronic medical records software. According to Norton Healthcare’s news release updated on May 24, same-day appointments for illnesses or minor injuries, emergency care, some procedures including exams and appointments, sharing of test results and images, prescription refills, and online payments through Norton MyChart were impacted by the attack.
Several patients spoke up about delayed healthcare services, reports, and results due to the attack. Despite this, Norton Healthcare has assured its community that its processes have changed so that care can continue. The healthcare provider serves nearly 600,000 patients a year across Louisville. It has $4.7 billion worth of assets, with five hospitals, eight outpatient centers, 18 urgent care clinics, and 289 doctor’s offices.
The ALPHV/BlackCat ransomware group is among the top three ransomware gangs by number of victims to date. The healthcare sector continues to be one of its preferred targets. In January, the Health Sector Cybersecurity Coordination Center of the US Department of Health and Human Services issued an alert about the BlackCat ransomware group’s operations in the healthcare sector, particularly its triple extortion tactic. This means that in addition to encrypting data and demanding a ransom, the group also threatens to leak the data and launch distributed denial-of-service attacks if the ransom is not paid.
BlackCat is believed to have emerged from DarkSide and BlackMatter, and is connected to former members of the REvil group. BlackCat has demanded ransom payments as high as $1.5 million, with affiliates retaining 80% to 90% of the extortion payments. The group frequently updates its tooling as its tools pass through testing and usage cycles, making it a dynamic and evolving threat. Security researchers have identified instances where BlackCat attackers have used a PowerShell command to download Cobalt Strike beacons on affected systems, as well as a penetration testing tool called Brute Ratel, which offers remote access features similar to Cobalt Strike. The encryption methods employed by BlackCat include ChaCha20 and AES, along with six encryption modes: Full, HeadOnly, DotPattern, SmartPattern, AdvancedSmartPattern, and Auto.
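The list of encryption modes above matters to defenders because a file that is only partially encrypted (only its head, or chunks spaced through the file) does not look encrypted to a whole-file entropy check, which is the heuristic many file-triage scripts rely on. The following is an added example, not code from the article or from any vendor tool: it scans a file in fixed-size chunks, computes Shannon entropy per chunk, and reports whether the high-entropy chunks cover the whole file, only its head, or an intermittent pattern. The mode names, chunk size and threshold are assumptions made for illustration (how the named BlackCat modes actually lay out encrypted regions is not described in the article), and the sample files are constructed in memory with seeded pseudorandom bytes standing in for ciphertext.

```python
import math
import random
from typing import Dict, List

# Assumed triage parameters (not from the article): 4 KiB chunks, and a
# chunk is "high entropy" when it exceeds 7.0 bits/byte. Ciphertext and
# compressed data sit close to the 8.0 bits/byte maximum; prose sits near 4-5.
CHUNK_SIZE = 4096
HIGH_ENTROPY_BITS = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[float]:
    """Entropy of each consecutive chunk; the last chunk may be short."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def classify_encryption_layout(data: bytes) -> str:
    """Describe where high-entropy regions sit in the file.

    Returns one of:
      'clean'        - no chunk looks encrypted
      'full'         - every chunk looks encrypted (or the file is compressed media)
      'head_only'    - a leading run of encrypted chunks, then plaintext
      'intermittent' - encrypted chunks interleaved with plaintext chunks
    """
    flags = [e >= HIGH_ENTROPY_BITS for e in chunk_entropies(data)]
    if not any(flags):
        return "clean"
    if all(flags):
        return "full"
    first_plain = flags.index(False)
    # Head-only: nothing after the first plaintext chunk is high entropy.
    if not any(flags[first_plain:]):
        return "head_only"
    return "intermittent"


def whole_file_looks_encrypted(data: bytes) -> bool:
    """The naive heuristic: one entropy value for the entire file."""
    return shannon_entropy(data) >= HIGH_ENTROPY_BITS


def build_samples() -> Dict[str, bytes]:
    """Constructed test files (not real data): repeated clinical-note text,
    with seeded pseudorandom bytes standing in for ciphertext."""
    rng = random.Random(7)
    text = b"Patient visit note: blood pressure normal, follow up in 6 weeks.  " * 270
    def noise(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))
    full = noise(len(text))
    head_only = noise(CHUNK_SIZE) + text[CHUNK_SIZE:]
    # Intermittent: replace chunks 0 and 2 with noise, leave the rest as text.
    chunks = [bytearray(text[i:i + CHUNK_SIZE]) for i in range(0, len(text), CHUNK_SIZE)]
    for idx in (0, 2):
        chunks[idx] = bytearray(noise(len(chunks[idx])))
    intermittent = b"".join(bytes(c) for c in chunks)
    return {"clean": text, "full": full, "head_only": head_only,
            "intermittent": intermittent}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:12s} whole-file flag={whole_file_looks_encrypted(blob)!s:5s} "
              f"layout={classify_encryption_layout(blob)}")
```

Running it shows the point: the whole-file check only fires on the fully encrypted sample, while the per-chunk layout check also separates the head-only and intermittent cases from clean text. In practice a 'full' verdict on its own is weak evidence, since compressed images and archives also score near 8 bits/byte; the stronger indicator is a high-entropy pattern in a file whose type (a text note, an uncompressed document) should be low entropy throughout, combined with the mass-rename or file-write telemetry an EDR already collects.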
The Norton Healthcare cyber attack is yet another reminder of the ongoing cyber threats faced by the healthcare industry. With sensitive personal and medical data, healthcare organizations have been a prime target for malicious actors. As threats continue to evolve, healthcare providers need to prioritize the security of their systems and data to prevent similar attacks in the future.