The Breach Report: February 28, 2024

FBI warns U.S. Healthcare industry about ALPHV ransomware

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

FBI Warns U.S. Healthcare of Escalating Ransomware Attacks

FBI Warns U.S. Healthcare of Escalating Ransomware Attacks

The FBI warns the U.S. healthcare industry of escalating cyberattacks from the ALPHV Blackcat ransomware group.

The Federal Bureau of Investigation (FBI) warns the U.S. healthcare industry of escalating ransomware attacks in a new joint advisory with the Cybersecurity & Infrastructure Security Agency (CISA) and Department of Health and Human Services (HHS). The advisory provides new, known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) of the ALPHV Blackcat Ransomware-as-a-Service (RaaS) group.

ALPHV responsible for UnitedHealth cyberattacks

The warning comes as the U.S. healthcare industry remains disrupted for over a week after cyberattacks and a breach into UnitedHealth and its subsidiaries’ electronic data interchange (EDI) clearinghouse. The attacks have forced many individuals needing prescription refills to pay out of pocket, seek a different pharmacy, or be left without their prescriptions as pharmacies remain unable to process insurance claims.

Since the initial disruption of the UnitedHealth systems, ALPHV has now been attributed to the cyberattacks. Initially, the attacks were thought to have been a nation-state actor. Google Mandiant cybersecurity specialists have since been hired to investigate the breach.

According to the advisory, the updated IOCs and TTPs contain threat intelligence as recent as this month. The IOCs are available in XML and JSON formats for customers to use to help detect the ALPHV ransomware strains on their networks.

ALPHV gains access to target networks with legitimate remote access tools such as Ngrok. Once inside the target network, ALPHV employs cybersecurity tools such as Cobalt Strike and Brute Ratel C4 as beacons to command and control servers. They then use Evilginx2 to extract multifactor authentication (MFA) credentials, login credentials, and session cookies to hijack.

Typically, ALPHV evades detection by using whitelisted applications such as Metasploit. Logs are then purged from the domain controller. Cloud-hosted storage providers such as or Dropbox are used to exfiltrate valuable target data. Finally, ransomware is deployed on the target network, and a ransomware note is left with instructions to pay to recover access and decrypt the files.

Access the joint agency advisory with access to IOCs and TTPs using the MITRE ATT&CK framework for the complete documentation.

ALPHV remains resilient, with U.S. Government offering millions for arrests

Since December 2023, ALPHV has claimed over 70 victims and leaked their data to the public. The U.S. healthcare industry remains their top target, likely due to the complexity, sensitivity, and ease of breaching these networks.

The FBI had attempted to disrupt and dismantle the entire ALPHV Blackcat ransomware gang back in December 2023. But similar to the LockBit ‘Operation Cronos’ effort, ALPHV has proved resilient.

The U.S. Department of State is now offering up to $15 million for information leading to identifying or locating key leadership members of the ALPHV Blackcat ransomware gang. Additionally, up to $5 million is available for information leading to the arrest or conviction in any country of any individual conspiring to participate in or attempting to participate in ALPHV/Blackcat ransomware activities.

Cybersecurity Headlines

New from our favorite blogs and journalists:

Cybersecurity Podcasts

New podcasts from some of our favorite cybersecurity/infosec personalities:

  • The Cyber Queens - LIVE E49 - Optimizing Your Layoff: Networking, Upskilling, and Mindset (Twitter/X)

  • The Darknet Diaries: Ep 17: Finn - A 14-year-old kid who finds himself bored in class decides to hack someone's Twitter account and ends up with more than he bargained for. (

  • The Phillip Wylie Show: Cathy Ullman - The Power of Active Defense. Cathy Ullman is known in the cybersecurity community as Investigator Chick. (YouTube)

  • Hacker Valley Media - The Future of Endpoint Threats and Why Zero Trust is the Only Option (Twitter/X)

  • Google Cloud Security Podcast - EP161 Cloud Compliance: A Lawyer - Turned Technologist! - Perspective on Navigating the Cloud (Google Cloud)

  • Defense Mavericks - Instilling AI Readiness Across Your Teams with Capt. Jonathan Haase (Apple Podcasts)

How did you like this issue of The Breach Report?

Login or Subscribe to participate in polls.

Until next time…

Rob Waters
Founder, The Breach Report + Cybersecurity Careers Blog

Join the conversation

or to participate.