Ransomware operation AlphV/BlackCat has filed a U.S. Securities and Exchange complaint against one of its alleged victims, MeridianLink, for allegedly failing to comply with the four-day rule to disclose a cyberattack. AlphV/BlackCat listed the software company on its data leak with a threat that it would leak allegedly stolen data unless a ransom is paid within 24 hours. MeridianLink provides digital solutions for financial organizations such as banks, credit unions and mortgage lenders.

Washington CNN  —  A cyberattack that diverted ambulances from hospitals in East Texas on Thanksgiving Day is more widespread than previously known and has also forced hospitals in New Jersey, New Mexico and Oklahoma to reroute ambulances, hospital representatives told CNN on Monday. All of the affected hospitals are owned, or partly owned, by Ardent Health Services, a Tennessee-based company that owns more than two dozen hospitals in at least five states. Among the hospitals currently unable to accept ambulances are a 263-bed hospital in downtown Albuquerque, New Mexico; a 365-bed hospital in Montclair, New Jersey; and a network of several hospitals in East Texas that serve thousands of patients a year. It’s just the latest example of how the scourge of ransomware – which locks computers so hackers can demand a fee – has disrupted services at health care providers throughout the coronavirus pandemic. In a statement Monday, Ardent Health Services confirmed that a ransomware attack caused the disruption and that its facilities were “diverting some emergency room patients to other area hospitals until systems are back online.” Hospital facilities were also forced to reschedule some non-emergency surgeries. Patient care “continues to be delivered safely and effectively in its hospitals, emergency rooms, and clinics,” Ardent Health said on Monday. A nurse working at one of the affected New Jersey hospitals told CNN that staff rushed “to print out as much patient information as we could” as it became clear that the hospital was shutting down networks because of the hacking incident. “We are doing everything on paper,” said the nurse, who spoke on condition of anonymity because they were not authorized to speak to reporters. “Everything becomes a lot slower,” the nurse said, referring to the reliance on paper, rather than computers, to track things like lab work for patients. “We drill on that a few times a year, but it still sucks.” Chiara Marababol, a spokesperson for two New Jersey hospitals – Mountainside Medical Center and Pascack Valley Medical Center – affected by the hack, said the hospitals continue to care for patients in emergency rooms. “[H]owever, we have asked our local EMS systems to temporarily divert patients in need of emergency care to other area facilities while we address our system issues,” Marababol told CNN in an email. Officials with the federal US Cybersecurity and Infrastructure Security Agency (CISA) reached out to Ardent Health Services on November 22, the day before Thanksgiving, to warn the company of malicious cyber activity affecting its computer systems, a person familiar with the matter told CNN. Ardent Health spokesperson Will Roberts confirmed CISA officials contacted the company “to make us aware of information about suspicious activity in our system.” But that was after Ardent Health detected “an anomaly” on its computer systems on November 20 and “engaged additional external cybersecurity resources to investigate,” Roberts told CNN. On Thanksgiving Day, Ardent Health realized it was ransomware. A CISA spokesperson referred questions about the communications to Ardent Health. The outreach to Ardent Health was part of a program CISA began this year to try to warn organizations in critical industries that they risk falling victim to ransomware attacks unless they take defensive measures. CISA officials claim to have thwarted numerous ransomware attacks through the program. The broad fallout from the Ardent Health hack shows how cyberattacks that hit a parent company or key service provider can have cascading impacts on critical infrastructure operators such as hospitals. Cybercriminals, often based in Eastern Europe or Russia, have throughout the coronavirus pandemic repeatedly disrupted healthcare organizations across the US, locking computers and demanding a ransom. Many of the hacks have hit smaller health clinics that are ill-equipped to deal with the threat. And in the last nine months alone, other cyber attacks have resulted in ambulances being diverted from hospitals in Connecticut, Florida, Idaho and Pennsylvania. A 2021 study by CISA specialists found that a ransomware attack can hinder patient care and strain resources at a hospital for weeks, if not months.

Ransomware is a major threat today, and it can be particularly harmful when it targets data backups. Offline backups are one method IT administrators lean on to protect against ransomware. Offline backups are stored on an isolated storage infrastructure that is disconnected from production applications and infrastructure, as well as from the primary backup environment. The result is an air-gapped backup copy that businesses can use for recovery in the event that the primary backup copy becomes compromised. Historically, an offline backup environment would be a good fit for data that requires less frequent access, such as long-term retention data, and data that is less business-critical. However, the simultaneous rise of cyber attacks and introduction of data privacy legislation have led to an increase in offline backups for mission-critical, frequently accessed data. While offline backup ransomware protection is an effective option, it is a complex process. Offline backups play a role in ransomware protection, and there are numerous paths to get there. Before deciding to use offline backups for ransomware protection, organizations must consider some key factors. The backup method's practicality, cost, effectiveness and ability to meet recovery objectives are critical to keep in mind. The longstanding approach to creating an offline backup environment is shipping backup copies to an off-site, disconnected tape storage location. Offline backup can be a complex and slow process The longstanding approach to creating an offline backup environment is shipping backup copies to an off-site, disconnected tape storage location. The problem with this approach is that today's IT operations teams are understaffed and significantly strapped for time, particularly in the area of cybersecurity. Many simply do not have the cycles to deploy and manage yet another infrastructure -- especially considering that the isolated infrastructure will require manual software updates to avoid security vulnerabilities.Another backup environment to protect and pay for A potential pitfall of these alternatives is infiltration of the isolated environment. As a result, the environment must be closely audited for network isolation, control over when the network connection is open, and role-based access to and control over the network and vault environment. In addition, IT operations staff must look for an option that has data immutability and indelibility. Immutability renders the backup copy read-only, so no one can make unapproved changes to the data. Indelibility inhibits the backup copy from being deleted before the conclusion of a dedicated hold period. These safeguards help protect against data exfiltration and corruption in the event that a malicious actor is able to access the isolated environment.Be aware of offline backup window and recovery time For any implementation, admins must consider the backup window. They must know how long it will take to complete the backups, as well as any potential lags or gaps between backup jobs. This fundamentally affects the business's ability to meet required recovery points. Also important to factor in is the required recovery time. Both the backup window and recovery time are largely dependent on the frequency and size of backups jobs, as well as how much data the organization backs up. VIDEO Can cloud backups be offline? New options are emerging that offer an operational isolation, such as hosting the data off site in the cloud or through a service provider. These methods require a network connection to production-facing portions of the environment in order to transfer the backup copy to the isolated environment. There are a few drawbacks to using the cloud for offline data backups. Since it is isolated, but not completely offline like tape libraries, the cloud is easier for a ransomware attack to reach. In addition, any cloud-hosted option is potentially subject to egress fees when data is recovered. This is important for IT operations staff to be aware of upfront because it is potentially a very expensive factor to overlook. Krista Macomber, senior analyst at Futurum Group, writes about data protection and management for TechTarget's Data Backup site. She previously worked at Storage Switzerland and led market intelligence initiatives for TechTarget.

As our society transforms into a more connected world, an essential component of this shift is the need for safe and secure driving experiences on our roads. The recent hacking of a Tesla in under two minutes by France security firm Synacktiv demonstrates how serious a concern this is—attackers were able to breach the cyber controls of the vehicle to carry out a number of malicious acts, including opening the trunk of the vehicle while in motion and accessing the infotainment system.As more connected and autonomous vehicles (CAVs) and electric vehicles (EVs) hit the market, it is clear that manufacturing speed is outpacing security measures. The cybersecurity of vehicles is often overlooked in the auto rollout, even though the connected nature of modern vehicles makes them susceptible to hacking and other cyber challenges.The cybersecurity of a vehicle is vital—without it, serious injuries or even fatalities can occur. Imagine the above Tesla scenario but worse—a hacker takes control over the car and locks the doors while speeding up the vehicle on a highway. The driver or passenger of the car then gets a notification on his mobile phone asking for a ransomware in bitcoins—otherwise the hacker will crash the vehicle into the side of the road.This is an extreme scenario, but such a Ransomware 2.0 incident is possible today. The big question is—Are we ready to enable incident management for such auto cyber challenges?Another complicated part of this challenge is that the cyber risk is carried by the owner or operator of either individual vehicles or perhaps an entire EV fleet. The fleet could be made up of cars, buses, or trucks, and the necessary cybersecurity controls must be in place to enable greater cyber hygiene of these vehicles. As EVs are computers on wheels, the potential for a distributed denial of service (DDoS) attack on multiple vehicles could disable an entire fleet of vehicles on our roads. Imagine hundreds of delivery or critical service vehicles out of service and those potential repercussions.Fleets also depend on other critical systems to work. An Idaho hospital cyberattack earlier this year, where ambulances were diverted to other hospitals, demonstrates just how important it is to secure the entire vehicle ecosystem and not just the vehicle itself. This attack also allows us to imagine how serious it would be if the reverse scenario was true—What if the ambulance fleet itself was rendered inoperable?If that's not enough, think about the fragile state of our current supply chain and all the issues it has faced since the pandemic. Now imagine if a cyberattack was responsible for an entire delivery fleet to stall. The supply chain and transportation infrastructure would be totally crippled, leading to major economic disruptions.It is important to highlight that these cyber challenges multiply manifold as trucking fleets move to autonomous trucks and lead to questions around legal liability in case of any cyber incident.Data collection cannot be overlooked either. CAV and EV data is rich in personally identifiable information (PII) and might also contain other sensitive information such as payment card information or commercial data (such as fleet tracking and performance). Data governance regulations need to be implemented to secure the transmission and storage of this data to ensure privacy and compliance to legal and contractual obligations.A close-up of a self-driving car.Smith Collection/Gado/Getty ImagesAlthough there are generic cybersecurity mandates in many countries, jurisdictions must legislate automotive cybersecurity specific legislations for cars operating on our roads. Countries are actively exploring the best ways to move forward with vehicle regulation—there has been emphasis on ensuring automotive manufacturers enable cybersecurity in all future models, however, with regard to operations of EVs, policies and best practices are still, slowly, being developed and legislated.One area where more focus is needed is from an owner/operator perspective, both for individual users and for fleet owners. As consumers, we are concerned about the safety features of our new vehicle, but we do not ask any questions about the cybersecurity level of the car. There is a need for user awareness of the ordinary consumer on the criticality of cybersecurity for the smooth operations of the modern vehicle.Fleet owners need to ensure they have effective cyber controls in place. They should have an asset inventory of all the software on their vehicles and ensure that they are aware of vulnerabilities and breaches for these software applications. Furthermore, they should carry out active cyber risk assessments for any third parties that develop vehicle software.Finally, they must carry out real-time cyber monitoring of the vehicles and ensure that incident management processes are in place to mitigate against any adverse cyber events. Only by proactively enabling this holistic cyber governance can these fleet owners survive in this brave new connected world.AJ Khan is the founder and CEO of Vehiqilla Inc and a Catalyst Industry Fellow at Rogers Cybersecure Catalyst, Toronto Metropolitan University's center for research, training, and innovation in cybersecurity.The views expressed in this article are the writer's own.

MGM's ransomware attack in September is expected to have $100 million negative impact for Q3 due to cleanup costs and lost business.

 Cybersecurity incidents continue to grab headlines this year, from the MOVEit file-transfer vulnerability to LockBit ransomware attacks.As the threat landscape has grown in recent years, healthcare organizations have increasingly felt its damaging impacts. In Germany, for instance, a 2020 ransomware attack on a hospital redirected a patient away from the nearest hospital, resulting in a fatal outcome.“Hospitals have historically been seen as out of scope for threat groups in the past,” says Anna Quinn, security analyst and penetration tester at Rapid7. “Ransomware as a Service is picking up. Threat groups are becoming much less discriminating about who they attack. We’re not safe in our bubble anymore.”Healthcare organizations must also prepare for more targeted attacks from nation-state actors and other politically motivated groups, she adds.What can healthcare organizations do to improve their cybersecurity strategies? One immediate step: Turn on multifactor authentication, which has also been recommended by the Cybersecurity and Infrastructure Security Agency during Cybersecurity Awareness Month. Rapid7’s 2023 Mid-Year Threat Review found that 39 percent of incidents observed by the company’s managed services team were from missing or careless MFA.Quinn spoke to HealthTech about the importance of network segmentation, how to take advantage of pen testing and how physical security is connected to cybersecurity.Click the banner to get the expertise you need to strengthen your ransomware protection. HEALTHTECH: What are areas of focus healthcare organizations can target immediately to bolster their security? What about areas that require long-term efforts?QUINN: For both the short and long term, asset inventory and management is going to be one of the most effective things that you can do as an organization to make sure that you are protected. It’s not just knowing what devices you have but knowing where the devices live, both physically and on the network; knowing how many you have; what operating systems or firmware they're running; and when they were last updated.This is an extensive project for a lot of hospitals. There’s a lot of gear shifting around all the time. All of this makes it incredibly tricky to track, and it makes asset inventory even more critical, because it can be so easy to lose track of what you have, and that can allow an attacker to potentially find untracked and unpatched devices and get further into the network.In the long term, I would suggest investing in strong network segmentation. As a security or network engineer entering a healthcare organization, you will often notice that the network doesn’t have a lot of strong segmentation, and in some cases you may inherit a network that requires a lot of updating. Unfortunately, there isn’t always the funding to support large-scale infrastructure revisions, which can really impact things long-term. It can be costly to get a network into a completely segmented and safe position. But that's one of the biggest contributors to making sure that you are going to be safe as an organization.Strong network segmentation can help mitigate the risks of any breaches that occur. With proper segmentation, for example, you can make sure that your dialysis machines are on their own network and segmented away from everything else. You can make sure that your lab equipment and similar devices are secured away, so that in the worst-case scenario, if you do get hit by ransomware, the ransomware will not deploy to those particular specific networks. That can save lives.DISCOVER: Answer your questions about identity-related vulnerabilities and segmentation.HEALTHTECH: Why should healthcare organizations conduct regular penetration testing? How should they approach pen testing? What are some common misconceptions?QUINN: Healthcare organizations should conduct regular pen testing to find and cut off any paths that an attacker might be able to find within their networks. More and more, it’s a prerequisite that we assume that a breach has already occurred in our organization, regardless of whether it was accomplished through phishing, an exploit or an insider threat. It becomes imperative that we address the network as though it has already been compromised and that we find out how an attacker could compromise further systems or cause damage to the environment through such access.One common misconception is that pen testing and vulnerability scanning are the same thing. The biggest differentiators that we have between pen testing and vulnerability scanning is that vulnerability scanning will find vulnerabilities within the network, but it won’t chain those together and create an attack path.Say that you have a server that has a known exploit against it: The pen tester could actually exploit that vulnerability, chain that with other discovered misconfigurations or vulnerabilities, and gain access to systems that you believed would be secured. Meanwhile, a vulnerability scan will simply tell you about that vulnerability. That’s why it's important to do pen testing: to see what additional compromise can happen should a system become compromised.It’s easy to review a vulnerability scan against our network and say that we’re all patched, we’re all up to date, we should be safe. But without that verification and manual testing, there could be additional vulnerabilities that an attacker can exploit to cause an extensive compromise of your environment. Active Directory in particular has quite a few misconfigurations and vulnerabilities that could lead to a compromise, and these don’t tend to be caught by the typical vulnerability scanner.Pen testers are there to help. Many businesses see preparing for a pen test as preparing to either succeed or fail as a security team. But that’s not the approach that’s most conducive to a good test. What we should be trying to accomplish in pen testing is to have a known party find these vulnerabilities for you. You want them to find all of your vulnerabilities; you want them to find attack paths that could be abused. If we do not find them on our side, an attacker will, and the attacker is not going to have the same mindset that we have when we approach it. They are going to be looking to cause damage. They’re going to be looking to exploit those systems to extort anything they can get from you or bring you down.  HEALTHTECH: What are the top lessons you’ve learned in your experience as a pen tester that you can share with other healthcare organizations?QUINN: A flat network, as we call it, could be something where, if I had gotten onto a workstation, I could contact most other servers or devices on that network, and I could attack those. It makes it incredibly easy for an attacker to move around the network.I’ve had healthcare facilities that I’ve tested that had relatively flat networks. In one case, I was able to get into the virtual sitter systems and view patients in their rooms. I could access patient data because the computers on the floor did not have adequate segmentation. This allowed me to sign in with breached credentials, and I was able to get into their Epic system and access patient data.In addition to that, MFA is a massive security factor that needs to be implemented. Implementing MFA, while it can be a bit of a cost to a company, can drastically decrease the risk of breach.Last, I would say that cybersecurity and physical security are actually very closely linked. And it’s not just whether you can get to critical systems. It’s whether an actor can get to a network jack that hasn’t been properly decommissioned, and in doing so, connect to the network and gain access through that. It is whether an attacker can get into your facility and potentially implant devices to call back to C2 servers and compromise your network. Having strong physical security controls and access restrictions in the hospital is incredibly important.Strong physical security and policies around device removal can also prevent access to sensitive wireless networks, which may otherwise be properly secured. One of our lead researchers, Deral Heiland, recently performed extensive tests against medical pumps, discovering that many of them still contained Wi-Fi passwords for medical centers around the country after being decommissioned and recycled. If an attacker can gain access to such passwords, they can get onto protected medical device networks and cause a significant operational impact.READ MORE: How can healthcare organizations grow with smarter backup strategies?HEALTHTECH: When it comes to conversations about combating ransomware in healthcare, what do you think is missing from the conversation? Where should people focus?QUINN: It’s funding. It can be quite costly to perform some of the actions that I’ve recommended here, especially when you’re doing network or infrastructure upgrades at scale. It can be costly as well to increase your workforce for security, whether physical or cyber. It is a difficult battle at times for security teams to justify making such sizable cost investments when executives and board members don’t see the work put in to prevent significant cyberattacks. It’s definitely a pain point for a lot of organizations that I’ve worked with. I’ve worked with a few facilities that have skeleton crews of two or three people doing the best that they can. We need more people for stronger security. We need funding and we need people to help fight on these front lines. The goal is to help people and to save lives, and we all need to invest in that if we truly believe in that mission. Getty Images: filo (bubble graphics, icons), bounward (icons); Streamline (icons)