Fraud Management & Cybercrime
,
Healthcare
,
Industry Specific
Group Claims a NY Surgical Center and a Nevada Medical Center Among Recent Victims
A relatively new Russian-speaking ransomware group is looking for targets in the healthcare sector and claims to have stolen sensitive patient information in recent attacks on at least two medical care providers in New York and Nevada.
See Also: NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical
The Everest ransomware group has been active since 2020, engaging in data extortion and ransomware operations, along with initial access broker activity, said the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center in a Tuesday advisory.
“The group has increasingly targeted the healthcare industry since 2021, and claimed responsibility for a recent incident impacting a surgical facility in the United States,” the advisory says. It appears that, from April 2021 to July 2024, Everest has attacked at least 20 healthcare sector entities.
Everest on its dark web leak site lists a variety of recent victims, including Gramercy Surgery Center. It claims to have 450 gigabytes of data it allegedly exfiltrated from the New York-based practice, including personal and medical information pertaining to its patients and doctors.
Gramercy in a notice posted on its website said it learned on June 18 that it may have been the victim of a cyberattack. On June 28, Gramercy determined that certain documents stolen within its IT environment “were copied from or viewed on the system as part of the incident between June 14 and June 17.”
Everest also lists on its data leak site Nevada-based Horizon View Medical Center and claims to have stolen medical record information, including test results and other sensitive patient data.
As of Thursday, Horizon View did not appear to have a notice posted in its website about the alleged incident, and it did not immediately respond to Information Security Media Group’s request for comment about Everest’s claims.
Based on the HHS HC3 alert, the American Hospital Association on Wednesday issued a warning to hospitals about Everest threats.
“Yet another Russian-speaking ransomware group targets U.S. healthcare,” John Riggi, AHA national adviser for cybersecurity and risk, said in the alert. “Everest appears to have morphed into what is known as an ‘initial access broker’ meaning their role in the underground Russian ransomware economy is to facilitate ransomware attacks by initially gaining unauthorized access to a victim organization through such means as credential theft.”
Everest sells the unauthorized access to other cybercriminals, who conduct ransomware attacks, Riggi said. “Everest, like other gangs, utilizes legitimate cybersecurity threat simulation tools such as Cobalt Strike to facilitate their attacks.”
Everest was first observed acting as an initial access broker around November 2021, HHS said. “The ransomware strain has previously been linked to the EverBe 2.0 family and, based on more recent analysis of its ransomware, researchers have also linked Everest to the Russia-based ransomware group BlackByte.”
The group uses compromised user accounts and remote desktop protocol to move laterally across victims’ networks. “By exploiting weak or stolen credentials, they can access multiple systems within a target organization. Everest utilizes tools like ProcDump to create copies of the LSASS process, allowing them to extract additional credentials.”
The AHA and HC3 recommended that hospitals and other healthcare organizations set network monitoring tools to alert for Cobalt Strike activations. It also recommended reviewing domain controllers, servers, workstations, and active directories for new or unrecognized user accounts; regularly backing up data; air gapping data copies; and password-protecting backup copies offline.
Besides healthcare, Everest has also attacked organizations in construction and engineering, financial services, legal and professional services, manufacturing and government.