The FBI has issued an urgent advisory addressing a surge in ransomware attacks impacting 210 organizations across various sectors.
At a Glance
- Ransomware attacks disrupt operations and cause data loss.
- RansomHub ransomware gang responsible for 210 attacks since February 2024.
- The FBI advises against paying ransoms as it may encourage further attacks.
- Iran-based cyber actors enabling ransomware attacks on U.S. organizations identified.
FBI Issues Urgent Advisory
The FBI has released an urgent advisory due to a significant increase in ransomware attacks affecting 210 organizations across different sectors, including IT, government, healthcare, finance, transportation, and emergency services. This warning aims to boost awareness and encourage stronger cybersecurity measures to protect sensitive data from cybercriminals.
https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/ransomware
In their advisory, the FBI highlights that ransomware is a type of malicious software designed to block access to a computer system or data, typically demanding a ransom to restore access. These attacks can severely disrupt operations and result in the loss of critical information.
The current wave of attacks is attributed to the RansomHub ransomware gang, which has executed 210 attacks since February 2024 using double-extortion tactics: the group both encrypts and exfiltrates victim data, threatening to leak it if the ransom is not paid. Its victims include prominent organizations such as UnitedHealth Group and Halliburton.
ALPHV Blackcat ransomware affiliates continue to victimize critical infrastructure entities, particularly in the healthcare sector. See new TTPs, IOCs and mitigations in an updated joint #CybersecurityAdvisory from the #FBI, @CISAgov and @HHSgov: https://t.co/Engzmmc8nd
— FBI (@FBI) February 28, 2024
FBI Cybersecurity Recommendations
The FBI advises against paying ransoms, stating this does not guarantee data recovery and may encourage further attacks. Instead, they recommend three immediate measures to mitigate the risk: install updates, use phishing-resistant multi-factor authentication, and educate users on phishing tactics.
The FBI, along with CISA and DC3, has also issued an advisory identifying Iran-based cyber actors responsible for enabling ransomware attacks on U.S. organizations. Known as Pioneer Kitten, UNC757, Parisite, Rubidium, and Lemon Sandstorm, these actors have been linked to the Government of Iran and an Iranian IT company. Their operations primarily focus on gaining and developing network access, which is then used to deploy ransomware.
Iran-based Cyber Threat
These cyber actors coordinate with ransomware gangs, targeting sectors such as education, finance, healthcare, defense, and government entities. Their ongoing campaigns involve scanning for internet-facing vulnerabilities and exploiting them to infiltrate networks. They are also noted for selling network access on criminal marketplaces and partnering with ransomware operations like NoEscape, Ransomhouse, and AlphV.
“This alert demonstrates the close ‘international cooperation’ between hackers to exploit cyber espionage campaigns for criminal profit,” said John Riggi, AHA national advisor for cybersecurity and risk.
Organizations are advised to patch specific vulnerabilities, particularly those in products from Check Point, Palo Alto Networks, Ivanti, Citrix, and F5 BIG-IP. The advisory also details known indicators of compromise and the tactics, techniques, and procedures used by these actors.
“The FBI assesses a significant percentage of these threat actors’ operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware,” the agencies said.
As ransomware threats continue to evolve, it is critical for organizations to remain vigilant and proactive in their cybersecurity efforts. The FBI’s advisory emphasizes the necessity of robust defenses and swift responses to shield against the crippling effects of ransomware attacks.