The US government, in collaboration with the FBI, CISA [2] [5] [6] [7], and HHS [1] [5] [7], has issued a warning to the healthcare sector about the BlackCat ransomware group [7], also known as ALPHV [2] [7].

BlackCat has targeted nearly 70 victims since mid-December 2023 [7], with healthcare being the most commonly victimized industry [6] [7]. The group has adapted its techniques following law enforcement operations [7], employing victim-specific emails and offering cyber remediation advice as an incentive for payment [7]. BlackCat has released an updated ransomware version [7], the 2.0 Sphynx upgrade [1], capable of encrypting Windows [1] [7], Linux [1] [7], and VMware devices [7]. Affiliates use advanced social engineering techniques to gain initial access to victim networks [7], posing as IT or helpdesk staff to obtain credentials [7]. They deploy remote access software and legitimate tools for lateral movement [7], exfiltration [7], and data encryption [7]. Affiliates communicate with victims via Tor [7], Tox [7], email [7], or encrypted applications [7], using URLs for live-chat communication and data exfiltration [7]. The advisory recommends implementing application controls for secure remote access [7], phishing-resistant MFA [7], network monitoring tools [7], internal mail and messaging monitoring [7], and user awareness training to combat BlackCat ransomware attacks [7].

Hospitals are urged to take mitigation measures to prevent ransomware attacks [1], as BlackCat is identified as one of the world’s most prolific ransomware operators [1], alongside LockBit and Cl0p [1]. The gang recently claimed responsibility for an attack on Change Healthcare [5] [6], stealing 6TB of data [3] [5], including source code and information on healthcare providers [5]. The US Department of State is offering rewards for information on the gang’s leaders [5].

ALPHV/BlackCat affiliates use social engineering and remote access tools to obtain credentials and move laterally throughout networks [5]. The guidance recommends securing remote access tools and deploying strong MFA to prevent ransomware incidents [5]. The Change Healthcare breach may be part of an ongoing trend of healthcare sector targeting by ransomware groups [5]. Security researchers suggest a critical ConnectWise ScreenConnect vulnerability may have been involved in the attack [5], although ConnectWise denies any connection [5]. The trend of healthcare ransomware breaches is expected to continue [5], with resource limitations posing challenges for mitigation efforts [5].

The ALPHV BlackCat ransomware gang has threatened retaliation against countries involved in its takedown and has given affiliates the green light to target hospitals [3], with pharmacies such as Walgreens and CVS Health being targeted [3]. A ransomware attack on technology provider Change Healthcare has disrupted pharmacies’ ability to process orders paid for through insurance [3], with ALPHV BlackCat claiming responsibility and stating that they have stolen 6TB of data [3]. The US government is offering a $15 million reward for information on the group’s activities [4], and UnitedHealth is working with cybersecurity firms to address the breach [4], but it is unclear if the company plans to pay the ransom demanded by BlackCat [4].

The impact of BlackCat ransomware attacks on the healthcare sector is significant, with data breaches and disruptions to critical services. Mitigation efforts such as implementing secure remote access controls and strong MFA [5] are crucial to preventing future attacks. The ongoing trend of healthcare sector targeting by ransomware groups highlights the need for increased cybersecurity measures and vigilance.