����������

The Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HC3) this week released an advisory about Everest, a ransomware-as-a-service group increasingly targeting the health care field. The group is known to access systems through compromised user accounts and common remote access tools.

“Yet another Russian-speaking ransomware group targets U.S. health care,” said John Riggi, AHA national advisor for cybersecurity and risk. “Everest appears to have morphed into what is known as an ‘initial access broker’ meaning their role in the underground Russian ransomware economy is to facilitate ransomware attacks by initially gaining unauthorized access to a victim organization through such means as credential theft. They then sell the unauthorized access to other gangs, who conduct the ransomware attack. It is noted that Everest, like other gangs, utilizes legitimate cybersecurity threat simulation tools such as Cobalt Strike to facilitate their attacks. It is recommended that health care organizations set network monitoring tools to alert for Cobalt Strike activations, implement the recommended mitigations included in the alert, and implement the voluntary health care cybersecurity performance .”

For more information on this or other cyber and risk issues, contact Riggi at jriggi@aha.org. For the latest cyber and risk resources and threat intelligence, visit aha.org/cybersecurity.