The group was able to contain an attempted cyberattack thanks to measures that the Christus IT team swiftly put in place. These mitigation actions limited the damage the attack could inflict and stopped it from impacting patient care and clinical procedures. The group has contracted a third-party cybersecurity firm to review the breach and estimate the extent of the damage.
Responsibility has been claimed by a new ransomware collective called AvosLocker. The group operates on the ransomware-as-a-service (RaaS) model and was first identified by cybersecurity experts in July 2021. It employs double-extortion tactics and has been observed exfiltrating data before deploying encryption, then threatening to sell the stolen data if its ransom demands are not met.
The number of attacks carried out by AvosLocker has been rising steadily, with reports from Trend Micro showing a minimum of 30 attacks during January 2022 and 37 attacks during February.
The group's trademark is to target unpatched vulnerabilities in order to gain access to corporate networks, and it is known to make use of compromised RDP and VPN credentials. Where its operations are based remains unknown, although it is more than likely within Russia or one of the nearby post-Soviet states. The reasoning behind this theory is that the group will not allow attacks to take place in those countries. In March 2022, the FBI and the Department of the Treasury released a joint cybersecurity advisory providing Indicators of Compromise associated with AvosLocker.
AvosLocker has focused on critical infrastructure entities located in the United States, including healthcare groups. One of its most recent targets was McKenzie Health System in Michigan, which the gang infiltrated in March 2022. The PHI of 25,318 individuals may have been stolen in that attack, some of which is thought to have been made available on the AvosLocker dark web leak site.
AvosLocker has released on its dark web leak site a sample of data that is thought to have been obtained during the cyberattack on Christus Health.