HHS is warning the healthcare sector about a ransomware group that has been stepping up its attacks on the industry and recently disrupted hospital operations in the U.K.
The Qilin ransomware-as-a-service organization, initially launched as Agenda in 2022, likely originates from Russia and has attacked at least 15 healthcare and public health organizations worldwide since October 2022, according to the June 18 notice from HHS' Office of Information Security and Health Sector Cybersecurity Coordination Center. The group uses "spear phishing" and looks for vulnerabilities in remote monitoring and management programs, and is known for committing "double extortion," or demanding money in return for not leaking data.
Most recently, the group reportedly demanded $50 million in ransom from a U.K.-based pathology services company in a June cyberattack that impeded operations at London hospitals. That is far above Qilin's typical ransom demand in 2023 of $50,000 to $800,000, according to the HHS notice.
In the U.S., the group has targeted healthcare organizations with revenues from $6 million to $40 million in states including Indiana, Florida, Ohio, Georgia, Minnesota, Nevada, and Arizona, HHS said.
The FBI advises such mitigation efforts as reviewing for new or unrecognized user accounts, regularly backing up data offline, and making sure antivirus programs haven't been unexpectedly turned off.