This week, the Department of Health and Human Services Health (HHS) Sector Cybersecurity Coordination Center (HC3) released an alert on Everest, a ransomware-as-a-service group that is increasingly targeting the healthcare field. Compromised user accounts and remote access tools are a known way for the group to gain access to systems.
The threat alert stated that Everest has been active since 2020 and claimed responsibility for a recent incident impacting a surgical facility in the United States.
“Everest appears to have morphed into what is known as an ‘initial access broker,’ meaning their role in the underground Russian ransomware economy is to facilitate ransomware attacks by initially gaining unauthorized access to a victim organization through such means as credential theft. They then sell the unauthorized access to other gangs, who conduct the ransomware attack,” John Riggi, American Hospital Association (AHA) national advisor for cybersecurity and risk, warned in a statement.
“It is recommended that healthcare organizations set network monitoring tools to alert for Cobalt Strike activations,” Riggi advised in a statement.
