
New warnings from the American Hospital Association and the Cybersecurity and Infrastructure Security Agency detail a shift in tactics by Play, a ransomware group that uses a double-layered extortion model to encrypt systems and steal sensitive data.
The AHA is calling on its members and other healthcare organizations to protect care delivery operations and patient information by patching specific vulnerabilities outlined in the updated joint cybersecurity advisory and enabling multi-factor authentication.
WHY IT MATTERS
Play, also called PlayCrypt, uses unique hashes for each deployment, complicating detection of the ransomware by anti-malware and anti-virus programs, according to the U.S. Department of Justice, the Cybersecurity and Infrastructure Security Agency and their counterparts in Australia.
Healthcare cybersecurity teams should be aware of the changes, according to Scott Gee, AHA deputy national advisor for cybersecurity and risk.
“Play ransomware was among the most active cyberthreat groups in 2024,” he said in a statement.
The Play ransomware group gains network access by abusing valid accounts, potentially through external-facing services like Remote Desktop Protocol and virtual private networks, and by exploiting public-facing applications, according to the advisory.
“Enable multi-factor authentication for all services to the extent possible, particularly for webmail, VPN and accounts that access critical systems,” U.S. and Australian authorities said.
Play’s threat actors have used known exploited vulnerabilities in FortiOS and Microsoft Exchange, but the updated advisory adds CVE-2024-57727 – a KEV in the remote monitoring and management tool SimpleHelp – to the must-do now list.
Since the SimpleHelp RMM disclosure in January, Play affiliates have been using it to conduct remote code execution at many U.S.-based entities.
Of note, while the group has contacted victims by telephone in the past to threaten release of stolen sensitive data, victims are also now receiving unique @gmx.de or @web[.]de emails demanding ransom.
THE LARGER TREND
Play was the fifth most active ransomware group hitting critical sectors last year, according to the FBI’s 2024 Internet Crime Report.
The Internet Crime Complaint Center received 4,800 complaints from the critical infrastructure sector affected by a cyber threat last year. Of these, healthcare organizations reported 444 incidents, AHA said in a May statement.
Of IC3’s reported healthcare attacks, ransomware accounted for 238 incidents and data breaches for 206.
While CISA and the other agencies do not specifically call out the healthcare sector in the updated Play ransomware advisory, AHA has long encouraged its members to take critical security actions and heed federal cross-sector warnings about known threats to systems that lack MFA or two-factor authentication.
Lawmakers have urged the U.S. Department of Health and Human Services to impose cyber hygiene mandates, including MFA requirements. An explicit MFA mandate could ultimately appear in a proposed HIPAA update, which is expected to be finalized this year.
ON THE RECORD
“As threat actors shift tactics, it is critical that network defenders keep pace,” Gee said in a statement. “The double-layered extortion model and encryption of systems, as well as theft of data, pose a serious potential risk to hospitals and the delivery of healthcare.”
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.