New warnings have emerged from the American Hospital Association and the Cybersecurity and Infrastructure Security Agency regarding a change in tactics by the Play ransomware group. This group employs a double-layered extortion model, encrypting systems and stealing sensitive data in the process.
The AHA is urging healthcare organizations to take action to safeguard their care delivery operations and patient information. It recommends patching the specific vulnerabilities outlined in the updated joint cybersecurity advisory and implementing multi-factor authentication.
Play, also known as PlayCrypt, has been noted for using unique hashes for each deployment, making it challenging for anti-malware and anti-virus programs to detect the ransomware. The group gains access to networks by abusing valid accounts, potentially through external-facing services like Remote Desktop Protocol and virtual private networks, before targeting public-facing applications.
Healthcare cybersecurity teams are advised to stay informed about these changes. Scott Gee, AHA deputy national advisor for cybersecurity and risk, emphasized the importance of addressing the Play ransomware threat, citing the group as one of the most active cyberthreat groups in 2024.
The Play ransomware group has been known to exploit vulnerabilities in FortiOS and Microsoft Exchange. The updated advisory now includes CVE-2024-57727, a vulnerability in the remote monitoring and management tool SimpleHelp, as a critical issue that organizations should address promptly. Since the disclosure of SimpleHelp’s RMM vulnerability earlier this year, Play affiliates have been leveraging it to execute remote code at various U.S.-based entities.
In addition to targeting known vulnerabilities, Play has started using unique email addresses to demand ransom from victims, signaling a shift in their tactics. This underscores the evolving nature of ransomware threats and the need for healthcare organizations to remain vigilant in their cybersecurity efforts.
While the Play ransomware advisory does not explicitly mention the healthcare sector, the AHA highlights the significant impact of cyberthreats on healthcare organizations. Ransomware attacks and data breaches have been prevalent in the healthcare sector, with healthcare organizations reporting a substantial number of incidents in the past year.
To address these threats, lawmakers have called for enhanced cybersecurity measures, including mandatory multi-factor authentication requirements. Such measures could be integrated into proposed updates to HIPAA regulations, underscoring the importance of proactive cybersecurity measures in safeguarding sensitive healthcare data.
In response to these evolving threats, Scott Gee emphasized the importance of healthcare organizations keeping pace with threat actors’ changing tactics. The encryption of systems and theft of data pose significant risks to hospitals and the delivery of healthcare services, underscoring the critical need for robust cybersecurity measures in the healthcare sector.
Andrea Fox, senior editor of Healthcare IT News, can be reached via email at afox@himss.org. Healthcare IT News is a publication of HIMSS Media, providing valuable insights and updates on the evolving landscape of healthcare technology and cybersecurity.