AvosLocker Claims Credit for Christus Health Ransomware Attack

The Irving, TX-based nonprofit health system, Christus Health, which operates more than 600 healthcare facilities in Texas, Arkansas, Louisiana, and New Mexico, has announced it has recently identified suspicious activity in its computer systems and blocked an attempted cyberattack. The prompt action taken by the Christus IT team severely limited the scope of the attack and prevented the incident from impacting its patient care and clinical operations. Christus Health said it is working with third-party cybersecurity experts to investigate and determine the extent of the security breach.

A relatively new ransomware threat group called AvosLocker has claimed credit for the attack. AvosLocker operates under the ransomware-as-a-service (RaaS) model and was first identified in July 2021. The threat group engages in double extortion tactics and is known to exfiltrate data prior to file encryption, then threatens to auction the stolen data if the ransom is not paid.

The number of attacks conducted by Avosocker has been steadily growing, with data from Trend Micro indicating at least 30 attacks were conducted in January 2022, and 37 in February. The gang is known to exploit unpatched vulnerabilities to gain access to victim networks and is reported to use compromised RDP and VPN credentials. The location of the RaaS operation is not known, but it is probable that they are based in Russia or a Post-Soviet state since the group does not permit attacks in those countries. In March 2022, a joint cybersecurity advisory was issued by the FBI and the Department of the Treasury which provided Indicators of Compromise associated with AvosLocker.

Avoslocker has been targeting critical infrastructure entities in the United States, including healthcare organizations. One of the most recent victims was McKenzie Health System in Michigan, which was attacked by the gang in March 2022. The protected health information of 25,318 patients was potentially stolen in that attack, a sample of which was allegedly uploaded to the AvosLocker dark web leak site.

AvosLocker has uploaded a sample of data to its dark web leak site which was allegedly stolen in the attack on Christus Health. At this stage, the extent to which patient data has been affected has not been determined.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.