TLDR: LockBit 4.0 affiliates have launched coordinated attacks against healthcare providers, exploiting unpatched VPN appliances as initial access vectors. Over 30 organizations reported incidents in the past week.
The campaign leverages known vulnerabilities in Fortinet and Cisco VPN products. Threat actors are demanding ransoms of between $500K and $5M, using exfiltrated patient data as additional leverage.
Indicators of Compromise:
- Initial access via CVE-2024-21762 (Fortinet)
- Cobalt Strike beacons for lateral movement
- Data exfiltration to Tor-based infrastructure