The story of the Change Healthcare hack took a new turn on Monday, when the emerging ransomware group RansomHub claimed to hold 4TB of data stolen from the healthcare technology company in February.
In February, an affiliate of the ALPHV/BlackCat ransomware group compromised the Change Healthcare platform, which is owned by UnitedHealth Group subsidiary Optum. The intrusion caused extensive operational disruption and raised the possibility that private patient and customer data would be exposed.
Blockchain transaction records linked to ALPHV/BlackCat suggest that Optum paid a $22 million ransom. However, the operators of the ransomware-as-a-service (RaaS) operation appear to have kept the money for themselves in an exit scam.
Before vanishing with the entire $22 million, the group allegedly posted a fictitious law enforcement takedown notice on their leak site. This left the affiliate who carried out the breach, known as “notchy,” with nothing.
Now, RansomHub has entered the scene, demanding money and threatening to disclose the stolen data. According to SOCRadar, this new ransomware gang first started claiming victims on its site in February 2024.
According to screenshots released by Dark Web Informer, the group wrote in a post on its website on Monday: “You only have one chance to protect the data of your clients, Change Healthcare and United Health. The data has not been leaked anywhere and any decent threat intelligence would confirm that the data has not been shared nor posted. The data will be for sale to the highest bidder here if you are unable to agree.”
Ken Dunham, Cyber Threat Director at the Qualys Threat Research Unit, told SC Media in an email that Change Healthcare’s predicament shows that ransomware payouts are a “tricky business.”
“This can be explained by changes in the illicit market, dishonest behaviour on the part of unscrupulous actors, numerous compromises, or other situations. As an incident responder, it is not unusual to find two or more threats within a compromised environment in addition to the one that you initially discovered,” Dunham said. “It’s also not unusual for businesses that succumb to extortion by malicious actors, like ransomware and DDoS payouts, to turn into ‘soft targets,’ swiftly targeted by new extortion schemes time and time again.”
The malware resource-sharing group vx-underground later shared a conversation between one of its admins and a RansomHub admin, which revealed that “many” former ALPHV/BlackCat affiliates had joined the new group.
Additionally, Ransomfeed reported that of the 28 victims RansomHub had listed on its website, only two, one of them Change Healthcare, also appeared among ALPHV/BlackCat’s victims. This lends credence to the theory that RansomHub is a new organization recruiting former affiliates rather than a rebranded ALPHV/BlackCat.
This is not surprising. In an email to SC Media, Menlo Security cybersecurity specialist Ngoc Bui said, “We had previously outlined this scenario in our blog post, foreseeing the potential for such alliances in the cybercriminal ecosystem. Ransomware-as-a-service (RaaS) attacks typically involve the involvement of a middleman, which adds a layer of complexity and risk.” That middleman makes it harder for a victim to deal directly with the threat actors who hold the stolen data and to pay them.
RansomHub started a countdown of just over 12 days for UnitedHealth to pay the ransom before the dataset is sold.
The group claims that the 4TB it accessed contains patients’ personally identifiable information (PII), including Social Security numbers, payment and claim information, and medical and dental data, as well as PII of active U.S. military personnel. It also claims to possess more than 3,000 source code files for Change Healthcare’s software products.
Darren Guccione, CEO and co-founder of Keeper Security, told SC Media in an email, “Healthcare providers stand to experience some of the worst consequences of cyberattacks and data breaches, as they manage immense amounts of sensitive personal and health information about staff, members, and patients. Although it might seem like the easiest way to stop a ransomware attack, government officials and business leaders have long advised against paying ransoms because doing so only serves to fuel the explosive growth of this criminal activity.”
SC Media asked Optum whether it will notify customers, patients and law enforcement of the development, whether it has had any communication with RansomHub, and whether it could confirm or deny a previous ransom payment, but did not hear back. At the time of writing, UnitedHealth Group’s web page on its Change Healthcare cyber response had last been updated on March 27.
Dunham also provided the following advice to ransomware victims: “When it comes to extortion and ransomware, disaster preparedness (DR) planning must carefully consider all the implications of payout or not, to avoid the pitfalls of becoming a soft target or introducing additional risks unintentionally without considering the TTPs of bad actors, insurance coverages, regulatory and other requirements.”
“Layered SecOps and strong cyber security hygiene are the best ways to prevent breaches in the first place,” Dunham said in closing.