Change Healthcare is allegedly being extorted by a second ransomware gang, mere weeks after recovering from an ALPHV attack.
RansomHub claimed responsibility for attacking Change Healthcare in the last few hours, saying it had 4 TB of the company’s data containing personally identifiable information (PII) belonging to active US military personnel and other patients, medical records, payment information, and more.
The miscreants are demanding a ransom payment from the healthcare IT business within 12 days or its data will be sold to the highest bidder.
“Change Healthcare and United Health you have one chance in protecting your clients data,” RansomHub said. “The data has not been leaked anywhere and any decent threat intelligence would confirm that the data has not been shared nor posted.
“In the event you fail to reach a deal the data will be up for sale to the highest bidder here.”
If the criminals’ claims are true, Change Healthcare will now be mulling whether to pay during a difficult time for the company after having only just recovered from its earlier February attack.
The org is alleged to have paid a $22 million ransom to ALPHV following the incident – a claim made by researchers monitoring a known ALPHV crypto wallet and one backed up by RansomHub. However, Change Healthcare has never officially confirmed this to be the case.
If all of the claims are true, it means the embattled healthcare firm is deciding whether to pay a second ransom fee to keep its data safe.
Overkill?
The natural questions to ask in response to seeing a critical services provider being hit by two different ransomware crews is “why and how has this been allowed to happen?”
To answer the “why,” the prevailing theory among infosec watchers is that ALPHV pulled what’s known as an exit scam after Change allegedly paid its ransom.
While the ratios vary slightly between gangs, generally speaking, ransomware payments are split 80/20 – 80 percent for the affiliate that actually carried out the attack and 20 percent for the gang itself.
It’s believed that ALPHV took 100 percent of the alleged payment from Change Healthcare, leaving the affiliate responsible for the attack without a commission.
Angry and searching for what they believed they were “owed,” the affiliate is thought to have retained much of the data it stole and now switched allegiances to RansomHub in one last throw of the dice to earn themselves a payday, or so the theory goes.
If true, this would provide a clear lesson to any organization thinking about paying a ransom, as if we didn’t need another example.
An alternative theory is that ALPHV has just rebranded as RansomHub – a group security researcher SOCRadar says only spun up in February 2024, the same month ALPHV hit Change Healthcare, one of its final attacks.
There’s no hard evidence linking ALPHV to RansomHub, although it is still early days.
The two theories, both in their own way, address the “how” of the situation. Whether it was the affiliate switching sides or ALPHV re-victimizing the organization under a new moniker, the common factor in the two is that despite a ransom allegedly being paid, the data was retained by the cybercriminals.
A ransom payment negotiation is typically agreed with the belief that the attackers would delete the data once they receive a payment. These are criminals, however, so they shouldn’t ever be trusted.
The dismantling of LockBit by the UK’s National Crime Agency (NCA) et al provided the first evidence that ransomware gangs retain stolen information from victims that pay, cementing a long-held belief by security researchers.
The latest situation at Change Healthcare could be the latest in a long line of arguments against paying a ransom demand.
“The fact that Change Healthcare was seemingly targeted again, possibly by the same actors under a new alias or affiliates, highlights a significant issue in the ransomware ecosystem – the lack of ‘honor among thieves’,” Javvad Malik, lead security awareness advocate at KnowBe4, told The Register.
“While the initial payment of $22 million might have seemed like a resolution, it potentially opened the door for further extortion. It’s a stark reminder that paying a ransom not only fails to guarantee data safety or non-disclosure but might also paint the organization as a repeat target for future attacks.”
We approached Change Healthcare for comment but it didn’t immediately respond.
What happened with Change Healthcare?
UnitedHealth, parent company of Change Healthcare, disclosed a cybersecurity incident on February 22, saying at the time it didn’t expect it to materially impact its financial condition or the results of its operations.
It originally suspected nation state attackers to be behind the incident, but the ALPHV ransomware gang later claimed responsibility.
Many of its systems were taken down as a result while it assessed and worked to remediate the damage.
Hospitals and pharmacies reported severe disruption to services following the attack, with many unable to process prescriptions, payments, and medical claims. Cashflow issues also plagued many institutions, prompting the US government to intervene.
The IT biz’s data protection standards are soon to be subject to an investigation by the US healthcare industry’s data watchdog, which cited the “unprecedented magnitude of this cyberattack” in its letter to Change.