
Second Cyber Extortion Attack on Change Healthcare Follows Rumored $22 Million Payment, May Involve Former BlackCat/ALPHV Hackers

Roughly two months after being hit with a ransomware attack from the BlackCat/ALPHV group, Nashville-based medical payment service provider Change Healthcare is dealing with another cyber extortion attempt.

The new attack appears to be the work of RansomHub, an up-and-coming group that has reportedly been onboarding former BlackCat members during an early 2024 spree. That could mean that some of the same hackers from the first incident have shared intelligence on the company, and are double-dipping on their prior cyber extortion caper.

Healthcare provider loses 4 TB of personal information in second attack

RansomHub has claimed credit for the new Change Healthcare attack. The group says that it stole 4 TB of data that includes sensitive personal information, including financial information and medical records belonging to US military personnel. As of the beginning of the week, the group had set a deadline of April 20 for the company to pay a ransom. If it does not pay, the hackers have threatened to put the stolen data up for auction.

This comes after a February attack by BlackCat/ALPHV that was not confirmed and reported until early March. Change Healthcare has limited its public comments on this incident, but security researchers believe the company paid a $22 million ransom to the group in Bitcoin to keep it from exposing data. The incident was the last major caper for the group, which dissolved after a major international law enforcement action and “rugpulled” a number of its affiliates on the way out.

Enter RansomHub, which first appeared on security researchers' radar in February but has already executed a number of attacks. There has been some chatter indicating that either former BlackCat members joined the group, or that it is simply a rebrand involving the same crew. Whatever the case, the cyber extortion scheme might be run by hackers that previously broke into Change Healthcare. That in turn raises the question of whether the organization still has backdoors that the attackers can exploit, or unpatched vulnerabilities that were not addressed in the wake of the first attack.

With limited public information about the two cyber extortion incidents available, it is also not clear if the new collection of stolen information has any overlap with what was previously taken. It is entirely possible that the prior affiliate that was seemingly exit scammed by BlackCat brought the same stolen healthcare data to the new RaaS provider, possibly with the assistance of former BlackCat members that joined up.

Yossi Rachman, Director of Security Research at Semperis, provides more insight on this new group: “RansomHub is a relatively new Ransomware-as-a-service group, established sometime around Feb 2024, which operates through an affiliate model. While claiming to include individuals from various global locations, it also states it does not allow targeting North Korea, China, Cuba and the Commonwealth of Independent States (CIS) – the latter a group of nations which were formerly part of the Soviet Union, excluding Georgia and Ukraine – two countries Russia had waged war against. In this respect it seems RansomHub is either sponsored, operated by, or working from the Russian Federation or for the benefit of Russian interests. Previous attacks by RansomHub were carried out against targets in the US, Brazil and Southeast Asia, operating in several industries not limited to healthcare.”

“The attack on Change is considered the most sophisticated attack against a healthcare organization, with millions of prescription drug orders for patients being disrupted nationwide for weeks. Proper cybersecurity measures are critical to mitigating operational risks in any modern data-driven organization. Also, enterprises are capable of fighting back and taking control of their networks, forcing ransomware gangs to move onto softer targets. Kudos to Change and their team of highly qualified professionals for their work in reducing business disruptions in what has become a multi-layered attack,” added Rachman.

Cyber extortion raises fresh questions about whether ransom demands should be paid

The prior cyber extortion attack on Change Healthcare caused serious disruptions across the country. Though the company appears to have ultimately paid the asking price, ransomware was deployed and seems to have caused havoc for business operations for at least some amount of time. The company is a particularly worrisome target due to its size; it is estimated to be involved with health care claims and policies to such a degree that about one out of every three patients in the US is potentially impacted.

The incident has also inflamed the debate about ransomware and cyber extortion payments. Most governments have opted to tacitly allow payments, acknowledging that victims often have no better way out of the situation. But this situation demonstrates that criminals will happily re-exploit a victim that remains vulnerable. When paired with the recent discovery that LockBit had been keeping stolen data that it promised victims it would delete, revealed when the UK’s National Crime Agency (NCA) picked through its seized assets, a substantial argument to the contrary emerges (particularly if the attacker does not lock up business operations with ransomware).

Change Healthcare had valid reason to pay to get out of the first attack, as the ransomware had disrupted many of its systems for an extended period. This in turn crippled the ability of many pharmacies and health care providers to process patient claims and insurance, which in some cases stopped patients from getting necessary medication. Some organizations were also threatened at a basic operational level by the sustained pause in revenue and ultimately had to seek assistance from the federal government to tide them over. The second attack appears to be a matter of straightforward cyber extortion with stolen sensitive data, however, and perpetrated by threat actors already known not to keep their word.

Change Healthcare is already in a difficult situation with the first breach, facing both private lawsuits and scrutiny from the federal government. At least two dozen suits have been filed by impacted patients, with the company filing a motion to consolidate all related suits and have them heard in its home district in Tennessee. While a class action is likely to emerge due to the similarities in damages to each party, formal federal regulatory scrutiny of the company’s security standards has also been announced due to the magnitude of the incident. The new cyber extortion case will not help with either of these situations.

Victor Acin, Head of Threat Intel at Outpost24, notes that BlackCat’s brazen rugpull of its affiliates may be enough to prompt serious changes: “Ransomware groups, especially those offering RaaS, are very particular about their credibility; ultimately, the trust that victims place in these groups is key to successfully ransoming their data. No one will pay a ransom if they do not believe they will retrieve their data and recover from the attack. However, in this case, the temptation of keeping the 22 million payout was apparently big enough to jeopardize their entire operation. The remaining question was what would happen to the data belonging to the affected victim; considering it has resurfaced on RansomHub, we can infer that it was in the hands of the affiliate who was now missing around 18 million dollars and was not willing to let go of such a sum.”

Malachi Walker, Security Advisor at DomainTools, observes that certain changes in the criminal underground are already being seen by security researchers: “Our team has been following the ALPHV/BlackCat ransomware attack and the surrounding speculation behind their decision to close up shop. This new information supports a few theories that our team has suggested, but no matter the case, it’s unfortunate that Change Healthcare is caught in the middle of this conflict between two rival gangs. The theory that BlackCat was internally worried about moles within their group is supported if information BlackCat leveraged to compromise Change Healthcare was shared with RansomHub. The theory that BlackCat rebranded to RansomHub, while not supported yet by any hard evidence, also makes sense. Even if not connected to BlackCat, RansomHub could be claiming ties to their victims to scare them into making a payment.”

“There is a vast underground economy booming around the ransomware scene today where affiliate programs recruit on hacker forums, initial access brokers sell footholds into organizational networks, and ransomware groups collaborate to share information. DNS can be powerful in combatting the threat of ransomware and in making these connections. Discovering domains associated with ransomware groups that fit inside the constraints specific to the attacks they’re likely to carry out can reveal connections between two seemingly unrelated pieces of infrastructure. We will continue to monitor the TTPs of RansomHub to see if any evidence of a connection to BlackCat reveals itself,” added Walker.