Change Healthcare faces another ransomware threat—and it looks credible

Change Healthcare has suffered a months-long ransomware crisis that has left hundreds of pharmacies and medical practices across the United States unable to process claims. Now, due to an apparent controversy within the ransomware criminal ecosystem, it could get even messier.

Last month, the ransomware group AlphV, which took credit for encrypting Change Healthcare's network and threatened to leak reams of the company's sensitive health care data, received a $22 million payment in Bitcoin. Because that transaction is visible on the public blockchain, Change Healthcare very likely succumbed to its tormentors' ransom demand, although the company has not confirmed whether it paid. But in a new definition of worst-case ransomware, a separate ransomware group now claims that it, too, holds data stolen from Change Healthcare and is demanding its own payment.

As of Monday, RansomHub, a relatively new ransomware group, has posted on its dark-web site that it holds 4 terabytes of Change Healthcare's stolen data, which it threatens to sell to the "highest bidder" if Change Healthcare does not make an unspecified ransom payment. RansomHub told WIRED that it is not affiliated with AlphV and "cannot say" how much money it is demanding.

RansomHub initially declined to publish or provide WIRED with any sample data from the stolen repository to back up its claim. But on Friday, a representative for the group sent WIRED several screenshots of patient records, as well as a data-sharing contract involving United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and later took its name.

While WIRED could not fully confirm RansomHub's claims, the samples suggest that this second extortion attempt against Change Healthcare may be more than an empty threat. "For anyone doubting that we have the data, and for anyone estimating the seriousness and sensitivity of the data, the images are meant to show the magnitude and importance of the situation and to illustrate the unrealistic and childish theories. They should be enough," the RansomHub contact wrote in an email to WIRED.

Change Healthcare did not immediately respond to WIRED’s request for comment on RansomHub’s extortion demand.

Brett Callow, a ransomware analyst at security firm Emsisoft, says he believes AlphV never published any data from the incident, and that the origin of RansomHub's data is unclear. Regarding the samples shared by RansomHub, he says, "I obviously don't know whether the data is genuine or not – it could be pulled from somewhere else – but nor do I see anything that indicates that it can't be authentic."

John DiMaggio, chief security strategist at threat intelligence firm Analyst1, says that after reviewing the information sent to WIRED he believes RansomHub is "telling the truth and has the data from Change Healthcare." While RansomHub is a new ransomware threat actor, DiMaggio says, the group is rapidly "gaining momentum."

If RansomHub's claims are genuine, it would mean that Change Healthcare's already disastrous ransomware ordeal has become a cautionary tale of sorts about the dangers of trusting ransomware groups to keep their promises even after the ransom is paid. In March, someone going by the name "Notchi" posted on a Russian cybercriminal forum that AlphV had pocketed the $22 million payment and disappeared without sharing the commission with its "affiliate" hackers, who typically partner with ransomware groups and often carry out the intrusion into victims' networks on the group's behalf.
