The ransomware attack on medical firm Change Healthcare has been one of the most disruptive in years, crippling pharmacies across the U.S. The breach has caused serious snags in the delivery of prescription drugs nationwide for 10 days and counting. Now, a dispute within the criminal underground has revealed a new development in that unfolding debacle:
One of the partners of the hackers behind the healthcare cyberattack points out that those hackers, a group known as AlphV or BlackCat, received a $22 million transaction that looks very much like a large ransom payment. The transaction, visible on Bitcoin’s blockchain, suggests that Change Healthcare may have paid a very large ransom.
Change Healthcare ransom
On March 1, a Bitcoin address connected to AlphV received 350 bitcoins in a single transaction, or close to $22 million based on exchange rates at the time. Then, two days later, someone describing themselves as an affiliate of AlphV posted to the cybercriminal underground forum RAMP that AlphV had cheated them out of their share of the Change Healthcare ransom, pointing to the publicly visible $22 million transaction on Bitcoin’s blockchain as proof.
According to Dmitry Smilyanets, a researcher at security firm Recorded Future, this suggests that Change Healthcare has likely paid AlphV’s ransom.
Both Recorded Future and TRM Labs, a blockchain analysis firm, connect the Bitcoin address that received the $22 million payment to the AlphV hackers. TRM Labs says it can link the address to payments from two other AlphV victims in January.
Ransom sets a dangerous precedent
If Change Healthcare did pay a $22 million ransom, it would not only represent a huge payday for AlphV, but also a dangerous precedent for the healthcare industry, argues Brett Callow, a ransomware-focused researcher with security firm Emsisoft. Every ransomware payment, he says, both funds future attacks by the group responsible and suggests to other ransomware predators that they should try the same playbook—in this case, attacking health care services that patients depend on.
The self-described AlphV affiliate who first posted evidence of the payment on RAMP, and who goes by the name “notchy,” complained that AlphV had apparently collected the $22 million ransom from Change Healthcare and then kept the entire sum, rather than share the profits with their hacking partner as they had allegedly agreed. “Be careful everyone and stop deal with ALPHV,” notchy wrote.
Health care firms’ data access
That affiliate hacker also wrote that in their penetration of Change Healthcare’s network, they had accessed the data of numerous other health care firms partnered with the company. If that claim is accurate, it creates the additional risk that the affiliate hacker still possesses sensitive medical information. Even if Change Healthcare did pay AlphV, the hacker affiliate could still demand additional payment or leak the data independently.
Profitable score for AlphV
As ransomware payments go, $22 million would represent a remarkably profitable score for AlphV. Only a relatively small number of ransoms in the history of ransomware, such as the $40 million payment made by the financial firm CNA to the hackers known as Evil Corp, have been so large, says Emsisoft’s Callow. “It’s not without precedent, but it’s certainly very unusual,” he says.
Other AlphV healthcare cyberattacks
Regardless of whether Change Healthcare is confirmed to have paid that ransom, the attack shows that AlphV has pulled off a disturbing comeback: In December, it was the target of an FBI operation that seized its dark web sites and released decryption keys that foiled its attacks on hundreds of victims. Just two months later, it carried out the cyberattack that paralyzed Change Healthcare, triggering an outage whose effects on pharmacies and their patients have now stretched well beyond a week. As of last Tuesday, AlphV listed 28 companies on the dark web site it uses to extort its victims, not including Change Healthcare.
Growing cyberattack threat to healthcare
That site has now gone offline. Ransomware trackers say AlphV has disappeared and rebranded several times before. Earlier incarnations under the names BlackCat, BlackMatter, and Darkside were all more or less the same group, security researchers note.
Improving cybersecurity in healthcare
This attack is just one example of the growing threat of cyberattacks on healthcare providers. What steps can be taken to improve the security of healthcare systems?
Overall, the incident underscores the need for robust cybersecurity measures and collaboration between industry stakeholders, law enforcement agencies, and cybersecurity experts to mitigate the impact of ransomware attacks and protect critical infrastructure.