Change Healthcare’s Alleged $22 Million Ransom Payment to BlackCat Ransomware Group Raises Concerns




US Healthcare Giant Change Healthcare Pays $22 Million Extortion Payment to Ransomware Group BlackCat

Introduction

There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. “ALPHV”) as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change’s network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate’s disclosure appears to have prompted BlackCat to cease operations entirely.

Background

In the third week of February, a cyber intrusion at Change Healthcare began shutting down important healthcare services as company systems were taken offline. It soon emerged that BlackCat was behind the attack, which has disrupted the delivery of prescription drugs for hospitals and pharmacies nationwide for nearly two weeks.

Extortion Payment and Betrayal

On March 1, a cryptocurrency address associated with BlackCat received a single transaction worth approximately $22 million. Following this, a BlackCat affiliate posted a complaint stating that Change Healthcare had paid a $22 million ransom for a decryption key and to prevent the publication of four terabytes of stolen data. However, the affiliate claimed that BlackCat cheated them out of their share of the ransom, and they still possess Change Healthcare’s sensitive data, putting the company in a vulnerable position.

Change Healthcare’s Response

Change Healthcare has neither confirmed nor denied making the payment, but the company has responded to media outlets stating that it is primarily focused on its investigation and the restoration of services.

Potential Impact and Consequences

If Change Healthcare did pay the ransom, its strategy seems to have backfired. The stolen data reportedly includes sensitive information from major insurance and pharmacy networks, including Medicare. The actions of the affiliate and the subsequent shutdown of BlackCat could have serious repercussions for Change Healthcare’s reputation and the security of the information it holds.

BlackCat’s Demise and the Potential Threat

BlackCat, a ransomware-as-a-service collective, was infiltrated by the FBI and foreign law enforcement partners in late December 2023. The government seizure of the BlackCat website and the release of a decryption tool dealt a major blow to the group. However, the group attempted to re-form and increase affiliate commissions to 90 percent. Eventually, they announced that their operations were fully closing down and that their ransomware source code had been sold to a buyer.

Cybercriminal Trust and Reliability

The events related to BlackCat and LockBit, another ransomware group, emphasize the lack of trust and reliability within the cybercriminal network. Affiliates and victims cannot rely on criminals to fulfill their promises, and this should serve as a warning to companies and individuals alike.

Conclusion

The saga of Change Healthcare’s ransomware attack and the subsequent payment highlights the high stakes and risks associated with cyber extortion. Companies must prioritize proactive cybersecurity measures to protect themselves and their clients, as paying the ransom does not guarantee the safe return or destruction of stolen data.

