Early on February 21st a cyberattack began causing widespread outages at pharmacies and healthcare providers around the country. This attack targeted Change Healthcare, a subsidiary of UnitedHealth Group and one of the nation’s largest processors of prescription medications and related billing services. Change Healthcare merged with US healthcare provider Optum in 2022.
According to UnitedHealth Group:
“On Feb. 21, 2024, we discovered a threat actor gained access to one of our Change Healthcare environments. Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact. Our security team, along with law enforcement and independent experts, began working to address the matter. At this time, we believe the cybersecurity issue is specific to Change Healthcare.”
In a post on its dark web leak site, ALPHV/BlackCat, a Russia-based ransomware and cyber extortion gang, took credit for this attack. UnitedHealth Group later confirmed this information in a statement:
“Change Healthcare can confirm we experienced a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat.”
Over the last two weeks, Change Healthcare/UnitedHealth Group has released numerous updates to clients and the general public via their website regarding recovery efforts and possible timelines for systems to come back online. More recently, updates have hinted at a shift away from direct recovery of Change Healthcare systems and toward workarounds and redirection of some services to equivalent systems in the Optum network. As of March 5th, UnitedHealth Group is reporting that e-Prescribe services are online and actively processing transactions. They are also reporting that 90% of claims are flowing uninterrupted via certain workarounds. The overall pharmacy network that connects pharmacies and PBMs (pharmacy benefit managers) is still offline, but is expected to be available as early as this Thursday.
Adding to this ongoing saga, on Monday (3/4), news outlets and cybersecurity professionals began reporting that a possible ransomware payment had been observed on the Bitcoin blockchain to a wallet associated with ALPHV/BlackCat. This indicated the possibility that Change Healthcare had negotiated and paid the ransom in an attempt to recover its systems. The ALPHV/BlackCat wallet received a payment of 350 Bitcoins, worth approximately $22 million at the time of the transaction. When asked, UnitedHealth Group declined to comment.
Adding further intrigue to this situation, later that same day ALPHV/BlackCat appears to have shut down its servers and negotiation sites and gone dark. It is still unclear why this happened. It is possible this was some sort of exit scam in which the ransomware gang took the money and ran, or it could be an attempt to rebrand the ransomware operation under a different name. The latter is a common mechanism for further avoiding detection and throwing off law enforcement pursuit. In either situation, it is quite possible a ransom was paid (more than $22 million), but no decryption keys were provided to the victim.
As rumors circulate, Brian Krebs of Krebs on Security has reported the following:
There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. “ALPHV”) as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change’s network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate’s disclosure appears to have prompted BlackCat to cease operations entirely.
The affiliate claimed BlackCat/ALPHV took the $22 million payment but never paid him his percentage of the ransom. BlackCat is known as a “ransomware-as-service” collective, meaning they rely on freelancers or affiliates to infect new networks with their ransomware. And those affiliates in turn earn commissions ranging from 60 to 90 percent of any ransom amount paid.
“But after receiving the payment ALPHV team decide to suspend our account and keep lying and delaying when we contacted ALPHV admin,” the affiliate “Notchy” wrote. “Sadly for Change Healthcare, their data [is] still with us.”
According to Krebs, Change Healthcare paid the ransom in an attempt to both gain access to the decryption key and prevent the exposure of roughly four terabytes of stolen data.
This additional reporting by Brian Krebs and others is very important because it shines a light on why paying the ransom should never be an option. The risk is extremely high and the possible rewards – a working decryption key and the promised destruction of the stolen data – are far from certain. In this specific situation, Change Healthcare has potentially set a horrible precedent for other healthcare providers and large businesses who find themselves under attack. The possibility of a $22 million payday is very hard for any cybercriminal to resist, so the attacks will only grow and multiply over the coming weeks, months and years.
The takeaways for all businesses and organizations are simple in light of this attack:
· Create and frequently test reliable system backup procedures. Make sure you have immutable backup data available for restoration. Make sure those restoration processes are timely and can meet the recovery objectives for your organization.
· Build a strong, modern cybersecurity defense-in-depth strategy for your organization. Deploy sound perimeter defenses, advanced malware protection, zero trust infrastructure, and strong, frequent end user awareness training. Be prepared.
· Explore cyber insurance, cyber warranties, and forensic response services for your organization. Be prepared for the worst-case scenario and ensure your incident response plan is detailed and appropriately agile.
Things are not going to get easier for organizations. The threats are real and they are active. Be ready to defend and ready to respond.