Change Healthcare Attack: BlackCat/ALPHV Wallet is $22 Million Fatter

Date: March 5, 2024


Researchers suggest that a $22 million Bitcoin blockchain transaction is potentially evidence that the BlackCat/ALPHV ransomware gang may have hit a big payday in their ongoing attack against Change Healthcare, the largest healthcare payment processor in the US.

American Hospital Association CEO Rick Pollack described the attack, which has disrupted the distribution of prescription drugs nationwide for more than a week, as “the most serious incident of its kind leveled against a U.S. health care organization.”  

“On March 1, a Bitcoin address connected to ALPHV received 350 bitcoins in a single transaction, or close to $22 million based on exchange rates at the time. Then, two days later, someone describing themselves as an affiliate of ALPHV—one of the hackers who work with the group to penetrate victim networks—posted to the cybercriminal underground forum RAMP that ALPHV had cheated them out of their share of the Change Healthcare ransom, pointing to the publicly visible $22 million transaction on Bitcoin's blockchain as proof,” Wired Magazine reports.

“You can see the number of coins that landed there. You don’t see that kind of transaction so often. There’s proof of a large amount landing in the ALPHV-controlled Bitcoin wallet. And this affiliate connects this address to the attack on Change Healthcare. So it’s likely that the victim paid the ransom,” researcher Dmitry Smilyanets explained.

A spokesperson for Change Healthcare did not comment directly on whether the company paid a ransom demand, stating “we are focused on the investigation right now.”

Takeaway: Ransomware is a business model, and a very lucrative one at that. Every time a ransomware operator receives a ransom payment, they are emboldened to attack again.

The recommendation from law enforcement and other experts is that organizations should never pay a ransom demand, which would logically diminish the financial incentives for these attacks.

But is this a “one size fits all” approach? The debate over whether to ban ransom payments altogether rages on.  

“While it may be within the risk appetite for an entertainment company like MGM to refuse a ransom demand despite downtime costing the organization revenue, the decision not to pay a ransom likely will not put any lives at risk,” Jon Miller, co-founder and CEO of anti-ransomware platform Halcyon, told ComputerWeekly.

“But what about a healthcare provider like Change Health who urgently requires access to systems because any delays could pose a risk to human life? In these cases, the decision on whether to pay a ransom demand is significantly more complicated.”

Experts continue to be divided on whether organizations should pay ransomware demands. Some argue that the quickest way to restore operations is to pay the attackers for a decryption key, while those who support a ransom ban argue that doing so only increases the likelihood of continued attacks – sometimes against the same victim by the same attacker.

Paying a ransom demand is itself risky, as it does not guarantee that the victim’s systems will be restored. There have been instances where victims have paid the ransom, but the attackers did not provide the decryption key, or the data was corrupted in the decryption process.

“Ransomware attacks against the healthcare system are increasingly impacting organizations' ability to care for patients, and some studies have already found a direct link between ransomware attacks and increased patient mortality,” said Miller.

“One study found that 68% said ransomware attacks resulted in a disruption to patient care, and 43% said data exfiltration during the attack also negatively impacted patient care, with 46% noting increased mortality rates, and 38% noting more complications in medical procedures following an attack,” he added.

It’s clear, then, that ransomware attacks on healthcare providers are contributing to negative patient outcomes, so the takeaway would seem to be that healthcare providers should pay ransom demands.

But on the other hand, every time an attacker gets paid, they are more likely to attack again, which could put more lives at risk.

At some point, a definitive decision needs to be made as to whether the payment of ransom demands should remain an option for victims, and that decision needs to take all of these factors into consideration.

Ransomware attacks targeting healthcare providers put lives at risk, and attackers are keen to leverage the risk to human life to create a sense of urgency that works in their favor in forcing a victim organization to pay a hefty ransom demand.

Healthcare providers are in a terrible position in having to consider not only the financial implications of whether or not to succumb to a ransom demand, but also whether those decisions will result in negative patient outcomes, or possibly even increased patient mortality.

When the health and wellbeing of so many are at stake, it's more than disconcerting that the only response the US government is capable of mounting in response to the attack is to remove some payment processing red tape.

Ransomware attacks of this nature targeting critical infrastructure providers like the healthcare sector demand a more definitive response than this; there is just too much at stake.

At the end of the day, the debate over ransom payments does not address the root cause of the problem, which is the vulnerability of the victim's systems to attacks.

“If we can prevent these attacks from being successful, the ransom payment debate becomes moot,” Miller noted.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.