RansomHub Has Change Healthcare Data – BlackCat/ALPHV Rebrand?


April 15, 2024

World map

RansomHub, a new threat actor on the cybercrime scene, is claiming to be in possession of data stolen from Change Healthcare, a major player in US healthcare payment processing.

This comes after allegations that Change Healthcare paid a $22 million ransom to the BlackCat/ALPHV ransomware gang based on a significant Bitcoin transaction.

“A $22 million ransom payment allegedly made by Optum, which is supported by blockchain transaction records associated with ALPHV/BlackCat, was apparently stolen by the ransomware-as-a-service (RaaS) in an exit scam,” SC Media reports.

“The group reportedly published a fake law enforcement takedown notice on their leak site before disappearing with the full $22 million, leaving the affiliate who performed the breach, known as ‘notchy,’ empty-handed.”

Wired says members of RansomHub sent the magazine proof they have the Change Healthcare data, including “samples of patient records and a contract that appear to have been taken from Change Healthcare.”

Takeaway: The incident underscores the risks associated with paying ransoms to cybercriminals. While it might appear as a quick solution, it often exacerbates the problem by fueling further attacks and enriching criminal enterprises.  

Moreover, there's no guarantee that paying the ransom will result in the recovery of data or prevent future attacks. Ransomware operations function akin to legitimate businesses, with sophisticated structures and services, making them formidable adversaries.

Furthermore, paying a ransom demand does not address the root cause of the attack, which is the vulnerabilities in the victim's systems that make them susceptible to ransomware attacks.  

Paying a ransom demand does nothing to evict the attackers from the victim’s environment, so the likelihood that they will be extorted again is high.  

And even if the attackers honor the ransom agreement, the network is still vulnerable to attacks from other ransomware operators.

This situation also highlights the fact that ransomware groups are extremely difficult to track, as there is growing consensus that there has been a series of rebrands for the same threat actors: DarkSide > BlackMatter > BlackCat/ALPHV > RansomHub.

It also calls into question the effectiveness of law enforcement takedown actions. For example, BlackCat/ALPHV hit Change Healthcare months after law enforcement takedown attempt, and LockBit attacked Trans-Northern Pipelines, Prudential Financial, and LoanDepot after takedown attempt.

Organizations should focus on implementing both preventative and operational resilience measures to protect their network from future incidents and assure the organization is ready to respond effectively to a ransomware attack. By taking these measures, organizations can reduce the potential impact of a ransomware attack.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.