RansomHub Threatens to Extort Change Healthcare


April 8, 2024


In early March, researchers suggested that a $22 million Bitcoin blockchain transaction was evidence that Change Healthcare had paid a ransom to the BlackCat/ALPHV ransomware gang following the attack on what has been described as the largest healthcare payment processor in the US.

BlackCat/ALPHV was then accused of pulling an exit scam to defraud its affiliates of their share of the purported $22 million ransom. Now the threat actor RansomHub is claiming to be in possession of data exfiltrated from Change Healthcare and is attempting to extort the company a second time.

RansomHub is a relatively new operation that claims to be a team of attackers from around the world. It is unclear whether the group has any direct connection to BlackCat/ALPHV or how it came into possession of the data. It is also possible that RansomHub does not hold the stolen data at all and is simply trying to cash in on the earlier attack.

Takeaway: While paying the ransom may seem like a quick fix, it is rarely the best option for businesses or individuals. Ransom payments fund the criminal operations behind these attacks and finance further ransomware campaigns.

Additionally, paying the ransom does not guarantee that the victim's data will be restored. There have been cases where victims paid and the attackers either never provided a decryption key or provided a faulty one, leaving the victim without their data and without their money.

Even where data is restored, paying may invite further attacks: criminals may view a victim that has paid once as an easy target and return for a second round, as the Change Healthcare case illustrates.

Finally, paying the ransom does not address the root cause of the problem, which is the vulnerability of the victim's systems to ransomware attacks. Instead of paying the ransom, victims should focus on implementing preventative measures to protect their data from future attacks.

Ransomware is a business model, and a very lucrative one at that. Ransomware-as-a-Service (RaaS) platforms are run much like legitimate Software-as-a-Service (SaaS) companies, with R&D departments, technical and negotiation support, and more.

It’s obvious that putting trust in known criminals is risky. Research has shown that companies that pay ransomware attackers for a decryption key often do not get all of their data back, or get back corrupted data; that the attackers still leak or sell the stolen data; and that the company is frequently attacked again, often by the same attackers.

Whether to pay ransomware demands remains a contentious question among experts, and each organization must weigh its own specific situation when making the decision.

While some advocate paying, others argue that doing so only encourages cybercriminals to continue their attacks, and that, as noted above, payment neither guarantees the restoration of data nor prevents further extortion.

Instead, organizations should focus on implementing both preventative and organizational resilience measures: protecting their data from future attacks and ensuring they are ready to respond effectively when a ransomware attack does occur. Taking these measures reduces the potential impact of an attack and removes much of the leverage behind a ransom demand.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.