ALPHV/BlackCat threatens to leak data stolen in Change Healthcare cyberattack

The ALPHV/BlackCat ransomware group has claimed responsibility for the cyberattack that targeted Optum, a subsidiary of UnitedHealth Group (UHG), causing disruption to its Change Healthcare platform and affecting pharmacy transactions across the US.


ALPHV/BlackCat is back

In December 2023, US law enforcement shut down the ransomware group’s websites, and the FBI released a decryption tool. Despite this setback, the group quickly recovered and resumed its activities.

On Wednesday, the group published a statement on their leak site, claiming that they stole 6TB of Change Healthcare’s sensitive data, including:

  • Personally identifiable information (PII) belonging to US military/navy personnel
  • Medical records
  • Dental records
  • Payments information
  • Claims information
  • Patients’ PII including phone numbers, addresses, Social Security numbers, emails, etc.
  • 3000+ source code files for Change Healthcare solutions
  • Insurance records, and more.

They have also listed Change Healthcare partners that they say are affected, claiming to hold their sensitive data as well.

Optum updated its security notice yesterday, stating that it is still working on restoring the impacted Change Healthcare systems, and assuring customers that Optum, UnitedHealthcare and UHG systems have not been affected.

Healthcare organizations should be on the lookout

On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS) published a joint cybersecurity advisory about the ALPHV/BlackCat group, noting its recent focus on targeting US healthcare organizations.

“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized,” the agencies said, and speculated that it’s a consequence of ALPHV/BlackCat administrator’s post encouraging its affiliates to target hospitals after the December 2023 takedown.

In the advisory, the agencies outlined the group’s latest tactics, techniques and procedures (TTPs).

To gain initial access, ALPHV/BlackCat affiliates use social engineering techniques and open-source research to obtain user credentials. They then deploy remote access software such as AnyDesk, Mega sync, and Splashtop to prepare for data exfiltration, and additional legitimate remote access and tunneling tools for further access.

After moving the victims’ data to their Mega.nz or Dropbox accounts, they deploy the ransomware and encrypt the data.

“ALPHV/BlackCat affiliates offer to provide unsolicited cyber remediation advice as an incentive for payment, offering to provide victims with ‘vulnerability reports’ and ‘security recommendations’ detailing how they penetrated the system and how to prevent future re-victimization upon receipt of ransom payment,” the agencies noted.

FBI, CISA, and HHS have provided indicators of compromise (IoCs) and urge organizations to implement recommendations to minimize the possibility of falling victim to a ransomware attack launched by ALPHV/BlackCat or its affiliates.

UPDATE (March 5, 2024, 07:05 a.m. ET):

As some US healthcare providers struggle to keep afloat due to the disruption of Change Healthcare’s systems after the recent attack, the infamous ransomware-as-a-service operator has received a $22 million payment (in Bitcoin) and is apparently refusing to share part of it with the affiliate that executed the attack.

Optum/Change Healthcare has declined to confirm or deny the payment claims.

In related news, cybersecurity analyst Dominic Alvieri pointed out that the new ALPHV BlackCat leak site – created after the December 2023 takedown of ALPHV/BlackCat’s websites by US law enforcement – now also sports a notice saying it had been seized by the FBI.

UPDATE (March 6, 2024, 05:45 a.m. ET):

According to Fabian Wosar, head of ransomware research at Emsisoft, the new takedown notice has been put there by the ransomware group.

“I also reached out to contacts at Europol and the NCA, and neither of them had any idea what I was even talking about and declined any sort of involvement. So again, this is a poor attempt by ALPHV/BlackCat to hide their exit scam. Don’t fall for it,” he said.
