The hackers behind one of the most disruptive health care cyberattacks in U.S. history recently received a payment of $22 million, and experts say this suggests the victims may have just paid the gang an enormous ransom.
Health care providers and pharmacies across the nation were left unable to process prescriptions, leaving patients unable to get needed medications after Change Healthcare's payment exchange platform went down with the Feb. 21 cyberattack.
In a now-deleted post on the dark web Wednesday, notorious ransomware group AlphV/BlackCat said it was behind the attack, and Change, which is operated by UnitedHealth Group's subsidiary Optum, confirmed this the following day.
Then on Friday, a Bitcoin address belonging to AlphV hackers received a single transaction payment of 350 bitcoins, which is worth nearly $22 million, according to WIRED and blockchain analysis group TRM Labs. TRM Labs also confirmed the same address can be linked to payments from two other AlphV victims in January.
Two days later, an AlphV affiliate posted to the underground cybercriminal platform RAMP saying the ransomware group cheated them out of their share of the ransom Change paid to "prevent data leakage and decryption key," according to a screenshot from Dmitry Smilyanets, a researcher for security firm Recorded Future.
#ALPHV scamming affiliates? $22M paid and withdrawn pic.twitter.com/0ocKoXNLme
— 𝕯𝖒𝖎𝖙𝖗𝖞 𝕾𝖒𝖎𝖑𝖞𝖆𝖓𝖊𝖙𝖘 (@ddd1ms) March 4, 2024
Groups like AlphV often use affiliates to do the actual hacking with its ransomware and then give the affiliates some of the payouts. But the affiliate said AlphV "kept lying and delaying" their payment until the group finally "emptied the wallet and took all the money."
"Sadly for the target Change Healthcare - OPTUM, their data [is] still with us," the affiliate's post said, per the screenshot.
A United Healthcare spokesperson declined to answer questions from multiple publications on whether it paid a ransom to AlphV, only saying it was, "focused on the investigation right now." But if it did pay the ransom, the affiliate's alleged post suggests "4TB of the critical data" that Change was worried would leak is still under the hackers' control, potentially lending to additional payments if Change wants to prevent a possible leak.
Plus, a ransomware researcher told WIRED that the possible ransom payment sets a dangerous precedent for the increasingly cyberattacked healthcare industry by way of either funding future attacks or suggesting to other hackers that the same plan of action could work for them.
Cybersecurity incident impacting nation's pharmacies
Pharmacies are reporting issues with billing insurance to fill prescriptions.
AlphV/BlackCat is the world's second-most prolific ransomware-as-a-service variant based on the hundreds of millions of dollars in ransoms paid by its victims, the Justice Department said in December. That's when an FBI operation was thought to have crippled the gang by seizing several of its websites and tools, but two months later, it made this attack on Change.
Acting as a pipeline between health care and insurance providers, Change operates 15 billion medical transactions each year, representing more than $1.5 trillion in health care claims, its website states. The Justice Department also says the company manages half of all medical insurance claims in the country.
In claiming responsibility for the attack, AlphV/BlackCat said it accessed 6TB of data used in these claims, including payment and insurance information and medical records. However, the affiliate noted it has 4TB of data from Change and its partners like Medicare, CVS-CareMark, MetLife, Health Net and more.
Beyond patients' security, the attack continues to leave many dependent on Change for financial services scrambling to fill prescriptions, process claims, bill patients, verify insurance coverage, pay employees, refill hospital medication, supply inventories and more.
While it's still unclear when Change's systems will be brought back online, Senate Majority Leader Chuck Schumer (D-NY) called on the Centers for Medicare & Medicaid Services Monday to provide relief to health care providers who are unable to be paid or process claims to ensure patient care can continue to be "top-notch."
"We can't let hackers risk the financial stability of health care providers and even critical care to patients across America. CMS must act now to help our hospitals," Schumer said.