A February attack on Change Healthcare was enough of a national disruption to prompt federal government action, and now the company is dealing with a second cyber extortion attempt that may involve some of the perpetrators from the first.
Security analysts are speculating that new ransomware gang RansomHub is either a rebrand of BlackCat/ALPHV, which was behind the first Change Healthcare attack, or has onboarded a number of its former members. The second possibility seems more likely at this point as RansomHub was already in operation prior to the BlackCat dissolution. It is thus possible that a prior planted backdoor was used for this new attack, or information about a vulnerability that the company has not shored up.
Cyber extortion attempt follows February ransomware payment
Change Healthcare is one of the largest payment processors in the US for health insurance claims and related matters. The downtime from the February ransomware attack was thus devastating and prompted federal involvement, causing numerous people all over the country to experience delays in getting needed medication that their insurance pays for.
The new cyber extortion attempt does not involve ransomware, but does involve a 4 TB haul of stolen data that includes medical records and billing information for individual patients. It is unclear if this is a fresh theft or recycling of the prior stolen data, possibly brought along to RansomHub by former BlackCat members.
Without ransomware involved, the new cyber extortion scheme should not cause outages and downtime in the health insurance industry. But if the company does not enter payment negotiations by April 20, RansomHub has threatened to sell off the stolen data to the highest bidder. Given what happened recently with LockBit (which was found to be sitting on data it had previously promised to delete after law enforcement went through its seized assets), there is a good chance this will happen eventually anyway.
Change Healthcare facing federal review, patient lawsuits over prior breach
Little has been confirmed about the first Change Healthcare attack. The company has not admitted to making a payment, but security researchers have high confidence that one was made, based on chatter on dark web forums (particularly the angry messages left for BlackCat by the affiliate that conducted the attack and was cheated out of its share) and on movement between Bitcoin wallets after the incident.
With researchers having to speculate, it’s impossible to say if the company is still vulnerable and if prior BlackCat members or a prior affiliate brought that knowledge with them to RansomHub. Change Healthcare is slated to undergo a federal review of its security posture and practices due to the widespread damage caused by the incident, but that looks to be too little too late in terms of preventing follow-on damage.
RansomHub first appeared in February of this year and is still not well-documented, but is believed to be based in Russia due to a statement to affiliates outlining countries it will not conduct operations in (Russia and nations friendly to it, essentially). It also issued a moratorium on attacking “non-profit” organizations, though this goodwill apparently does not extend to disrupting patient care.