Change Healthcare Ransomware Fallout: The $22 Million Affiliate Scam…
The U.S. healthcare giant Change Healthcare has reportedly made a $22 million ransom payment to the notorious BlackCat ransomware group (ALPHV). The payment comes as the company works to restore services following a cyberattack that has disrupted prescription drug services across the nation for several weeks. Shortly after the payment, the BlackCat (ALPHV) ransomware gang shut down its servers, reportedly after scamming an affiliate involved in the Optum attack out of the $22 million. The Tox messaging account used by the BlackCat ransomware operator now displays a message in Russian: “Все выключено, решаем,” meaning “Everything is off, we decide.” The shutdown may be connected to claims made by an individual identifying themselves as a long-time ALPHV/BlackCat affiliate involved in the Optum attack. They allege that ALPHV suspended their affiliate account and fled with the $22 million ransom, supposedly paid by Optum for the Change Healthcare attack.
The Timeline of the Change Healthcare Cyberattack
Initial Compromise and Data Leakage
Reports from the Menlo Labs Threat Intelligence team suggest that Change Healthcare’s operations touch the healthcare data of nearly every American. This is concerning given the volume of data involved: around 4TB of US citizens’ data is reportedly held by the swindled ex-affiliate of ALPHV/BlackCat. The compromised information encompasses a wide array of personal and medical details, notably including data from critical national healthcare programs such as Medicare and TRICARE. The leakage of such sensitive data not only poses a direct threat to the privacy and security of millions of beneficiaries, but also has broader implications for national security. Given the extensive and detailed nature of the information potentially accessed, this incident underscores the importance of strengthening cybersecurity measures around critical healthcare infrastructure and data systems.
The Ransom Payment and BlackCat’s Exit Strategy
While it is reasonable to assume that Change Healthcare has significant influence across the American healthcare landscape, claims that the attackers hold all Americans’ healthcare data should be approached cautiously without solid evidence. Additionally, as of February 28th, 2024, Change Healthcare was still listed on the site. The situation surrounding Change Healthcare has shifted significantly with the emerging scandal inside the BlackCat ransomware group and suggestions of involvement by Chinese state-sponsored entities. However, these allegations of Chinese state-sponsored associations lack validation, and we are closely monitoring developments. While it is plausible that the purported BlackCat affiliate is associated with a Chinese nation-state operation, a definitive conclusion requires substantial evidence from credible sources.
Analyst Commentary and Evidence
Notchy’s Allegations and the Exit Scam Theory
Analyst comment: some of our HUMINT sources with direct contact to Notchy say there is a high probability that Notchy is associated with China nation-state groups. Many analysts in the community have commented on the unfolding story, suggesting, ‘This appears to be a classic exit scam’. In such a scam, perpetrators feign operational shutdown, covertly misappropriate their collaborators’ funds, and potentially re-emerge under a different guise. Our analysis aligns with this perspective, leading us to consider an exit scam a highly probable explanation. Below, we present the evidence that underpins our conclusion, alongside potential implications for stakeholders and the broader cybersecurity ecosystem.
Dark Web Forums and Notchy’s Emergence
Analyst Comment: Please be advised that the following analysis was conducted in a secure environment, employing industry-standard methodologies for data collection. Information had to be redacted and/or removed due to its sensitivity. We may be able to provide more information in a TLP Red environment. In light of numerous researchers referencing the above photo, we conducted a thorough analysis of discussions on Ramp—a dark web forum known for its entry barrier, either a $500 USD fee or admin approval—to glean insights into this thread. Below, we outline key takeaways from the forum discussions, emphasizing the parts that shed light on the evolving situation. On March 03, 2024, at 03:43 PM UTC, a forum user identified as ‘notchy’ initiated a thread claiming to be the affiliate responsible for the ransomware attack on Change Healthcare. According to Notchy, despite the company’s alleged payment of the ransom, they have not received their promised compensation.
Implications and Future Outlook
Cybersecurity Measures and Healthcare Infrastructure
The Change Healthcare ransomware incident serves as a stark reminder of the critical need for robust cybersecurity measures in the healthcare sector. The leakage of such a vast amount of sensitive data highlights the potential for significant harm to both individuals and national security. As such, it is imperative for healthcare providers, insurers, and other stakeholders to prioritize cybersecurity and invest in measures to protect against such attacks. This includes implementing strong encryption, regular security audits, and employee training programs to ensure awareness of potential threats.
The Rise of Ransomware as a Service and the Exit Scam Phenomenon
The Change Healthcare incident is also a testament to the growing trend of ransomware-as-a-service (RaaS) and the associated exit scam phenomenon. As ransomware groups become more sophisticated and professionalize their operations, they are increasingly likely to employ tactics such as exit scams to misappropriate funds and evade detection. This trend poses significant challenges for both victims and law enforcement, who must adapt their strategies to counter these evolving threats. Additionally, the involvement of alleged Chinese state-sponsored entities adds another layer of complexity to the situation, raising questions about the broader geopolitical implications of cybercrime.
Conclusion
The Change Healthcare ransomware incident is a stark reminder of the ongoing cybersecurity challenges faced by the healthcare sector. The leakage of sensitive data, the alleged ransom payment, and the subsequent exit scam tactics employed by the BlackCat ransomware group highlight the need for robust cybersecurity measures and a proactive approach to countering evolving threats. As the situation continues to unfold, it is crucial for stakeholders to stay informed and adapt their strategies to ensure the protection of both individuals and critical infrastructure.
FAQ
What is the Change Healthcare ransomware incident?
The Change Healthcare ransomware incident refers to a cyberattack on the U.S. healthcare giant, Change Healthcare, which resulted in the leakage of sensitive data and a reported ransom payment to the BlackCat ransomware group (ALPHV).
How much data was compromised in the Change Healthcare ransomware incident?
Reports suggest that around 4TB of US citizens’ data was compromised in the Change Healthcare ransomware incident.
What is the exit scam phenomenon in the context of ransomware?
The exit scam phenomenon refers to a tactic employed by ransomware groups, where they feign operational shutdown, covertly misappropriate their collaborators’ funds, and potentially re-emerge under a different guise. This tactic is becoming increasingly common as ransomware groups professionalize their operations.
What are the implications of the Change Healthcare ransomware incident for cybersecurity?
The Change Healthcare ransomware incident highlights the critical need for robust cybersecurity measures in the healthcare sector. It underscores the potential for significant harm to both individuals and national security, and serves as a reminder of the ongoing challenges posed by evolving cyber threats.
What can be done to prevent similar incidents in the future?
To prevent similar incidents in the future, healthcare providers, insurers, and other stakeholders should prioritize cybersecurity and invest in measures such as strong encryption, regular security audits, and employee training programs. Additionally, a proactive approach to countering evolving threats is essential to ensure the protection of both individuals and critical infrastructure.