For months, Change Healthcare has been facing a particularly nasty ransomware debacle that has left hundreds of pharmacies and healthcare providers across the country unable to process claims. Now, it may be even more chaotic thanks to the apparent conflict within the ransomware criminal ecosystem.
Last month, ransomware group AlphV claimed credit for encrypting Change Healthcare's network, threatened to leak reams of the company's sensitive medical data, and received a $22 million payout. Evidence published on the Bitcoin blockchain shows that the payment was most likely made by Change Healthcare. The company appears to have given in to the hackers' ransom demands, but has not yet confirmed whether it paid. Now, in what may be a new worst case for ransomware, a different ransomware group claims to be in possession of Change Healthcare's stolen data and is demanding its own payment.
Since Monday, RansomHub, a relatively new ransomware group, has posted on a dark web site that it has 4 terabytes of stolen data from Change Healthcare, and has threatened to sell the data to the highest bidder if Change Healthcare doesn't pay an unspecified ransom. RansomHub told WIRED it is not affiliated with AlphV and “cannot say” how much ransom it is asking for.
RansomHub initially refused to publish or provide WIRED with sample data from its stolen hoard to prove its claims. But on Friday, a representative for the group provided WIRED with several screenshots of what appeared to be patient records, along with a data-sharing agreement between United Healthcare, which owns Change Healthcare, and Emdeon, the company that acquired Change Healthcare in 2014 and later changed its name.
Although WIRED was unable to fully corroborate RansomHub's claims, the samples suggest that this second extortion attempt against Change Healthcare may be more than just a threat. “For those who are doubting that we have the data, and for those speculating on the importance and sensitivity of the data, the image shows the scale and importance of the situation, making it seem unrealistic and childish. That should be enough to uncover a theory,” a RansomHub representative said in an email to WIRED.
Change Healthcare did not immediately respond to WIRED's request for comment on RansomHub's extortion demands.
Brett Callow, a ransomware analyst at security firm Emsisoft, said AlphV did not initially release any data about the incident, and that the origin of RansomHub's data is unknown. “Of course we don't know if the data is real or not. It could have come from somewhere else. But there's nothing to indicate it might not be real,” he said of the data shared by RansomHub.
John DiMaggio, chief security strategist at threat intelligence firm Analyst1, said that after reviewing the information sent to WIRED, he believes RansomHub is “telling the truth and they do have the Change Healthcare data. I believe that,” he said. While RansomHub is a new ransomware threat actor, it is rapidly “gaining traction,” DiMaggio said.
If RansomHub's claims are true, Change Healthcare's already devastating ransomware ordeal could serve as a lesson of sorts about the dangers of trusting ransomware groups to keep their promises even after the ransom has been paid. In March, a person using the name “Notch” posted on a Russian cybercrime forum that AlphV had embezzled that $22 million payment and disappeared without sharing the commission with the “affiliate” hacker who had infiltrated the victim's network on its behalf, as ransomware groups typically arrange.