November 23, 2024

hit again — Change Healthcare faces another ransomware threatand it looks credible Hackers already received a $22 million payment. Now a second group demands money.

Andy Greenberg and Matt Burgess, WIRED.com – Apr 13, 2024 6:25 pm UTC EnlargeiStock / Getty Images Plus reader comments 88

For months, Change Healthcare has faced an immensely messy ransomware debacle that has left hundreds of pharmacies and medical practices across the United States unable to process claims. Now, thanks to an apparent dispute within the ransomware criminal ecosystem, it may have just become far messier still.

In March, the ransomware group AlphV, which had claimed credit for encrypting Change Healthcares network and threatened to leak reams of the companys sensitive health care data, received a $22 million paymentevidence, publicly captured on bitcoins blockchain, that Change Healthcare had very likely caved to its tormentors ransom demand, though the company has yet to confirm that it paid. But in a new definition of a worst-case ransomware, a different ransomware group claims to be holding Change Healthcares stolen data and is demanding a payment of their own.

Since Monday, RansomHub, a relatively new ransomware group, has posted to its dark-web site that it has 4 terabytes of Change Healthcares stolen data, which it threatened to sell to the highest bidder if Change Healthcare didnt pay an unspecified ransom. RansomHub tells WIRED it is not affiliated with AlphV and cant say how much its demanding as a ransom payment.

RansomHub initially declined to publish or provide WIRED any sample data from that stolen trove to prove its claim. But on Friday, a representative for the group sent WIRED several screenshots of what appeared to be patient records and a data-sharing contract for United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and later took its name. Advertisement

While WIRED could not fully confirm RansomHubs claims, the samples suggest that this second extortion attempt against Change Healthcare may be more than an empty threat. For anyone doubting that we have the data, and to anyone speculating the criticality and the sensitivity of the data, the images should be enough to show the magnitude and importance of the situation and clear the unrealistic and childish theories, the RansomHub contact tells WIRED in an email.

Change Healthcare didnt immediately respond to WIREDs request for comment on RansomHubs extortion demand.

Brett Callow, a ransomware analyst with security firm Emsisoft, says he believes AlphV did not originally publish any data from the incident, and the origin of RansomHubs data is unclear. I obviously don’t know whether the data is realit could have been pulled from elsewherebut nor do I see anything that indicates it may not be authentic, he says of the data shared by RansomHub.

Jon DiMaggio, chief security strategist at threat intelligence firm Analyst1, says he believes RansomHub is telling the truth and does have Change HealthCares data, after reviewing the information sent to WIRED. While RansomHub is a new ransomware threat actor, DiMaggio says, they are quickly gaining momentum.

If RansomHubs claims are real, it will mean that Change Healthcares already catastrophic ransomware ordeal has become a kind of cautionary tale about the dangers of trusting ransomware groups to follow through on their promises, even after a ransom is paid. In March, someone who goes by the name notchy posted to a Russian cybercriminal forum that AlphV had pocketed that $22 million payment and disappeared without sharing a commission with the affiliate hackers who typically partner with ransomware groups and often penetrate victims networks on their behalf. Page: 1 2 Next → reader comments 88 WIRED Wired.com is your essential daily guide to what’s next, delivering the most original and complete take you’ll find anywhere on innovation’s impact on technology, science, business and culture. Advertisement Channel Ars Technica ← Previous story Next story → Related Stories Today on Ars