Connect with us

Hi, what are you looking for?



Second Ransomware Group Extorting Change Healthcare

RansomHub is extorting Change Healthcare, threatening to release data stolen in a February 2024 BlackCat ransomware attack.

One month after paying cybercriminals to prevent the public release of data stolen in a February 2024 ransomware attack, Change Healthcare is being extorted again, by a different cybercrime group.

Change Healthcare, a subsidiary of health insurance and services company UnitedHealth Group, processes billions of healthcare transactions each year, and the ransomware attack crippled the healthcare system throughout the US.

In late February, roughly one week after the incident occurred, the Alphv/BlackCat ransomware gang claimed responsibility for disrupting Change Healthcare’s operations and for stealing over 4TB of data, including personal information, payment details, insurance records, and other types of sensitive information.

A week later, the ransomware group, which had survived a law enforcement takedown attempt in December 2023, announced that the FBI raided them again and that they are closing shop for good.

The move, however, was likely an exit scam, as the BlackCat operators were unwilling to share a $22 million ransom payment that UnitedHealth Group apparently made just the day before.

Typically, in a ransomware-as-a-service (RaaS) operation such as BlackCat, 80% of the proceeds go to the affiliate responsible for the intrusion and data theft, and 20% go to the ransomware operators, who provide the malicious code, infrastructure, and are responsible for negotiating with the victims.

Now, one month after BlackCat’s exit scam, a RaaS group named RansomHub has Change Healthcare listed on its leak site, claiming to be in the possession of the 4TB of stolen data and threatening to make it public unless a ransom is paid.

The RansomHub group’s administrators told the research and threat intelligence project Vx-Underground that former BlackCat affiliates are actively joining their operation, thus explaining how they came by the Change Healthcare data.

Advertisement. Scroll to continue reading.

The fact that Change Healthcare is being extorted again is not surprising. The information stolen during the February attack was in the possession of the affiliate, who did not receive what they believed they were owed, and decided to join a different group to demand another ransom payment.

Most likely, the large – and relatively fast – payment that Change Healthcare made in early March led the cybercriminals to believe that the company will most likely pay up again to keep its customers’ information from leaking publicly.

RansomHub is a new RaaS group that first emerged in February 2024, but which already made over a dozen victims. The group prohibits attacks on organizations in Cuba, China, North Korea, and CIS countries, as well as on non-profit entities.

At RansomHub, affiliates receive the payments first and get to keep 90% of the proceeds. For the Change Healthcare hacker, this addresses the distrust caused by the exit scam.

While some theorize that RansomHub could be a BlackCat rebrand, to scare Change Healthcare into paying another ransom, SOCRadar points out that the group’s leak site appeared before the exit scam, suggesting they might be a different operation that acquired former BlackCat affiliates.

Regardless of RansomHub’s origins, the fact that Change Healthcare is being extorted again serves as a reminder to all ransomware victims that they should not pay a ransom, as that would not guarantee the return or deletion of stolen data and could incentivize the attackers to extort them again.

Related: US Offering $10 Million Reward for Information on Change Healthcare Hackers

Related: Healthcare’s Ransomware Epidemic: Why Cyberattacks Hit the Medical Sector With Alarming Frequency

Related: Healthcare IT Help Desk Employees Targeted in Payment-Hijacking Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

Joe Levy has been appointed Sophos' permanent CEO, and Jim Dildine has been named the company's CFO.

CISA executive assistant director for cybersecurity Eric Goldstein is leaving the agency after more than three years.

More People On The Move

Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


Alphv/BlackCat ransomware group files SEC complaint against MeridianLink over its failure to disclose an alleged data breach caused by the hackers.


Johnson Controls has confirmed being hit by a disruptive cyberattack, with a ransomware group claiming to have stolen 27Tb of information from the company.