Ransomware

Second Ransomware Group Extorting Change Healthcare

RansomHub is extorting Change Healthcare, threatening to release data stolen in a February 2024 BlackCat ransomware attack.

One month after paying cybercriminals to prevent the public release of data stolen in a February 2024 ransomware attack, Change Healthcare is being extorted again, by a different cybercrime group.

Change Healthcare, a subsidiary of health insurance and services company UnitedHealth Group, processes billions of healthcare transactions each year, and the ransomware attack disrupted claims processing and payments for providers and pharmacies across the US healthcare system.

In late February, roughly one week after the incident occurred, the Alphv/BlackCat ransomware gang claimed responsibility for disrupting Change Healthcare’s operations and for stealing over 4TB of data, including personal information, payment details, insurance records, and other types of sensitive information.

A week later, the ransomware group, which had survived a law enforcement takedown attempt in December 2023, announced that it had been raided by the FBI again and that it was closing shop for good.

The move, however, was likely an exit scam: the BlackCat operators were unwilling to share a $22 million ransom payment that UnitedHealth Group apparently made just the day before.

Typically, in a ransomware-as-a-service (RaaS) operation such as BlackCat, 80% of the proceeds go to the affiliate responsible for the intrusion and data theft, and 20% go to the ransomware operators, who supply the malware and infrastructure and handle negotiations with the victims.

Now, one month after BlackCat’s exit scam, a RaaS group named RansomHub has Change Healthcare listed on its leak site, claiming to be in the possession of the 4TB of stolen data and threatening to make it public unless a ransom is paid.

The RansomHub group’s administrators told the research and threat intelligence project Vx-Underground that former BlackCat affiliates are actively joining their operation, thus explaining how they came by the Change Healthcare data.

The fact that Change Healthcare is being extorted again is not surprising. The data stolen in the February attack remained in the hands of the affiliate, who did not receive what they believed they were owed and joined a different group to demand a second ransom payment.

The large, and relatively fast, payment that Change Healthcare made in early March most likely led the cybercriminals to believe that the company would pay up again to keep its customers' information from leaking publicly.

RansomHub is a new RaaS group that first emerged in February 2024 but has already claimed over a dozen victims. The group prohibits attacks on organizations in Cuba, China, North Korea, and CIS countries, as well as on non-profit entities.

At RansomHub, affiliates receive the payments first and keep 90% of the proceeds. For the affiliate behind the Change Healthcare intrusion, this model directly addresses the distrust created by BlackCat's exit scam.

While some theorize that RansomHub could be a BlackCat rebrand, to scare Change Healthcare into paying another ransom, SOCRadar points out that the group’s leak site appeared before the exit scam, suggesting they might be a different operation that acquired former BlackCat affiliates.

Regardless of RansomHub's origins, the fact that Change Healthcare is being extorted again serves as a reminder to all ransomware victims that they should not pay a ransom: payment does not guarantee the return or deletion of stolen data, which remains in the attackers' possession, and it can incentivize the attackers, or anyone else holding a copy of the data, to extort them again.

Related: US Offering $10 Million Reward for Information on Change Healthcare Hackers

Related: Healthcare’s Ransomware Epidemic: Why Cyberattacks Hit the Medical Sector With Alarming Frequency

Related: Healthcare IT Help Desk Employees Targeted in Payment-Hijacking Attacks

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.