Connect with us

Hi, what are you looking for?



US Offering $10 Million Reward for Information on Change Healthcare Hackers

The US is offering a reward of up to $10 million for information on BlackCat ransomware affiliates that targeted US critical infrastructure.

The US Department of State on Wednesday announced a reward of up to $10 million for information on Alphv/BlackCat ransomware operators and affiliates.

Active since 2021, the ransomware group has made over 1,000 victims worldwide, including MGM Resorts, NCR, Reddit, Swissport, and Western Digital.

The group is also responsible for the disruptive attack on Change Healthcare in February, which  impacted over 100 applications at the healthcare transactions processor, preventing over 7,000 pharmacies and hospitals from processing prescriptions.

In December 2023, US law enforcement took down BlackCat’s infrastructure after gaining access to panels the group was using for communication, and announced in February that it was offering a $10 million reward for information on the cybergang’s key members.

In response to the takedown, the group announced it was lifting all restrictions imposed on affiliates, allowing them to target any type of organization. Change Healthcare is the first major organization in the healthcare sector to have been compromised by BlackCat.

On Wednesday, the US reiterated its reward offer, noting that the group conducted “malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA)”, and that it was also looking for information on affiliates.

“The Alphv BlackCat ransomware-as-a-service group compromised computer networks of critical infrastructure sectors in the United States and worldwide. Alphv BlackCat operated as a ransomware-as-a-service business model in which the group’s members developed and maintained the ransomware variant and then recruited affiliates to deploy the ransomware. Alphv BlackCat and its affiliates then shared any paid ransoms,” the Treasury Department says.

“We encourage anyone with information on Alphv BlackCat actors, their affiliates, activities, or links to a foreign government to contact Rewards for Justice via the Tor-based tips-reporting channel [requires the Tor browser],” the announcement reads.

Advertisement. Scroll to continue reading.

While the announcement does not mention Change Healthcare, the mentioning of BlackCat affiliates hints that the offer was renewed as a result of this incident.

The attack was perpetrated by an affiliate who claimed to have exfiltrated terabytes of data from the organization. While Change Healthcare reportedly paid a $22 million ransom to recover the data, the BlackCat operators pulled an exit scam, refusing to pay the typical share of the proceeds, prompting the affiliate to make new threats regarding the leak of the allegedly stolen data.

In the meantime, UnitedHealth, Change Healthcare’s parent company, announced that it has restored most of its systems and services, including the claims network, and that several cybersecurity companies helped it with securing its network, hunting for malicious activity, hardening defenses, and testing the re-deployed systems for security issues.

Related: US Offers $10M Reward for Information on Hive Ransomware Leaders

Related: Healthcare’s Ransomware Epidemic: Why Cyberattacks Hit the Medical Sector With Alarming Frequency

Related: Critical Infrastructure Organizations Warned of Phobos Ransomware Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


Alphv/BlackCat ransomware group files SEC complaint against MeridianLink over its failure to disclose an alleged data breach caused by the hackers.


Johnson Controls has confirmed being hit by a disruptive cyberattack, with a ransomware group claiming to have stolen 27Tb of information from the company.