There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. “ALPHV“) as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change’s network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate’s disclosure appears to have prompted BlackCat to cease operations entirely.
Image: Varonis.
In the third week of February, a cyber intrusion at Change Healthcare began shutting down important healthcare services as company systems were taken offline. It soon emerged that BlackCat was behind the attack, which has disrupted the delivery of prescription drugs for hospitals and pharmacies nationwide for nearly two weeks.
On March 1, a cryptocurrency address that security researchers had already mapped to BlackCat received a single transaction worth approximately $22 million. On March 3, a BlackCat affiliate posted a complaint to the exclusive Russian-language ransomware forum Ramp saying that Change Healthcare had paid a $22 million ransom for a decryption key, and to prevent four terabytes of stolen data from being published online.
The affiliate claimed BlackCat/ALPHV took the $22 million payment but never paid him his percentage of the ransom. BlackCat is known as a “ransomware-as-service” collective, meaning they rely on freelancers or affiliates to infect new networks with their ransomware. And those affiliates in turn earn commissions ranging from 60 to 90 percent of any ransom amount paid.
“But after receiving the payment ALPHV team decide to suspend our account and keep lying and delaying when we contacted ALPHV admin,” the affiliate “Notchy” wrote. “Sadly for Change Healthcare, their data [is] still with us.”
Change Healthcare has neither confirmed nor denied paying, and has responded to multiple media outlets with a similar non-denial statement — that the company is focused on its investigation and on restoring services.
Assuming Change Healthcare did pay to keep their data from being published, that strategy seems to have gone awry: Notchy said the list of affected Change Healthcare partners they’d stolen sensitive data from included Medicare and a host of other major insurance and pharmacy networks.
On the bright side, Notchy’s complaint seems to have been the final nail in the coffin for the BlackCat ransomware group, which was infiltrated by the FBI and foreign law enforcement partners in late December 2023. As part of that action, the government seized the BlackCat website and released a decryption tool to help victims recover their systems.
BlackCat responded by re-forming, and increasing affiliate commissions to as much as 90 percent. The ransomware group also declared it was formally removing any restrictions or discouragement against targeting hospitals and healthcare providers.
However, instead of responding that they would compensate and placate Notchy, a representative for BlackCat said today the group was shutting down and that it had already found a buyer for its ransomware source code.
The seizure notice now displayed on the BlackCat darknet website.
“There’s no sense in making excuses,” wrote the RAMP member “Ransom.” “Yes, we knew about the problem, and we were trying to solve it. We told the affiliate to wait. We could send you our private chat logs where we are shocked by everything that’s happening and are trying to solve the issue with the transactions by using a higher fee, but there’s no sense in doing that because we decided to fully close the project. We can officially state that we got screwed by the feds.”
BlackCat’s website now features a seizure notice from the FBI, but several researchers noted that this image seems to have been merely cut and pasted from the notice the FBI left in its December raid of BlackCat’s network. The FBI has not responded to requests for comment.
Fabian Wosar, head of ransomware research at the security firm Emsisoft, said it appears BlackCat leaders are trying to pull an “exit scam” on affiliates by withholding many ransomware payment commissions at once and shutting down the service.
“ALPHV/BlackCat did not get seized,” Wosar wrote on Twitter/X today. “They are exit scamming their affiliates. It is blatantly obvious when you check the source code of their new takedown notice.”
Dmitry Smilyanets, a researcher for the security firm Recorded Future, said BlackCat’s exit scam was especially dangerous because the affiliate still has all the stolen data, and could still demand additional payment or leak the information on his own.
“The affiliates still have this data, and they’re mad they didn’t receive this money, Smilyanets told Wired.com. “It’s a good lesson for everyone. You cannot trust criminals; their word is worth nothing.”
BlackCat’s apparent demise comes closely on the heels of the implosion of another major ransomware group — LockBit, a ransomware gang estimated to have extorted over $120 million in payments from more than 2,000 victims worldwide. On Feb. 20, LockBit’s website was seized by the FBI and the U.K.’s National Crime Agency (NCA) following a months-long infiltration of the group.
LockBit also tried to restore its reputation on the cybercrime forums by resurrecting itself at a new darknet website, and by threatening to release data from a number of major companies that were hacked by the group in the weeks and days prior to the FBI takedown.
But LockBit appears to have since lost any credibility the group may have once had. After a much-promoted attack on the government of Fulton County, Ga., for example, LockBit threatened to release Fulton County’s data unless paid a ransom by Feb. 29. But when Feb. 29 rolled around, LockBit simply deleted the entry for Fulton County from its site, along with those of several financial organizations that had previously been extorted by the group.
Fulton County held a press conference to say that it had not paid a ransom to LockBit, nor had anyone done so on their behalf, and that they were just as mystified as everyone else as to why LockBit never followed through on its threat to publish the county’s data. Experts told KrebsOnSecurity LockBit likely balked because it was bluffing, and that the FBI likely relieved them of that data in their raid.
Smilyanets’ comments are driven home in revelations first published last month by Recorded Future, which quoted an NCA official as saying LockBit never deleted the data after being paid a ransom, even though that is the only reason many of its victims paid.
“If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future,” LockBit’s extortion notes typically read.
Hopefully, more companies are starting to get the memo that paying cybercrooks to delete stolen data is a losing proposition all around.
IOW BlackCat: “take ALL THE money and run.”
Is this really the end of the two most disastrous ransomware groups, or is it the lull before a major storm?
Only time will tell. However, in the meantime, please practice mindfulness and be aware. Reason: Most of the ransomware attacks happen due to phishing attacks.
Most ransomware attacks SUCCEED due to phishing attacks. They HAPPEN because Moscow needs the money.
Great article Brian. It would be good to see a follow up reference any relation to the recent Connect Wise On Premise Screen Connect authentication vulnerability. We are aware of customers in healthcare who were directly impacted and while ConnectWise and Change have denied any relationship, the timing is suspicious.
Ain’t advanced technology great? Yup, we’ve come s long ways. Baby!
The only way to end this continuing ransomware debacle is to make it absolutely illegal to ever make a ransom payment for any reason whatsoever, including the threat of death.
That has always been my argument. If illegal to pay ransomware, then there is no direct financial motive anymore. I suppose a third-party organization could offer a bounty to entice bad actors to try to successfully take down a company, but at least the company itself doesn’t suffer more by paying ransomware. You’ll still get the handful of hacktivists and disrupters who do it for political or societal reasons–or just some kid who does it because they can–but making it illegal would greatly decrease a group’s willingness to launch a cyberattack for very little compensation.
Also, the attacked company should be held responsible for not securing their data and leaking our information. In the end, the clientele are the true victims.
A lot of assumptions in this statement. Even the most protected/secured business is not going to be immune to a compromise from ever occurring. All businesses generally employ humans still. As long as this dependence upon humans remains then a compromise is possible.
What you are proposing is akin to punishing a rape victim.
Yes, humans are vulnerable, but taking out the incentive is a giant step. If Companies will focus on a robust backup and restoration program, there will be no need to reward criminals.
Disagree, Change Health is NOT the victim, the patients and healthcare providers are. United Healthcare repeatedly cuts corners when it comes to protection of protected health information, not shocking they’d do the same with their Clearinghouse systems. At the end of the day, they don’t want to pay claims for medically necessary services. This has quite honestly benefitted them while 200 of my patients face delays for medications and my colleagues and I don’t get reimbursed for services.
Has there been any response from United Healthcare?
Yeah! Put the victims in jail! American way.
There’s no guarantees that works out as advertised.
Paying a ransom is not the act of being victimized.
That’s a decision to go along with a scam.
The alternative is having a proper backup regime.
It’s not just about a proper back-up regime, as you put it. Ransomware isn’t just the encryption of data, it’s also about the release of sensitive information. That said, they are not going along with the scam, they are trying to mitigate the risk to their business and clients. If it were just as simple as a back-up, that would be different.
“not just about a proper back-up regime” … you are right here, BUT;
“they are trying to mitigate the risk” … your are completely wrong here.
They should be mitigating the risk BEFORE any intrusion, not AFTER. By then, ANY action taken is just a band-aid strategy not addressing the ROOT cause. If C Suite have the resources to pay a ransom, then they bloody well should have invested that on a comprehensive harm reduction strategy way BEFORE, not AFTER the fact. Executives should be held accountable for these decisions, because continually financing criminals just emboldens them and hand delivers them the resources to dramatically upscale their operations. We don’t pay kidnap ransoms, why pay data ransoms?
Exactly. Relying on trust in criminals (who have already exploited your security, possibly all the way) to just “forget” your client data / secrets / security vulns ongoing… why, because you paid the ransom demanded? How simplistic. The data is in their hands and now you made them millions richer by believing international criminal groups live by some code of thieves and they won’t maximize their haul every single time. It’s a second fail, not realized protection of client data. Even if one in 10 may honor the deal, the data could resurface at any point down the road with yet another demand, and why wouldn’t it?
It’s not just about a proper back-up regime, as you put it. Ransomware isn’t just the encryption of data, it’s also about the release of sensitive information. That said, they are not going along with the scam, they are trying to mitigate the risk to their business and clients. If it were just as simple as a back-up, that would be different.
If live customer deets in plaintext are accessible to the malware,
that is a _further_ fail. You’re right, a backup won’t solve that.
But paying ransom just as obviously is no guarantee of mitigation
of that threat either, companies are choosing to give into demands.
The point of compromise was initial infection. Paying is a choice.
You say you cooperate with hijackers in the best interests of xyz,
investors/clients/etc, but that’s a gamble in an unreliable casino,
after you’ve already lost their data and failed the game.
That some mere 20% of these (ceiling) are being reported should
make it plain enough that neither trusting companies to report nor
mitigate internally via payments to criminal groups is effective nor wise,
and if they’re not reporting that critical PII lives in a security void
where the victims are not even aware that they’ve been compromised.
If you make it illegal to pay ransom, then people who are extorted will stop disclosing their attacks to the FBI.
So make a law mandating disclosure of x attacks, audit accordingly.
Make them include that in quarterly reports. Or else fines.
The parent company, United Healthcare, needs sanctioned hard. Besides heavy fines they should be banned from doing any government business for ten years and forced to handover its existing business to the Feds for redistribution. Until the Feds hit companies in their pocketbooks nothing will change b
Oh yes, l et the feds redistribute it. I don’t see any harm in that. How many feds do you know that became million/billionaires after leaving civil service jobs? Look at Obama who is now a billionaire. How about Biden? How about many of the senators, congressman that are supposedly only making roughly $53k a year. Please….. The government are the biggest crooks. WE should go back to carbon copies and recycled paper. Old Fashioned fax machines. The world is so much faster now, but also so much more dangerous.
GOD HELP US ALL
@Frank Making bitcoin illegal would have the same effect, and might be much easier.
I disagree. The Treasury Dept./Biden administration, could de facto make it illegal to pay a ransom by simply listing and doxing everything they know about every known ransomware group. And then just list every new group that comes online. No need to pass new laws. Granted, they would probably need orders of magnitude more resources than they have now to do that. But it could be done.
It’s not different from laws on the books saying corporations can’t bribe foreign officials. Companies still get caught doing this and the fines are huge, and may include criminal charges. A lot of people argue though that outlawing payment to ransomware groups will unfairly advantage small companies unable to absorb a (maybe) $50M fine for paying. But you don’t hear them making the same argument about not being able to bribe people.
Anyway, in most cases, they are paying people in a country that is already heavily sanctioned by the United States, if not specifically by OFAC.
Why would anyone make it illegal? Then the victim loses twice?! Sounds like the American way! This strategy would promote cybercriminals to attack more because they would be getting away with it. This is just like saying, citizens with guns to protect themselves from criminals should give up their guns because of the crimes committed with guns. The criminal is always going to be a criminal! The only defence is paying the ransom.
No way to say that the attacks would continue (or as you conjecture increase) – if the profit motive is removed there is no reason to attack.
It’s the American way– where criminals have more rights and protection than the actual victims. Look at all the comments here. How is c Suite folks supposed to bw on the hook for their idiot customers and workers from pressing that phishing scam email? One comment I do like–blow them up with drones or whatever. Shoukd put all out effort to take these groups out.
The C suite are responsible for managing the company’s risk, this includes cyber risk. If they don’t have appropriate mitigating factors in place, and ensure their staff are appropriately trained to use them, then they deserve to be personally responsible.
“The only defense is paying the ransom.” No. The only defense, currently, is to have the correct controls in place to be as best defended against this as possible. That includes a comprehensive backup regime, disaster recovery planning and practice, employee training to recognize threats, etc.
You’re right, that’s most of it.
“A lot of people argue [that]…”
People, or the big companies (who could more easily afford to invest in better cybersecurity)?
We need to just start blowing these idiots up with drones
Second that. No mercy for scammers and those like these groups is the only way.
Drones is the wrong way, too messy and leads to international repercussions. There is a better way. Think more the movie “Munich”… But lets not kid ourselves. A lot of times these individuals are “protected” because of their state connections, and you have to pinpoint them in the first place. Good luck!
I thought contracts were one of the benefits of crypto currency, you could create a rule on the wallet that when X is inserted, y % of x is transfered to another wallet.
Most likely such a contract would be set up by the person receiving the funds, not the affiliate. Therefore the affiliate couldn’t trust it.
Besides, they could just give the victim a different address.
The point of a smart contract is that there is no need to « trust it » as anyone can read it on the blockchain.
If an affiliate manages to compromise an organization in order to deploy a ransomware, the affiliate can easily find the wallet address given to the organization by the ransomware.
As long as there is a disparity in the standard of living between societies globally, cyber risk will NEVER disappear. It’s human nature to want what others have and you have not. Burying your head in the sand and pretending it doesn’t exist or will just magically stop, upon ransom payment, is delusional and requires a reality check.
That $22 million could have gone a long way towards increased defensive security systems, staff and internal education, but no, for C-Suite it’s all about risk management. Oh, and we’re insured of course. Mmm, that aged well didn’t it? Might have to fork out again. Who can we blame now?
I can’t understand why government, shareholder/investors and the general public who are the ultimate victims in these events, are not holding executives accountable for the catastrophic decisions they make.
Do you hear that? … Crickets!
There is no accountability in business or politics (both being government), only profits and fines. The people no longer have any expectation of good in the world. We are all just waiting to die these days.
It shows once again how much money health insurance companies have in the U.S. and how cavalier they are about it and about our data.
How is the word “credibility” even feasible when the subject is a “ransomware group?” This story reads like ransomware is a public service and rhe feds are the bad guys.
What a mess, no wonder there’s NIST 2.0 to add govern.
Do we actually have the scenario right? What a great double scam this would be if the FBI actually did seize BlackCat and was doing a Iran-Contra style operation… We know that human greed motivates many actions. However, if you’re an enterprise like BlackCat, you won’t have affiliates if you don’t pay, and without affiliates, how do you develop an income stream? An exit scam based on greed is a valid scenario, but in the long term if they plan on staying in business it probably shoots them in the foot. These actors over the years haven’t seemed stupid, so…
What?! There truly is no honor amongst thieves!?!?!
I am shocked! Shocked, I say!
I’m also rolling on the floor laughing…
Wouldn’t Nubeva’s “Ransomware Reversal” technology obviate all these ransomware headaches? I don’t understand why more companies don’t use it. Can Mr. Krebs explain any drawbacks that I’m missing? Thanks!
As I noted in an earlier post above, these threats will NEVER disappear.
Ransomware has existed since the late 80’s, however widespread attacks really took off with the emergence of cryptocurrencies in the 2010’s and even then it was generally spray and pray attempts that usually failed against corporate infrastructure and only caught the little fish. AV and security vendors upped their game, whilst security consultants got wise and advocated solid backup regimes ie; online, offline and off-premise was the mantra. Get infected? Fine. Wipe drive and reinstall last known working backup. Lose at most 24 hrs or less data. No major problem. Back up and running in within 24hrs. Pay no ransom. Sorted.
Threat actors have evolved and now avoid low hanging fruit by targeting specific victims with bigger wallets and more to lose if infected and therefore more incentive to pay. Their tactics now are way more advanced. They now implement a double extortion strategy performed by different affiliates within the threat chain group. One affiliate will write the ransomware code itself. Another will penetrate and gain access credentials. Yet another will perform reconnaissance and exfiltrate sensitive data. And lastly someone will activate the ransomware and negotiate payment. If you get encrypted and revert to backups, they will just extort you for the destruction of your stolen data. And every affiliate will put their hand out for a slice of the cake.
Good security teams already use a multi layered approach to defend their systems, utilizing a vast array of hard and soft techniques in their play book, that would be highly dependent on the entities specific needs. Having said, that a lot of security people see Nubeva’s product as just an alternative to backup and disaster recovery. If ransomware is in your systems, why bother decrypting, just revert to a clean backup. It is only a band-aid strategy that doesn’t address the root cause, that is, a solid line of defence and education. Better to invest in security awareness and create a culture of trust within your organisation. Humans are always the weakest link.
“Put the AI in charge of security.”
8:02 AM, Los Angeles.
Considering thousands of sick people on maintenance drugs are now at risk of death, attempted murder, and murder charges should be coming soon.
How does any company not notice four terabytes of its mission critical data being stolen?
Can’t say I am surprised. Too bad the statement the ransomware was for greed and not to make a statement. I own a healthcare provider business. Insurance companies are the worse. They make companies like mine jump through hoops to be paid for services provided, even though the care was authorized. They change rates without notice. It’s a stupid game they play with people’s lives
What?! There truly is no honor amongst thieves!?
Do we actually have the scenario right
Is there any information on what was the root-cause in the Change Health attack vector? Any write-ups? There were some unverified claims made on relatiohship to the ConnectWise vulnerability – but I have not seen it substantiated. Insights?
They are still restoring services. I’m not aware of any such details. And I doubt the company or the people they hired will know (or say) for some time yet, if at all.
It seems to be part of the problem. No?
I wonder how this will be taken in the ransomware as a service cybercrime world where it has paid well over the last few years of brand messaging that “if you pay you’ll be provided with the decryption keys and we’ll quietly move on.”
They collect their bitcoin, pay generously to their malicious insider, and later they or a partner circle back to target the same victim again for a second payday before they can get their act together.
Blackcat has not only stabbed their partner/client in the back and left them potentially holding a bag of stolen data but has damaged the (you hate to say it) business model of ransomware as a service. Other bad-actor groups may not appreciate that. You don’t throw rocks in the fishing hole; it scares the fish.
One of the forgotten or overlooked victims of this cyber attack are small, independent medical practices. How are we to survive on the remaining trickle of income?
One of the overlooked or forgotten victims of this latest cyber attack are the small, independent medical practices. The UnitedHealtcare/Optum “emergency funds” are miserably small – $250.00. Really???!!!! How are we to survive financially on a thin trickle of our normal revenue?
These supposed disagreements between “Notchy” and BlackCat ALPHV are going to resurface as Cyber insurance and other insurance claims and coverage disputes proceed into future arbitration and litigation. The chaos has just begun!