For months, Change Healthcare has been dealing with an immensely complicated, months-long ransomware debacle that has left hundreds of pharmacies and doctors’ offices across the United States unable to process claims. Now, thanks to an apparent dispute within the criminal ransomware ecosystem, it may have become even more complicated.
Last month, the AlphV ransomware group, which had taken credit for encrypting Change Healthcare’s network and threatened to leak a large amount of the company’s sensitive healthcare data, was paid $22 million: evidence , captured publicly on the Bitcoin blockchain, that Change Healthcare had most likely given in to its tormentors’ ransom demand, although the company has yet to confirm that it paid. But in a new worst-case definition of ransomware, a different The ransomware group claims to be in possession of the stolen Change Healthcare data and demands payment of its own.
Since Monday, RansomHub, a relatively new ransomware group, has posted on its dark website that it has 4 terabytes of data stolen from Change Healthcare, which it threatened to sell to the “highest bidder” if Change Healthcare did not pay an unspecified amount. rescue. RansomHub tells WIRED that it is not affiliated with AlphV and that it “cannot say” how much it is demanding in ransom payment.
RansomHub initially declined to publish or provide WIRED with sample data from that stolen treasure to prove its claim. But on Friday, a representative of the group sent WIRED several screenshots of what appeared to be patient records and a data-sharing contract for United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and then took his name.
While WIRED was unable to fully confirm RansomHub’s claims, the samples suggest that this second extortion attempt against Change Healthcare may be more than an empty threat. “For anyone who doubts that we have the data, and for anyone speculating about the criticality and sensitivity of the data, the images should be enough to show the magnitude and importance of the situation and clarify childish and unrealistic theories” , says the RansomHub contact. WIRED in an email.
Change Healthcare did not immediately respond to WIRED’s request for comment on RansomHub’s extortion lawsuit.
Brett Callow, a ransomware analyst at security firm Emsisoft, says he believes AlphV did not originally publish any data from the incident and that the origin of the RansomHub data is unclear. “Obviously I don’t know if the data is real (it could have been pulled from somewhere else), but I also don’t see anything that indicates it’s not authentic,” he says of the data shared by RansomHub.
Jon DiMaggio, chief security strategist at threat intelligence firm Analyst1, says he believes RansomHub is “telling the truth and has the data from Change HealthCare,” after reviewing the information submitted to WIRED. While RansomHub is a new ransomware threat actor, DiMaggio says, they are quickly “gaining momentum.”
If RansomHub’s claims are real, it will mean that the already catastrophic Change Healthcare ransomware experience has become something of a warning about the dangers of trusting ransomware groups to keep their promises, even after paying the ransom. In March, someone calling himself “notchy” posted on a Russian cybercriminal forum that AlphV had pocketed that $22 million payout and disappeared without sharing a commission with “affiliated” hackers typically associated with ransomware groups. and often penetrate victims’ networks. On your part.