That affiliated hacker also wrote that in their penetration of Change Healthcare’s network, they gained access to the data of numerous other healthcare companies that worked with the company. If that claim is correct, Smilyanets from Recorded Future emphasizes, there is an additional risk that the connected hacker still has sensitive medical information. Even if Change Healthcare were to pay AlphV, the affiliated hacker could still demand additional payment or leak the data independently.
“The affiliates still have this data and are angry that they have not received this money,” says Smilyanets. “It’s a good lesson for everyone. You can’t trust criminals; their word is worth nothing.”
In terms of ransomware payments, $22 million would represent a remarkably profitable score for AlphV. Only a relatively small number of ransoms in the history of ransomware, such as the $40 million payment by the financial firm CNA to the hackers known as Evil Corp, have been this large, says Emsisoft’s Callow. “It’s not unprecedented, but it’s certainly very unusual,” he says.
Regardless of whether Change Healthcare is confirmed to have paid that ransom, the attack shows that AlphV has made a troubling comeback: In December, it was the target of an FBI operation that seized its dark web sites and released decryption keys that foiled its attacks on hundreds of victims. Just two months later, it carried out the cyberattack that crippled Change Healthcare, leading to an outage whose consequences for pharmacies and their patients have now lasted well over a week. As of last Tuesday, AlphV had listed 28 companies on the dark website it uses to extort its victims, not including Change Healthcare.
That site has now gone offline. As of Tuesday morning, what appeared to be a seizure order was displayed by law enforcement, but security researcher Fabian Wosar points out that the message seems to be copied from AlphV’s last takedown. The reason for the group’s disappearance – whether due to a new law enforcement operation or AlphV’s attempts to evade its own duped members – is unclear. Ransomware trackers say AlphV has disappeared and been renamed several times. Previous incarnations called BlackCat, BlackMatter and Darkside were all more or less the same group, security researchers note.
In fact, the hackers working under that Darkside moniker were responsible for the 2021 Colonial Pipeline ransomware attack, which led to the suspension of gas shipments along the US East Coast and resulted in a short-lived fuel shortage in some East Coast cities. In that case too, the victims paid the hackers’ ransom. “It was the hardest decision I’ve made,” Colonial CEO Joseph Blount later told a congressional hearing.
Now it appears that some of the same hackers have forced another company to make the same difficult decision.
Update 3/4/2024, 1:50 PM EST: Includes additional contextual details about AlphV and related ransomware attacks.
Updated 3/5/2024 10:30 AM EST to note that the AlphV dark website now displays a message that appears to be a law enforcement takedown notice.