top of page

Change Healthcare Falls Victim to BlackCat Ransomware, Pays $22 Million Ransom

Change Healthcare, a prominent U.S. healthcare giant, has reportedly paid a hefty $22 million ransom to the infamous BlackCat ransomware group (ALPHV) in a desperate bid to restore services following a cyberattack. The attack, which has caused significant disruptions to prescription drug services across the nation for several weeks, was analyzed by Menlo Security in-depth and highlights the growing threat of cybercrime in the healthcare sector.

The BlackCat (ALPHV) ransomware gang, notorious for its malicious activities, has reportedly shut down its servers following the ransom payment. This move is believed to be connected to allegations of the gang scamming an affiliate involved in the Optum attack out of the same $22 million ransom. A message in Russian on the Tox messaging platform used by the BlackCat operator reads, "Everything is off, we decide," signaling a potential exit scam.

The compromised data, according to reports from the Menlo Labs Threat Intelligence team, could affect nearly every American's healthcare data, including sensitive information from critical national healthcare programs such as Medicare and TRICARE. The leakage of such vast amounts of data poses a direct threat to the privacy and security of millions and has broader implications for national security.

Analysts and researchers are closely monitoring the situation, with some suggesting that this could be a classic exit scam by the BlackCat group. In such a scam, perpetrators feign operational shutdown, covertly misappropriate funds, and potentially re-emerge under a different guise. The evidence pointing towards this conclusion includes the sudden shutdown of BlackCat's servers, the allegations of scamming affiliates, and the group's history of ransomware attacks. Reegun Jayapaul, Principal Threat Hunter at Trustwave said:"Based on our experience, we believe that BlackCat's claim of shutting down due to law enforcement pressure is a hoax. We anticipate their return under a new guise or brand after their hiatus. This tactic serves as a means for them to execute one final significant scam before resurfacing with less scrutiny." 

The healthcare industry is now urging the government to intervene and provide financial support to prevent hospitals, particularly rural ones, from running out of funds due to the attack's impact on payment systems. Change Healthcare's top priority remains getting its systems back online while maintaining the data required for a thorough investigation.

As the story unfolds, the actions of Notchy, the alleged affiliate scammed by BlackCat, and the potential sale of stolen data on the dark web are being closely watched. The possibility of BlackCat's internal data and intelligence being leaked as a form of retaliation, coupled with the threat of double extortion, adds another layer of complexity to an already convoluted situation.

This incident serves as a stark reminder of the importance of enhancing cybersecurity measures around critical healthcare infrastructure and data systems to protect against such attacks in the future.


bottom of page