Change Healthcare is allegedly facing a second ransomware attack by RansomHub. According to Nick Tausek, Lead Security Automation Architect at Swimlane, the details about this attack are: “Change Healthcare, a subsidiary of UnitedHealth, is allegedly facing its second ransomware attack in 2024. A February attack perpetrated by the ALPHV/BlackCat threat actors resulted in significantly disrupted healthcare operations across the county.”
UnitedHealth, the parent company of ransomware-hit Change Healthcare, has indicated that the total cost of tending to the February 2024 cyberattack currently stands at $872 million, according to The Register.
It is also established that the RansomHub threat group claimed responsibility for the recent attack and demanded a payment within twelve days.
What does this attack mean for the healthcare and pharmacy sector? How vulnerable are these industries?
Providing insight for Digital Journal is Andrew Costis, Chapter Lead of the Adversary Research Team at AttackIQ.
Costis begins by looking at the attack threshold context, noting: “RansomHub has been increasingly active throughout March and April. The admin of RansomHub has recently confirmed that previous ALPHV/BlackCat affiliates have been actively joining RansomHub. The uptick in activity of RansomHub, and the inactivity of ALPHV/BlackCat also confirms this.”
It is important that firms try to avoid paying out in such circumstances. According to Costis: “Making a ransomware payment may further enable cybercriminals to profit and advance their operations and campaigns, and may further incentivize future attacks.”
In terms of the attack specifics, Costis reveals: “Although we don’t know the details behind it yet, it’s quite possible that the original ALPHV/BlackCat affiliate had access to the data from Change Healthcare. As ALPHV/BlackCat performed an exit scam, the affiliate is likely attempting to reclaim their ransom payment.”
Continuing with the narrative, Costis says: “Just when Change HealthCare thought they had settled up with the payment they made in February, they are now in a similar position once more. The data stolen includes sensitive data such as medical records, payment information, claims information, patients’ PII, insurance records, source code files, active US military and navy personnel PII, and much more. It also includes partners of Change HealthCare. This serves as a reminder that making a ransomware payment doesn’t guarantee closure.”