Change Healthcare has faced an extremely chaotic, months-long ransomware debacle that left hundreds of pharmacies and medical practices across the U.S. unable to process claims. Now, with an apparent dispute within the ransomware criminal ecosystem, things could get even messier.
Last month, ransomware group AlphV received a $22 million payment after claiming to have encrypted Change Healthcare’s network and threatening to leak a large amount of the company’s sensitive healthcare data. That payment, publicly visible on the Bitcoin blockchain, suggests that Change Healthcare may have succumbed to the perpetrators’ ransom demands, but the company has yet to confirm that a ransom was paid. Now, in a new definition of worst-case ransomware, a different ransomware group claims to be in possession of Change Healthcare’s stolen data and is demanding its own payment.
Since Monday, the relatively new ransomware group RansomHub has posted on its dark-web site that it is in possession of 4 terabytes of Change Healthcare’s stolen data and is threatening to sell it to the “highest bidder” if Change Healthcare doesn’t pay an unspecified ransom. RansomHub told WIRED it has no relationship with AlphV and “cannot disclose” how much ransom it is demanding.
RansomHub initially refused to publish, or to provide WIRED with, any sample data from the stolen trove to prove its claims. But on Friday, a representative of the group sent WIRED several screenshots of what appeared to be patient records, as well as a data-sharing contract between United Healthcare and Emdeon. United Healthcare owns Change Healthcare, which Emdeon acquired in 2014 before adopting the Change Healthcare name.
While WIRED couldn’t fully confirm RansomHub’s claims, the samples suggest the second extortion attempt against Change Healthcare may be more than an empty threat. “For anyone who doubts whether we have the data, and anyone who speculates on the importance and sensitivity of the data, these images should be enough to show the gravity and importance of the situation and to clarify the impracticality and naivety of that theory,” a RansomHub contact told WIRED in an email.
Change Healthcare did not immediately respond to WIRED’s request for comment on the RansomHub ransom demands.
Brett Callow, a ransomware analyst at security firm Emsisoft, said he believed AlphV did not initially release any data from the incident and that the source of the RansomHub data was unclear. “I obviously don’t know if the data is real — it could have been taken from somewhere else — but I also haven’t seen anything that suggests it might not be real,” he said of the data shared by RansomHub.
Jon DiMaggio, chief security strategist at threat intelligence firm Analyst1, said that after reviewing the information sent to WIRED, he believes RansomHub “is telling the truth and does have Change HealthCare’s data”. DiMaggio said that while RansomHub is a new ransomware threat actor, it is quickly “gathering momentum.”
If RansomHub’s claims are true, it would mean that Change Healthcare’s already disastrous ransomware ordeal has become a cautionary tale about the dangers of trusting ransomware groups to deliver on their promises, even after a ransom is paid. In March, an individual using the handle “notchy” posted on a Russian cybercrime forum that AlphV had pocketed the $22 million payment and then disappeared without sharing a commission with its “affiliate” hackers, who often work with ransomware groups by infiltrating victims’ networks on their behalf.