More than two months into one of the most severe ransomware crises in cybersecurity history, Change Healthcare confirmed a bitter reality that Bitcoin’s blockchain and security experts had already made evident: it paid a ransom following a cyberattack in February. Despite this, the threat of a leak of vast volumes of sensitive medical data still looms large.
In late February, Change Healthcare became the target of AlphV, also known as BlackCat, a notorious cybercriminal group. The company’s recent admission followed a trail of digital breadcrumbs leading to a ransom payment on March 1st, amounting to 350 bitcoins—approximately $22 million. This transaction, visible on the blockchain and first spotted on a Russian cybercriminal forum, sparked speculation long before official confirmation.
WIRED’s investigation, supported by insights from Recorded Future and TRM Labs, traced the payment directly to AlphV’s wallet. Despite initial denials, the company eventually acknowledged the payment in a public statement, citing its commitment to safeguarding patient data as the primary motivator.
This episode has heightened tension within the cybersecurity community over the implications for the healthcare sector. “It 100 percent encourages other actors to target healthcare organizations,” remarked Jon DiMaggio from Analyst1, highlighting the undesirable focus on an already vulnerable industry.
The saga deepens with a rift among cybercriminals. A second group, RansomHub, claims possession of the stolen data, threatening its sale on the dark web. This development introduces a new layer of risk, indicating that even a hefty ransom payment does not guarantee data safety.
Change Healthcare’s response has been to warn of potential data breaches involving personal health information and other sensitive details. These warnings, however, come after the company’s considerable financial losses, totalling $872 million, with projections suggesting this figure could surpass a billion dollars.
The broader context is a ransomware economy thriving on high-stakes payments. According to Chainalysis, ransomware victims paid over $1.1 billion in 2023, with Change Healthcare’s ordeal representing a notable contribution. Brett Callow, a ransomware-focused researcher, commented on the unusually high payment, emphasizing its rarity and significant impact.
The aftermath of this payment reveals a complex interplay among ransomware groups, with AlphV reportedly faking a law enforcement takedown to circumvent revenue sharing with its affiliates. This manoeuvre suggests a breach of trust within the criminal underworld, potentially leading to further misuse of the compromised data.
For Change Healthcare, the transaction has provided little solace. The ongoing risk of data exposure, coupled with the financial haemorrhage, paints a grim picture. As DiMaggio warns, the company might still face the worst-case scenario: spending millions on a ransom, only to see its data leaked, effectively “setting that money on fire.”
This cybersecurity debacle serves as a stark reminder of the persistent threats facing the healthcare industry and the complex challenges of dealing with cyber extortion. The incident not only underscores the financial and operational impacts of such attacks but also highlights the intricate dynamics of the cybercriminal ecosystem.