ALPHV/BlackCat claims responsibility for Change Healthcare attack – Source: go.theregister.com

The ALPHV/BlackCat cybercrime gang has taken credit – if that’s the word – for a ransomware infection at Change Healthcare that has disrupted thousands of pharmacies and hospitals across the US, and also claimed that the amount of sensitive data stolen and affected health-care organizations is much larger than the victims initially disclosed.

It should go without saying that these are criminals, and not the most trustworthy sources of information. Plus, ransomware crews have been known to exaggerate their claims of stolen data to increase the pressure on those hit to pay up quickly.

As Emsisoft threat analyst Brett Callow told The Register: “Cyber criminals are not a reliable source of information and ALPHV’s claims should be viewed with skepticism.”

When asked about ALPHV’s boasts of stealing more than 6TB of sensitive data, UnitedHealth Group spokesperson Tyler Mason declined to answer specific questions. “We are aware and looking into it,” Mason told The Register.

“As noted in previous statements, we continue to work closely with law enforcement and third parties, including Mandiant and Palo Alto Networks, on this attack against Change Healthcare systems,” Mason added.

UnitedHealth owns the healthcare IT provider, and more than 70,000 pharmacies across the USA use its software to process insurance claims and fill prescriptions. Many of these – including two of the largest US chains, CVS and Walgreens – have suffered after the February 21 intrusion.

“On February 22, 2024, we disclosed the occurrence of a cyber security incident. We continue to investigate the extent of the incident, which we believe was committed by cyber crime threat actors,” UnitedHealth revealed on Wednesday in a regulatory filing. “As of the date of this report, we have not determined the incident is reasonably likely to materially impact our financial condition or results of operations.”

While UnitedHealth originally told US regulators that a “suspected nation-state associated cyber security threat actor” was behind the attack, on Monday reports surfaced that the perpetrator was, in fact, ALPHV/BlackCat – a financially motivated crew.

On Wednesday, the ransomware gang listed Change Healthcare on its leak site and claimed to have stolen massive amounts of data belonging to health insurers, medical providers, and pharmacies including Medicare and Tricare, CVS-CareMark, Health Net, Metlife and Teachers Health Trust.

“Anyone with some decent critical thinking will understand what damage can be done with such intimate data on the affected clients,” the criminals threatened, adding that the stolen files number in the “millions” and concern the personal data of active US military members and other patents, medical and dental records, payment information, insurance claims, and more than 3,000 source code files.

• ALPHV/BlackCat responsible for Change Healthcare cyberattack
• Cyberattack downs pharmacies across America
• Back from the dead: LockBit taunts cops, threatens to leak Trump docs
• Cybercrims: When we hit IT, they sometimes pay, but when we hit OT… jackpot

ALPHV has been linked to the Russian-speaking Darkside/Blackmatter gang, the criminal crew behind the 2021 Colonial Pipeline ransomware attack. The US government seized the gang’s websites in early December and released a decryptor tool for victims.

But, as we’ve seen with other attempts at cyber crime takedowns, ALPHV quickly restored its operations and resumed attacks on critical infrastructure targets from mid-December.

On Tuesday the FBI, US Cybersecurity and Infrastructure Security Agency and US Department of Health and Human Services warned hospitals and healthcare facilities that ALPHV is gunning for them.

“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized,” the alert warned. “This is likely in response to the ALPHV Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”

The Feds also urged the healthcare sector to take actions to mitigate risk, including routinely taking inventory of assets and data to identify unauthorized devices and software, enabling multifactor authentication, and using strong passwords.

The warning also advised hospitals to close unused network ports, remove applications that aren’t necessary for daily operations, and prioritize the remediation of known vulnerabilities that are being exploited – which you might hope they’d do already.

While it’s unknown how ALPHV gained initial access to Change Healthcare’s systems, there has been speculation that it broke in via critical ConnectWise bugs, which are said to be “embarrassingly easy” to exploit.

ALPHV, for its part, tried to put this rumor to rest in its post:

Change Healthcare issues multiple updates each day about the outage, but none of them provide a date by which the ailing biz expects to recover the affected applications.

“We have a high level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue,” the group noted earlier on Wednesday. ®