ALPHV/BlackCat responsible for Change Healthcare cyberattack – Source: go.theregister.com

The ALPHV/BlackCat ransomware gang is reportedly responsible for the massive Change Healthcare cyberattack that has disrupted pharmacies across the US since last week.

According to Reuters, citing “two people familiar with the matters,” the notorious ransomware-as-a-service operation was behind the UnitedHealth owned business’ attack. The Register has not independently confirmed that ALPHV was involved in the intrusion.

Change Healthcare provides a wide range of IT services for medical facilities, including software that lets pharmacies check patients’ eligibility for medications and determine insurance coverage. Its customers include two of the largest US pharmacies – CVS and Walgreens – both of which have felt the ill effects of the outage. The health tech biz first disclosed the breach on February 21, and pulled the plugs on some of its IT systems as a result.

On Friday, the American Pharmacists Association said dispensaries across the country could not transmit insurance claims because of the cyberattack. 

“This is resulting in delays in getting prescriptions filled,” according to a statement on the group’s website. “As of Friday afternoon, the situation was still not resolved and pharmacies across the nation are reporting significant backlogs of prescriptions they are unable to process.”

UnitedHealth, in a filing with the US Securities and Exchange Commission, last week blamed a “suspected nation-state associated cyber security threat actor” for the network intrusion.

Neither UnitedHealth nor Change Healthcare immediately responded to The Register‘s inquiries about ALPHV’s reported involvement in the attack. 

• Cyberattack downs pharmacies across America
• ALPHV gang claims it’s the attacker that broke into Prudential Financial, LoanDepot
• ALPHV blackmails Canadian pipeline after ‘stealing 190GB of vital info’
• FBI develops decryptor for BlackCat ransomware, seizes gang’s website

In a Monday update, Change Healthcare said things aren’t getting much better.

“We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online,” according to the incident report. “We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect.”

ALPHV has been linked to the Russian-speaking Darkside/Blackmatter gang responsible for the 2021 Colonial Pipeline ransomware attack, and has been ramping up its attacks on critical infrastructure targets since the Feds made a failed takedown attempt in December.

Earlier this month the criminal crew allegedly broke into Canada’s Trans-Northern Pipelines and claimed to have stolen around 190GB of data. This followed three other alleged intrusions into energy providers in the US, Canada and Spain. It also took credit for the attacks on both Prudential Financial and LoanDepot.

The US government has since offered bounties up to $15 million for information leading to the identification or location of ALPHV leadership members and/or their arrests. ®