Second Ransomware Group Extorting Change Healthcare

April 9, 2024 at 07:54AM

After paying cybercriminals to prevent the release of stolen data from a ransomware attack, Change Healthcare is being extorted again by a different group, RansomHub. This comes after a previous incident involving the BlackCat ransomware gang. The repeated extortion highlights the risk of paying ransoms and the prevalence of cyber threats in the healthcare sector.

Change Healthcare, a subsidiary of UnitedHealth Group, was targeted in a ransomware attack. The attack, carried out by the BlackCat ransomware gang, resulted in the theft of over 4TB of sensitive data, including personal information, payment details, and insurance records.

Following BlackCat’s exit scam, a new Ransomware-as-a-Service (RaaS) group named RansomHub has emerged, claiming to possess the stolen data from the previous attack and threatening to publicize it unless a ransom is paid. This development is not surprising, as it is believed that the affiliate responsible for the original breach, not receiving their anticipated share of the ransom, has joined RansomHub to demand another payment from Change Healthcare.

The large ransom payment made by Change Healthcare in early March is likely encouraging the cybercriminals to believe that the company will pay again to prevent the release of its customers’ information. RansomHub operates differently from BlackCat, with affiliates receiving 90% of the proceeds, possibly addressing the distrust caused by BlackCat’s exit scam.

The origin of RansomHub is uncertain, with theories suggesting it could be a rebrand of BlackCat aimed at pressuring Change Healthcare for another ransom. However, it is noted that RansomHub’s appearance predates BlackCat’s exit scam, suggesting that it may be a different operation that acquired former BlackCat affiliates.

Paying a ransom does not guarantee the return or deletion of stolen data and could incentivize attackers to extort the victim again. This situation serves as a reminder to all ransomware victims not to pay ransoms.

In addition, the U.S. government is offering a $10 million reward for information on the Change Healthcare hackers. The medical sector is frequently targeted by cyberattacks, and even healthcare IT help desk employees have been subjected to payment-hijacking attacks.

Overall, the incident illustrates the serious nature of the ransomware attack on Change Healthcare, the emergence of a new threat in the form of RansomHub, and the warnings regarding paying ransoms in such cases.
