ALPHV secures $22M in Bitcoin amidst affiliate drama at The Register

The recent cyberattack on Change Healthcare, carried out by the ALPHV/BlackCat gang, has taken a new turn with the revelation that the gang has received a hefty sum of $22 million in Bitcoin, possibly as a ransomware payment. Dmitry Smilyanets, an intelligence analyst at Recorded Future, discovered a Bitcoin wallet linked to ALPHV that received 350 Bitcoins, equivalent to at least $22 million, in a single transaction on March 1.

In response to inquiries about whether the ransomware gang was paid off, Change Healthcare’s parent company, UnitedHealth Group, refused to provide specific answers, stating that they are currently focused on the investigation. Change Healthcare is a crucial IT service provider for over 70,000 American pharmacies and hospitals, facilitating insurance claims processing and prescription orders, among other services.

The BlackCat ransomware attack on Change Healthcare last month disrupted operations at numerous locations in the US, including pharmacies operated by major chains like CVS and Walgreens. It appears that ALPHV may have actually stolen the $22 million from its affiliate crew responsible for the initial attack on the healthcare IT provider. These criminal organizations often rent out their ransomware to affiliates who execute the attacks and share in the proceeds.

Recorded Future’s Smilyanets later shared a screenshot of ALPHV’s forum where an affiliate claimed to have breached Change’s network, deployed the BlackCat ransomware, and absconded with substantial amounts of sensitive data. After the payment was received, ALPHV reportedly closed the affiliate’s account, emptied the wallet, and seized all the money. The affiliates still possess 4TB of crucial data from Change and its partners, including Medicare, Tricare, CVS-CareMark, Metlife, and others, with the threat of leaking the data looming.

It is worth noting that the affiliates originally boasted of extracting 6TB of data from Change Healthcare’s compromised IT environment, suggesting that not all the stolen data has been accounted for. Furthermore, the affiliates warned others to be wary of dealing with the ALPHV criminals.

While the repercussions of this incident are undoubtedly significant for Change Healthcare and its partners, there is an ironic twist to the situation that may not be lost on some observers. As the investigation into the cyberattack and ransomware payment unfolds, it serves as a stark reminder of the ongoing threat posed by malicious actors in the digital realm.
