Change Healthcare, a leading U.S. healthcare giant, has reportedly made a $22 million extortion payment to the BlackCat ransomware group, also known as “ALPHV,” as the company grapples with a cyberattack that has disrupted prescription drug services across the country. The cybercriminal responsible for providing BlackCat with access to Change’s network has alleged that the crime gang cheated them out of their share of the ransom and still has the sensitive data that Change paid to have destroyed. As a result of this disclosure, BlackCat has announced that it is ceasing operations entirely.

The cyber intrusion at Change Healthcare that led to the disruption of important healthcare services began in the third week of February. The attack, orchestrated by BlackCat, has resulted in the disruption of prescription drug deliveries for hospitals and pharmacies nationwide for nearly two weeks. On March 1, a cryptocurrency address linked to BlackCat received a payment of approximately $22 million. Shortly after, a BlackCat affiliate posted a complaint on a Russian-language ransomware forum, revealing that Change Healthcare had paid a ransom to prevent four terabytes of stolen data from being published online. The affiliate claimed that BlackCat had received the $22 million payment but failed to compensate them as agreed upon.

Change Healthcare has neither confirmed nor denied making the payment and has stated that its focus is on investigating the cyberattack and restoring services. Despite the reported payment, the affiliate who disclosed the incident stated that the stolen data, including sensitive information from Medicare and other major insurance and pharmacy networks, is still in their possession. This turn of events indicates that Change Healthcare’s strategy to prevent data leakage may have backfired.

The revelation by the affiliate regarding the non-payment of ransom appears to have led to BlackCat’s decision to shut down its operations. The group, which was targeted by law enforcement agencies in late December 2023, has now closed its operations and put its ransomware source code up for sale. This exit scam, as described by security experts, involves withholding ransom payment commissions from affiliates and abruptly ceasing all services.

Fabian Wosar, head of ransomware research at Emsisoft, has suggested that BlackCat’s actions may be an attempt to defraud its affiliates by shutting down operations without fulfilling their obligations. The potential repercussions of this exit scam are significant, as the affiliate still retains the stolen data and could demand additional payment or leak the information independently. Security researcher Dmitry Smilyanets has warned against trusting criminals, emphasizing that their promises hold no value.

The demise of BlackCat follows the collapse of another major ransomware group, LockBit, which was dismantled by the FBI and the U.K.’s National Crime Agency in a coordinated operation. LockBit attempted to re-establish its operations but lost credibility after failing to follow through on threats to release hacked data. These incidents highlight the risks associated with paying cybercriminals to delete stolen data, as victims may not receive the promised decryption keys or data deletion.

Overall, the recent developments involving Change Healthcare, BlackCat, and LockBit underscore the evolving threat landscape posed by ransomware groups and the importance of robust cybersecurity practices in safeguarding sensitive data. As organizations continue to grapple with these challenges, the need for vigilance and resilience against cyber threats remains paramount.

Source link