For months, Change Healthcare has confronted an immensely messy ransomware debacle that has left lots of of pharmacies and medical practices throughout the US unable to course of claims. Now, due to an obvious dispute throughout the ransomware felony ecosystem, it might have simply change into far messier nonetheless.
In March, the ransomware group AlphV, which had claimed credit score for encrypting Change Healthcare’s community and threatened to leak reams of the corporate’s delicate well being care knowledge, obtained a $22 million fee—proof, publicly captured on Bitcoin’s blockchain, that Change Healthcare had very seemingly caved to its tormentors’ ransom demand, although the corporate has but to substantiate that it paid. However in a brand new definition of a worst-case ransomware, a totally different ransomware group claims to be holding Change Healthcare’s stolen knowledge and is demanding a fee of their very own.
Since Monday, RansomHub, a comparatively new ransomware group, has posted to its dark-web web site that it has 4 terabytes of Change Healthcare’s stolen knowledge, which it threatened to promote to the “highest bidder” if Change Healthcare didn’t pay an unspecified ransom. RansomHub tells WIRED it isn’t affiliated with AlphV and “can’t say” how a lot it’s demanding as a ransom fee.
RansomHub initially declined to publish or present WIRED any pattern knowledge from that stolen trove to show its declare. However on Friday, a consultant for the group despatched WIRED a number of screenshots of what gave the impression to be affected person data and a data-sharing contract for United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and later took its title.
Whereas WIRED couldn’t absolutely verify RansomHub’s claims, the samples counsel that this second extortion try towards Change Healthcare could also be greater than an empty menace. “For anybody doubting that we now have the info, and to anybody speculating the criticality and the sensitivity of the info, the photographs ought to be sufficient to indicate the magnitude and significance of the state of affairs and clear the unrealistic and infantile theories,” the RansomHub contact tells WIRED in an e-mail.
“We’re working with legislation enforcement and out of doors specialists to analyze claims posted on-line to know the extent of doubtless impacted knowledge,” Change Healthcare stated in an e-mail to WIRED. “Our investigation stays lively and ongoing. There isn’t any proof of any new cyber incident at Change Healthcare.”
Brett Callow, a ransomware analyst with safety agency Emsisoft, says he believes AlphV didn’t initially publish any knowledge from the incident, and the origin of RansomHub’s knowledge is unclear. “I clearly do not know whether or not the info is actual—it may have been pulled from elsewhere—however nor do I see something that signifies it will not be genuine,” he says of the info shared by RansomHub.
Jon DiMaggio, chief safety strategist at menace intelligence agency Analyst1, says he believes RansomHub is “telling the reality and does have Change HealthCare’s knowledge,” after reviewing the data despatched to WIRED. Whereas RansomHub is a brand new ransomware menace actor, DiMaggio says, they’re shortly “gaining momentum.”
If RansomHub’s claims are actual, it should imply that Change Healthcare’s already catastrophic ransomware ordeal has change into a form of cautionary story in regards to the risks of trusting ransomware teams to observe by means of on their guarantees, even after a ransom is paid. In March, somebody who goes by the title “notchy” posted to a Russian cybercriminal discussion board that AlphV had pocketed that $22 million fee and disappeared with out sharing a fee with the “affiliate” hackers who sometimes associate with ransomware teams and sometimes penetrate victims’ networks on their behalf.
