In February of this year, a ransomware attack on Change Healthcare caused significant disruptions to medical supply chains and billing procedures, prompting the company to isolate its computer network and launch an investigation into the incident.

Two months after the attack, Andrew Witty, CEO of UnitedHealth, the parent company of Change Healthcare, testified before the Senate about the breach. Acknowledging that the attack on Change Healthcare was indeed a ransomware incident, Witty attributed it to the absence of multi-factor authentication, a foundational cybersecurity control that every company, regardless of size, sector, or financial standing, should have in place.

Multi-factor authentication requires users to present two or three separate verification factors to access their accounts, serving as a barrier against unauthorized access even when a password alone has been compromised.

Initial estimates suggest the attack has resulted in a financial loss of $22 million thus far, with concerns mounting that the figure could soar into the billions by the third quarter of this year.

Interestingly, speculation arose from certain media outlets suggesting that Change Healthcare had struck a deal with the ALPHV ransomware group and paid a ransom to regain access to encrypted data. Despite reportedly paying around 350 bitcoins to the BlackCat ransomware group, the company continues to face threats of data exfiltration since April 2024 from another group known as RansomHUB, demanding $15 million for the deletion of pilfered information.

Further investigation revealed RansomHUB's involvement in the attack, indicating that since severing ties with the BlackCat gang, the group has set up its own operation and is extorting further ransom payments from victims already hit, since it holds all the stolen data on its own servers.

Security experts suggest that this latest development could either be a scheme to extract more money or a genuine threat. Regardless, the victims find themselves caught in an ongoing saga, with no resolution in sight at least for the near future.

The post United Health CEO testifies before senate for ransomware attack appeared first on Cybersecurity Insiders.

Change Healthcare, a subsidiary of UnitedHealth Group, has confirmed the transfer of 350 bitcoins, equivalent to $22 million USD, to a crypto wallet owned by the ALPHV Ransomware group.

Despite complying with the ransom demand, concerns linger for the victim regarding the integrity of the promise made by the BLACKCAT, also known as ALPHV, ransomware group to refrain from leaking the stolen data on the dark web.

The looming threat of cybercriminals reneging on their agreements often plagues victims: hackers may release the pilfered data even after receiving the ransom, typically within 6 to 10 months or even a year.

The demand for fresh data on the dark web remains high, with data older than 11 months fetching less than anticipated returns for cybercriminals. Consequently, hacking groups typically expedite the sale of stolen data within 1 or 2 months of a breach.

Meanwhile, UnitedHealth has disclosed a staggering $872 million financial loss due to the cyber attack on Change Healthcare, during which hackers absconded with approximately 6TB of sensitive information from servers in February of this year.

Investigations have uncovered that the breach occurred in February, with the hackers making their presence known in March 2024. Presently, the BlackCat gang lies dormant following the FBI’s seizure of its servers, as they strategize their resurgence.

However, another ransomware syndicate, RansomHUB, claims to have re-penetrated Change Healthcare’s servers and is demanding a $15 million ransom.

Security experts later indicated that RansomHUB was formerly associated with BlackCat but has since severed ties with ALPHV to establish itself independently. Feeling slighted by the non-receipt of their share of the ransom as pledged, they now threaten to expose the data to potential buyers and other hackers.

Consequently, the victim finds themselves ensnared between two notorious criminal factions and may require the assistance of forensic experts to navigate this perilous situation. Regardless of the specific victim, the ramifications of this cyber attack will reverberate across the United States, impacting numerous pharmacies, hospitals, and medical practices.

The post Change healthcare faces data leak threat despite paying $22 million as ransom appeared first on Cybersecurity Insiders.

UnitedHealth recently disclosed that it has disbursed approximately $2 billion to its healthcare subsidiaries affected by a ransomware attack detected last month. The company also announced plans to roll out medical claims preparation software to assist customers in managing payments for medical bills against inventory lists.

Andrew Witty, CEO of UnitedHealth, confirmed the authenticity of the statement and reported that 90% of the pharmacy computer network systems impacted by the cyber-attack at Change Healthcare had been restored by the previous Sunday. As a result, the payment management software, crucial for processing medications and services covered by insurers, is expected to be fully operational by the upcoming weekend.

In response to the severity of the situation, U.S. Department of Health and Human Services Secretary Xavier Becerra and Deputy Andrew Palm held an emergency meeting with White House officials to address cyber risks stemming from the Change Healthcare cyber-attack. The meeting emphasized the importance of support from insurance companies and focused on strategies for assisting affected parties.

The rise in cyberattacks targeting the healthcare sector globally is deeply concerning, especially considering the potential for emergencies such as those witnessed during the Covid-19 pandemic lockdowns in April 2020 and 2021.

Furthermore, it is evident that cybercriminals, driven by profit, disregard the humanitarian implications of their actions, instead prioritizing their immediate gains or supporting governments engaged in digital attacks for geopolitical reasons.

Governments worldwide must unite with the singular goal of eradicating or, at the very least, significantly reducing such cyber threats. Mere measures such as cryptocurrency bans or the apprehension of individual criminals do little to address the root cause of these attacks and provide insufficient deterrence.

The post United Health spends $2 billion in ransomware recovery appeared first on Cybersecurity Insiders.

Alabama state websites down due to DDoS attacks

Alabama state websites experienced a cyber disruption today as several government URLs were targeted by a sophisticated attack initially thought to be a variant of ransomware but later identified as a Distributed Denial of Service (DDoS) attack. The Alabama Office of Information Technology stated that there was no data breach during the incident and that the attackers only managed to briefly disrupt the systems. Interestingly, this incident occurred shortly after a similar cyber incident in France the previous week.

MadCat ransomware on the prowl

A new ransomware variant dubbed “MadCat” has emerged, with its operators attempting to deceive fellow cybercriminals by offering to sell stolen passport details of prominent figures from politics and Hollywood. A screenshot circulating on the internet claims to show 230,899 passport details of Polish citizens for sale. The criminal group behind MadCat demands 20 Monero cryptocurrency in exchange for the data, but instead of providing the promised information, they vanish after receiving payment through their Telegram channel.

Nissan data breach impacts about 100,000 people

Nissan Oceania, which made headlines last month due to a cyber attack, has reported that the breach potentially affected over 100,000 customers. Personal details such as employee information, NDAs, project data, design schematics, and partner/client information may have been compromised. The Akira Ransomware gang is suspected to be responsible for the attack, with a history of targeting companies like Mitsubishi, Renault, Skyline, Infiniti, LDV, RAM, and BYD.

Rhysida Ransomware claims to have sold data from servers related to Lurie Children’s Hospital of Chicago

The Rhysida Ransomware group claims to have sold stolen data from Lurie Children’s Hospital in Chicago after the hospital failed to meet their ransom demands or engage in negotiations. The hackers accessed data from MyChart systems, potentially compromising sensitive patient information.

Change Healthcare Ransomware incident to be probed by the government

The United States government has launched an investigation into a ransomware attack on Change Healthcare, which caused disruptions in medicine supply chains across the country due to payment processing delays. The probe, overseen by the Office for Civil Rights and monitored by a special team from the US Department of Health & Human Services, commenced on February 20th, 2024, the day the incident was discovered. The American Hospital Association estimates potential losses of up to $100 million for medical suppliers affected by such attacks.

FlagStar bank paid $1 million to CLOP Ransomware gang

FlagStar bank reportedly paid $1 million to the CLOP Ransomware gang after the group exploited vulnerabilities in MoveIT software to encrypt the bank's data. Because such a payment is illegal under American law, the bank could face heavy penalties if substantial evidence is found, and technology staff might also face legal consequences. The incident resulted in the leakage of information belonging to 800,000 US customers, with sensitive details like social security numbers potentially compromised.

The post Ransomware news trending on Google appeared first on Cybersecurity Insiders.

There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. “ALPHV“) as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change’s network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate’s disclosure appears to have prompted BlackCat to cease operations entirely.

Image: Varonis.

In the third week of February, a cyber intrusion at Change Healthcare began shutting down important healthcare services as company systems were taken offline. It soon emerged that BlackCat was behind the attack, which has disrupted the delivery of prescription drugs for hospitals and pharmacies nationwide for nearly two weeks.

On March 1, a cryptocurrency address that security researchers had already mapped to BlackCat received a single transaction worth approximately $22 million. On March 3, a BlackCat affiliate posted a complaint to the exclusive Russian-language ransomware forum Ramp saying that Change Healthcare had paid a $22 million ransom for a decryption key, and to prevent four terabytes of stolen data from being published online.

The affiliate claimed BlackCat/ALPHV took the $22 million payment but never paid him his percentage of the ransom. BlackCat is known as a “ransomware-as-service” collective, meaning they rely on freelancers or affiliates to infect new networks with their ransomware. And those affiliates in turn earn commissions ranging from 60 to 90 percent of any ransom amount paid.

“But after receiving the payment ALPHV team decide to suspend our account and keep lying and delaying when we contacted ALPHV admin,” the affiliate “Notchy” wrote. “Sadly for Change Healthcare, their data [is] still with us.”

Change Healthcare has neither confirmed nor denied paying, and has responded to multiple media outlets with a similar non-denial statement — that the company is focused on its investigation and on restoring services.

Assuming Change Healthcare did pay to keep their data from being published, that strategy seems to have gone awry: Notchy said the list of affected Change Healthcare partners they’d stolen sensitive data from included Medicare and a host of other major insurance and pharmacy networks.

On the bright side, Notchy’s complaint seems to have been the final nail in the coffin for the BlackCat ransomware group, which was infiltrated by the FBI and foreign law enforcement partners in late December 2023. As part of that action, the government seized the BlackCat website and released a decryption tool to help victims recover their systems.

BlackCat responded by re-forming, and increasing affiliate commissions to as much as 90 percent. The ransomware group also declared it was formally removing any restrictions or discouragement against targeting hospitals and healthcare providers.

However, instead of responding that they would compensate and placate Notchy, a representative for BlackCat said today the group was shutting down and that it had already found a buyer for its ransomware source code.

The seizure notice now displayed on the BlackCat darknet website.

“There’s no sense in making excuses,” wrote the RAMP member “Ransom.” “Yes, we knew about the problem, and we were trying to solve it. We told the affiliate to wait. We could send you our private chat logs where we are shocked by everything that’s happening and are trying to solve the issue with the transactions by using a higher fee, but there’s no sense in doing that because we decided to fully close the project. We can officially state that we got screwed by the feds.”

BlackCat’s website now features a seizure notice from the FBI, but several researchers noted that this image seems to have been merely cut and pasted from the notice the FBI left in its December raid of BlackCat’s network. The FBI has not responded to requests for comment.

Fabian Wosar, head of ransomware research at the security firm Emsisoft, said it appears BlackCat leaders are trying to pull an “exit scam” on affiliates by withholding many ransomware payment commissions at once and shutting down the service.

“ALPHV/BlackCat did not get seized,” Wosar wrote on Twitter/X today. “They are exit scamming their affiliates. It is blatantly obvious when you check the source code of their new takedown notice.”

Dmitry Smilyanets, a researcher for the security firm Recorded Future, said BlackCat’s exit scam was especially dangerous because the affiliate still has all the stolen data, and could still demand additional payment or leak the information on his own.

"The affiliates still have this data, and they're mad they didn't receive this money," Smilyanets told Wired.com. "It's a good lesson for everyone. You cannot trust criminals; their word is worth nothing."

BlackCat’s apparent demise comes closely on the heels of the implosion of another major ransomware group — LockBit, a ransomware gang estimated to have extorted over $120 million in payments from more than 2,000 victims worldwide. On Feb. 20, LockBit’s website was seized by the FBI and the U.K.’s National Crime Agency (NCA) following a months-long infiltration of the group.

LockBit also tried to restore its reputation on the cybercrime forums by resurrecting itself at a new darknet website, and by threatening to release data from a number of major companies that were hacked by the group in the weeks and days prior to the FBI takedown.

But LockBit appears to have since lost any credibility the group may have once had. After a much-promoted attack on the government of Fulton County, Ga., for example, LockBit threatened to release Fulton County's data unless paid a ransom by Feb. 29. But when Feb. 29 rolled around, LockBit simply deleted the entry for Fulton County from its site, along with those of several financial organizations that had previously been extorted by the group.

Fulton County held a press conference to say that it had not paid a ransom to LockBit, nor had anyone done so on their behalf, and that they were just as mystified as everyone else as to why LockBit never followed through on its threat to publish the county's data. Experts told KrebsOnSecurity LockBit likely balked because it was bluffing, and that the FBI likely relieved them of that data in their raid.

Smilyanets’ comments are driven home in revelations first published last month by Recorded Future, which quoted an NCA official as saying LockBit never deleted the data after being paid a ransom, even though that is the only reason many of its victims paid.

“If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future,” LockBit’s extortion notes typically read.

Hopefully, more companies are starting to get the memo that paying cybercrooks to delete stolen data is a losing proposition all around.

Federal Trade Commission Clears X (formerly Twitter) of Data Security Violations

Following an investigation into the server operations of X, previously known as Twitter, the Federal Trade Commission (FTC) has announced that Elon Musk’s company has upheld user privacy and safeguarded their data. This statement comes in response to complaints filed by privacy advocates alleging that Twitter permitted third-party access to user information for research and advertising purposes.

The FTC’s probe revealed that while third parties were granted access, it was under the supervision of security experts who diligently protected internal documents, preventing unauthorized access.

LockBit Ransomware Targets ScreenConnect Servers

The notorious LockBit 3.0 ransomware group has resurfaced, this time targeting ScreenConnect Servers. Utilizing vulnerabilities, the hackers infiltrated the network of ConnectWise (formerly ScreenConnect), encrypting servers and demanding ransom for decryption. Despite law enforcement agencies worldwide dismantling LockBit infrastructure as part of ‘Operation Cronos,’ the group persists in its malicious activities.

AT&T Cellphone Network Outage Attributed to Software Update

AT&T has clarified that recent network outages affecting some customers were not the result of a cyberattack but rather a technical glitch stemming from a software update. Dismissing rumors linking the outage to a Chinese hacking group targeting multiple service providers, AT&T assures its customers that measures are in place to address such incidents effectively. Encouraging affected users to utilize Wi-Fi calling, AT&T aims to maintain connectivity during service disruptions.

While concerns persist regarding potential Chinese cyber threats to U.S. infrastructure, the Biden administration has taken proactive steps to mitigate risks. Collaboration between public and private entities, including information sharing, enhances defenses against state-sponsored attacks. With recent network outages affecting AT&T customers in Houston, Chicago, and Atlanta, alternative communication methods like Wi-Fi calling are recommended to ensure connectivity.

American Pharmacies Experience Medication Shortages Due to Ransomware Attack

Several American pharmacies reliant on online delivery services are grappling with medication shortages following a ransomware attack on their technology service provider, Change Healthcare. While investigations into the incident are ongoing, steps have been taken to isolate affected systems and mitigate risks. Work to keep hospital operations and patient care uninterrupted is underway as recovery continues.

The post Cyber Attack news headlines trending on Google appeared first on Cybersecurity Insiders.