Category: RansomHub

Change Healthcare says it has notified approximately 100 million Americans that their personal, financial and healthcare records may have been stolen in a February 2024 ransomware attack that caused the largest ever known data breach of protected health information.

Image: Tamer Tuncay, Shutterstock.com.

A ransomware attack at Change Healthcare in the third week of February quickly spawned disruptions across the U.S. healthcare system that reverberated for months, thanks to the company’s central role in processing payments and prescriptions on behalf of thousands of organizations.

In April, Change estimated the breach would affect a “substantial proportion of people in America.” On Oct 22, the healthcare giant notified the U.S. Department of Health and Human Resources (HHS) that “approximately 100 million notices have been sent regarding this breach.”

A notification letter from Change Healthcare said the breach involved the theft of:

-Health Data: Medical record #s, doctors, diagnoses, medicines, test results, images, care and treatment;
-Billing Records: Records including payment cards, financial and banking records;
-Personal Data: Social Security number; driver’s license or state ID number;
-Insurance Data: Health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.

The HIPAA Journal reports that in the nine months ending on September 30, 2024, Change’s parent firm United Health Group had incurred $1.521 billion in direct breach response costs, and $2.457 billion in total cyberattack impacts.

Those costs include $22 million the company admitted to paying their extortionists — a ransomware group known as BlackCat and ALPHV — in exchange for a promise to destroy the stolen healthcare data.

That ransom payment went sideways when the affiliate who gave BlackCat access to Change’s network said the crime gang had cheated them out of their share of the ransom. The entire BlackCat ransomware operation shut down after that, absconding with all of the money still owed to affiliates who were hired to install their ransomware.

A breach notification from Change Healthcare.

A few days after BlackCat imploded, the same stolen healthcare data was offered for sale by a competing ransomware affiliate group called RansomHub.

“Affected insurance providers can contact us to prevent leaking of their own data and [remove it] from the sale,” RansomHub’s victim shaming blog announced on April 16. “Change Health and United Health processing of sensitive data for all of these companies is just something unbelievable. For most US individuals out there doubting us, we probably have your personal data.”

It remains unclear if RansomHub ever sold the stolen healthcare data. The chief information security officer for a large academic healthcare system affected by the breach told KrebsOnSecurity they participated in a call with the FBI and were told a third party partner managed to recover at least four terabytes of data that was exfiltrated from Change by the cybercriminal group. The FBI did not respond to a request for comment.

Change Healthcare’s breach notification letter offers recipients two years of credit monitoring and identity theft protection services from a company called IDX. In the section of the missive titled “Why did this happen?,” Change shared only that “a cybercriminal accessed our computer system without our permission.”

But in June 2024 testimony to the Senate Finance Committee, it emerged that the intruders had stolen or purchased credentials for a Citrix portal used for remote access, and that no multi-factor authentication was required for that account.

Last month, Sens. Mark Warner (D-Va.) and Ron Wyden (D-Ore.) introduced a bill that would require HHS to develop and enforce a set of tough minimum cybersecurity standards for healthcare providers, health plans, clearinghouses and businesses associates. The measure also would remove the existing cap on fines under the Health Insurance Portability and Accountability Act, which severely limits the financial penalties HHS can issue against providers.

According to the HIPAA Journal, the biggest penalty imposed to date for a HIPPA violation was the paltry $16 million fine against the insurer Anthem Inc., which suffered a data breach in 2015 affecting 78.8 million individuals. Anthem reported revenues of around $80 billion in 2015.

A post about the Change breach from RansomHub on April 8, 2024. Image: Darkbeast, ke-la.com.

There is little that victims of this breach can do about the compromise of their healthcare records. However, because the data exposed includes more than enough information for identity thieves to do their thing, it would be prudent to place a security freeze on your credit file and on that of your family members if you haven’t already.

The best mechanism for preventing identity thieves from creating new accounts in your name is to freeze your credit file with Equifax, Experian, and TransUnion. This process is now free for all Americans, and simply blocks potential creditors from viewing your credit file. Parents and guardians can now also freeze the credit files for their children or dependents.

Since very few creditors are willing to grant new lines of credit without being able to determine how risky it is to do so, freezing your credit file with the Big Three is a great way to stymie all sorts of ID theft shenanigans. Having a freeze in place does nothing to prevent you from using existing lines of credit you may already have, such as credit cards, mortgage and bank accounts. When and if you ever do need to allow access to your credit file — such as when applying for a loan or new credit card — you will need to lift or temporarily thaw the freeze in advance with one or more of the bureaus.

All three bureaus allow users to place a freeze electronically after creating an account, but all of them try to steer consumers away from enacting a freeze. Instead, the bureaus are hoping consumers will opt for their confusingly named “credit lock” services, which accomplish the same result but allow the bureaus to continue selling access to your file to select partners.

If you haven’t done so in a while, now would be an excellent time to review your credit file for any mischief or errors. By law, everyone is entitled to one free credit report every 12 months from each of the three credit reporting agencies. But the Federal Trade Commission notes that the big three bureaus have permanently extended a program enacted in 2020 that lets you check your credit report at each of the agencies once a week for free.

ICO and UK NCA Collaborate to Support Cyber Attack Victims

The Information Commissioner’s Office (ICO) and the UK’s National Crime Agency (NCA) have entered into a Memorandum of Understanding (MOU) to enhance support for victims of cyberattacks. Under this agreement, victims of cyberattacks and ransomware will receive comprehensive assistance from government agencies, aiming to reduce risks associated with data breaches and digital threats. Both organizations will work together, sharing information about incidents while ensuring that victim data remains confidential without consent. The agencies will also address the impact of attacks using scientific methods and professional support to mitigate risks.

RansomHub Ransomware Targets Planned Parenthood

RansomHub, a ransomware group possibly funded by Russian intelligence, has threatened Planned Parenthood, a non-profit organization focused on reproductive health, with a demand for $30 million. The group, previously linked to BlackCat (also known as ALPHV), has claimed it will sell the stolen data if their demands are not met. They have reportedly already put 1GB of the stolen data up for sale, applying pressure on the organization with a deadline approaching this weekend.

Cosmic Beetle Deploys SCRansom Ransomware

The Cosmic Beetle threat group, associated with the Kremlin, has begun deploying SCRansom ransomware targeting small and medium-sized businesses across Europe, Asia, Africa, South America, and parts of the Middle East. The ransomware primarily affects sectors including manufacturing, legal, education, healthcare, and technology, with recent attacks also impacting finance and hospitality businesses. Cosmic Beetle, an affiliate of RansomHub, is using a toolkit named Spacecolon to spread the Scarab Ransomware globally.

Poland Blocks Pegasus Spyware Investigation

NSO Group, the developer of the Pegasus surveillance software, has faced controversy for selling the software to private individuals who used it for unauthorized spying. Following its global misuse, several countries, including the U.S., Australia, India, Germany, and Poland, imposed bans on the software and launched investigations into the misuse. However, Poland’s special Parliamentary Commission has blocked the investigation, citing its unconstitutionality. Magdalena Sroka, head of the Pegasus Probe Commission, has condemned the ban, accusing it of being politically motivated by the previous government.

The post Latest Cybersecurity News Headlines on Google appeared first on Cybersecurity Insiders.

Google to Revise One-Time Password (OTP) Process

Google is set to introduce new rules for handling One-Time Passwords (OTPs) on Android devices. Starting soon, OTPs will be processed by Google’s spam filters with a delay of 20 seconds before reaching users. This move aims to enhance security by reducing the risk of OTP interception by fraudsters. Additionally, Google plans to remove fake or low-quality mobile applications from its Play Store to combat malware. These changes will initially affect users in India, Australia, Canada, parts of the United States, and Britain, with a broader rollout expected in the future.

WhatsApp to Introduce Usernames and PINs

WhatsApp, a subsidiary of Meta Inc., is preparing to replace mobile phone numbers with usernames and PINs for account access. This update, currently in beta testing in Singapore, Australia, and Canada, will soon be available globally. Initially, the feature will be rolled out to Apple iOS users, with plans to extend to other platforms later.

FBI and CISA Issue Joint Alert on RansomHUB

The FBI and CISA have issued a joint alert concerning RansomHUB, a ransomware group that has targeted approximately 200 companies in the past six months. Known also as Cyclops or Knight, the group is expanding its operations by incorporating members from other ransomware organizations such as BlackCat and Lockbit. Businesses are urged to strengthen their cybersecurity measures to protect against these evolving threats.

Radware Predicts Surge in DDoS Attacks

Radware has forecasted a dramatic increase in DDoS attacks, predicting 1,000 to 2,000 attacks per month for the remainder of 2024. This surge is expected to create public fear and political instability, potentially influencing the upcoming U.S. elections on November 5th, 2024. The rise in AI-driven cyber-attacks is anticipated to have significant political and social ramifications.

Rhysida Ransomware Data Still Usable, Claims Security Expert

In July 2024, the Rhysida Ransomware group announced it had stolen data from Ohio’s Franklin County following an attack on the City of Columbus. Despite claims by Columbus Mayor Andrew Ginther that the data was unusable, security researcher David Leroy Ross has argued that it contains sensitive information, such as names of domestic violence victims and police officers’ SSNs. The data was reportedly sold for $1.7 million on the dark web. The dispute is now under legal scrutiny, with Ross presenting evidence to media outlets to support his claims.

The post Trending Cybersecurity News Headlines on Google appeared first on Cybersecurity Insiders.

In February of this year, Change Health, a subsidiary of UnitedHealth, made headlines when it fell victim to a sophisticated cyber attack, later identified as a variant of ransomware known as AlphaV, also operating under the alias BlackCat ransomware group. The attackers demanded a staggering $22 million to return the stolen data and decrypt the victim database.

United Health, the parent company, opted to meet the hackers’ demands, paying the hefty sum to safeguard the sensitive patient information from potential sale on the dark web.

However, just when it appeared that the situation had calmed, another group, RansomHUB, emerged and claimed responsibility for a new threat. Demanding $20 million to prevent the public release of the stolen data, RansomHUB is revealed to be an affiliate of the BlackCat ransomware gang, targeting Change Healthcare’s IT infrastructure through vulnerabilities to steal information.

Despite not receiving 80% of their demanded ransom, RansomHUB is now threatening to leak the data unless UnitedHealth complies with their demands.

Interestingly, the initial $22 million payment to AlphaV did not deter RansomHUB’s extortion efforts. This development raises suspicion among security experts, who speculate that RansomHUB could be a splinter group of AlphaV, aiming to double-dip on ransom payments. Alternatively, they might have gained access to the stolen information independently and are leveraging it for further extortion.

Caught in the middle of this high-stakes cybercrime, Change Healthcare’s IT department is at a loss for how to proceed. Seeking assistance from forensic experts and law enforcement, they are grappling with the complexity of the situation and the threat it poses to their operations and reputation.

The post Another ransomware gang reclaims to have hacked United Health appeared first on Cybersecurity Insiders.