A(nother) Ransomware Saga with a Twist

Joao Correia

March 29, 2024 - Technical Evangelist

The healthcare sector has once again found itself at the center of a storm. On February 21, Change Healthcare, a titan in healthcare support services, suffered a devastating cyberattack by the notorious BlackCat/ALPHV group. This incident has sent shockwaves through the U.S. healthcare system, affecting hospitals, clinics, and pharmacies nationwide.

The Unfolding of the Cyberattack


Change Healthcare, recently acquired by UnitedHealth Group in an $8 billion deal, is integral to the healthcare infrastructure in the U.S. and several other countries. They process an astonishing 15 billion insurance claims annually, totaling over $1.5 trillion. The breach by BlackCat, the same group implicated in the Las Vegas casino attacks, highlights the pervasive vulnerabilities within the healthcare industry.

The attack’s modus operandi remains shrouded in mystery, though speculation points toward a combination of remote desktop and Active Directory brute-forcing techniques. Regardless of the entry point, the aftermath was clear: ransomware was deployed, crippling over 111 different services within Change Healthcare’s vast network. 

Because of Change Healthcare’s critical position in the industry, providing services to hospitals, clinics, and pharmacies and thereby to professionals and patients alike, the attack led to a nationwide healthcare paralysis: hospitals couldn’t bill, pharmacies couldn’t process insurance, and countless patients were left in a state of uncertainty and financial distress.

As part of the ransomware deployment, a substantial amount of bitcoin was demanded to free the encrypted data and to pinky-swear delete the data that had been stolen at the same time.

The Government Steps In


The ripple effects of the attack were so severe that the Department of Health and Human Services (HHS) intervened, issuing guidance to healthcare providers and insurance companies. This unprecedented step aimed to mitigate the crisis by encouraging flexibility in prior authorization rules and acceptance of paper claims, among other measures.

By March 7, Change Healthcare had restored prescription claim submissions and payment systems, and its electronic payments platform was fully recovered by March 15. Yet the financial and operational damage was already monumental.


The Plot Twists


The narrative took an unexpected turn when it was revealed that a bitcoin address linked to BlackCat/ALPHV received a ransom payment of 350 bitcoins, approximately $22 million. This transaction not only underscored the severity of the attack but also contributed to a notable surge in bitcoin prices earlier this month, during which it soared past $60,000 per bitcoin.

But here’s where the story deviates into the realms of cyber noir. The BlackCat data leak site, of the kind typically seized by law enforcement in such high-profile cases, displayed a seizure notice. However, this was no ordinary takedown. The FBI and other agencies have not claimed responsibility – and in fact denied it – and discrepancies in the seizure notice have led to suspicions that it was fake. Further stirring the pot, an alleged BlackCat affiliate claimed the group reneged on sharing the ransom proceeds, suggesting an internal fallout or a calculated exit scam.

No honor among thieves is a tale as old as time.

It’s also noteworthy that the BlackCat/ALPHV affiliate who came out against the ransomware-as-a-service provider implied that it still held data on many other healthcare industry organizations, including financial and medically-relevant personally identifiable information on patients.


The Very Real Problem With Critical Infrastructure


Nation states have been trying to find ways to secure their critical infrastructure from cyberattacks. It’s important to note that it’s not just about preventing a pipeline from bursting, or a centrifuge at a nuclear plant going haywire. Crippling incidents like the Change Healthcare attack affect the daily, and very real, lives of millions of citizens. They impact the ability to do things we take for granted, like filling prescriptions or seeing a doctor when necessary.

A series of such incidents, triggered at the right moment across multiple industries, can paralyze the daily routine of millions, and wreak havoc on society. Industries like aviation or even heavy industry are more visible when something goes wrong – but what if water stopped flowing in your tap at home? What if the power went out during a blizzard? What if the trains no longer arrived? Or the subway couldn’t run? Or, what if the AC systems nationwide were suddenly and simultaneously locked on high?

Lessons and Reflections


This saga serves as a reminder of the fragility of our interconnected healthcare systems and the audacity of cybercriminals. It’s a cautionary tale of not just the vulnerabilities in our digital infrastructure but also of the unpredictable, almost cinematic twists that can emerge in the shadowy world of cybercrime.

As healthcare professionals and cybersecurity experts dissect this incident, the focus turns to resilience and recovery. It’s an urgent call to bolster our defenses, refine our disaster recovery plans, and ensure that when – not if – the next attack comes, we are better prepared.

The BlackCat/ALPHV incident transcends the usual ransomware attack narrative, revealing layers of complexity and intrigue that could rival any spy thriller. Yet, the real-world consequences of such attacks are far from entertaining, highlighting the critical need for robust cybersecurity measures in safeguarding our healthcare systems.

As this story continues to unfold, it serves as a compelling reminder of the ongoing battle between cybersecurity defenders and cybercriminals, a saga that remains far from over.

