ALPHV/BlackCat exposes UnitedHealth hack details on leak blog


The ALPHV/BlackCat ransomware gang published a post on its leak blog Wednesday exposing intimate details of the UnitedHealth Group (UHG) cyberattack it claims to have carried out against UHG subsidiary Change Healthcare, an attack that has affected hospitals and pharmacies across the nation.

The 2200-word ALPHV/BlackCat post slammed the US healthcare conglomerate for lying about how much damage the breach had actually caused and for not revealing how much sensitive data had been exfiltrated during the hack.

“After 8 days and Change Health have still not restored its operations and chose to play a very risky game hence our announcement today,” ALPHV posted in its dark leak blog Wednesday afternoon.


The group chided the Minnesota-based company for claiming the attack was “‘strictly related’ to Change Healthcare only and it was initially attributed to a nation state actor.”

UHG had described the attacker that way in its original Form 8-K breach disclosure filed with the Securities and Exchange Commission (SEC), which first announced the hack on February 21st.

“Two lies in one sentence,” ALPHV wrote, declaring it was only when the group threatened to come forward that UHG changed their tune.

[Screenshot: ALPHV/BlackCat dark web leak blog post on Change Healthcare]

The ransomware group also claimed it had stolen over 6TB of “highly selective data” from Change Healthcare servers.

“Change Healthcare production servers process extremely sensitive data to all of UnitedHealth clients that rely on Change Healthcare technology solutions,” ALPHV wrote. “Meaning thousands of healthcare providers, insurance providers, pharmacies, etc...,” it added.

Personal data of millions stolen

“Anyone with some decent critical thinking will understand what damage can be done with such intimate data on the affected clients of UnitedHealth/UnitedHealth solutions as well, beyond simple scamming/spamming,” the group said.


ALPHV/BlackCat said it exfiltrated the personal data and records of millions of individuals, including:

  • Active US military/navy personnel PII
  • Patients PII including Phone numbers/addresses/SSN/emails/etc.
  • Medical and dental records
  • Financial payment information
  • Insurance records and claims information

The cartel also claims to have stolen 3000+ source code files for Change Health solutions.

Furthermore, the group listed a swath of major American healthcare entities allegedly compromised as part of the hack, including Medicare, Tricare, CVS-CareMark, Loomis, HealthNet, and MetLife.

“The vast amount of sensitive patient data stored within healthcare systems makes these organizations a dangerous target for ransomware groups, with the potential for far-reaching consequences,” said Andrew Costis, Chapter Lead of the Adversary Research Team at AttackIQ.

Costis said these types of attacks can "cripple organizational operations and, more importantly, compromise patient health and safety.”

Meanwhile, ending the blog with a "PS" addressed to "so-called" cyber intelligence, ALPHV made sure to note that it did not use the recently exposed ConnectWise ScreenConnect exploits to gain initial access to the Change Healthcare systems, as had been the talk among industry circles.

(ConnectWise disclosed the critical ScreenConnect vulnerabilities and released patches for them last month, and exploit code has since circulated in the wild, but nearly 8,000 organizations, most in the US, have still not updated the software, leaving them exposed.)

Then, strangely, almost as soon as the post went up, ALPHV took it down again.

Cybernews can only speculate the blog post was a chance for ALPHV/BlackCat to play hardball with UHG negotiators, and publicly embarrass the company in an attempt to finalize a successful ransom payment.


$80 billion lost to healthcare ransomware attacks

The attack had forced Change Healthcare to disconnect its systems in an attempt to contain the breach, resulting in delays at major retail pharmacy chains across the US, and some hospitals.

In its latest update Tuesday, UHG said it had distributed “effective workarounds” for providers and pharmacists while it tries to restore systems.

“Ransomware attacks against US healthcare providers cost nearly $80 billion over the past seven years,” according to Jon Miller, CEO and co-founder of anti-ransomware company Halcyon.

Within that timeframe, 539 attacks were reported, 10,000 hospitals and clinics impacted, and over 52 million records compromised, Miller said.

[Image: Change Healthcare (Shutterstock)]

Miller points out that "ransomware operators continue to victimize healthcare providers because the sector typically lacks the appropriate budgets and staff to maintain a reasonable security posture."

Criminal gangs like ALPHV also know that when patient care is disrupted, the organization feels an urgency to get back up as quickly as possible that does not exist in other sectors, he pointed out.

"The more pain and potential jeopardy [these ransomware groups] can inflict, the higher the potential payout," Miller said.

Change Healthcare platform systems handle payment and billing management, plus medical, insurance, and patient services, making it one of the largest health technology firms in the US.


According to Becker’s Hospital Review, Change Healthcare services transactions for more than 85 million patients, or roughly 25% of the total US population – a fact that did not escape the ransomware group.

ALPHV/BlackCat threatens healthcare industry

First observed in 2021, ALPHV/BlackCat was also singled out Tuesday by the Cybersecurity and Infrastructure Security Agency (CISA), which put out a joint ransomware advisory with the FBI and the Department of Health and Human Services specifically urging the healthcare industry to be on special alert.

"This advisory, published after BlackCat was linked to the Change Healthcare cyberattack, warns that the healthcare sector has been the most commonly victimized out of the nearly 70 leaked victims," Costis said.

The Russian-linked cartel is known for its triple-extortion tactics and for operating as a ransomware-as-a-service (RaaS), leasing its signature BlackCat variant to criminal affiliates who carry out the intrusions.

Costis noted that the advisory "contains updates to the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with BlackCat from a December advisory and the FBI’s FLASH alert from April 2022."

Healthcare organizations should be "leveraging the MITRE ATT&CK framework," Costis said, validating their security controls against BlackCat’s TTPs laid out in the joint advisory.

Costis said this will help health organizations assess their security postures, pinpoint any vulnerabilities, and mitigate the risk of future attacks.
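What “validating controls against BlackCat’s TTPs” looks like in practice is feeding a known-bad sample of each technique through your own detection logic and checking that each one fires, and that benign activity does not. The script below is an added example written for this article; it is not code from AttackIQ, CISA, or the advisory. The technique IDs are real MITRE ATT&CK identifiers, but the detection rules, the key=value log format, and the sample log lines are constructed assumptions for illustration only.

```python
"""Added example: a toy ATT&CK-mapped detection check for a few BlackCat-style
TTPs, exercised against constructed Windows process-creation log lines.
Not from the article, CISA, or AttackIQ. Technique IDs are real ATT&CK IDs;
the rules, log format and sample lines are assumptions made for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str       # MITRE ATT&CK technique ID the rule covers
    name: str
    pattern: re.Pattern  # matched against the process command line


# Illustrative subset of techniques reported for BlackCat affiliates:
# shadow-copy / recovery tampering and disabling Defender.
RULES = [
    Rule("T1490", "shadow copy deletion (vssadmin/wmic)",
         re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    Rule("T1490", "Windows recovery disabled (bcdedit)",
         re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)),
    Rule("T1562.001", "Defender real-time monitoring disabled",
         re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
]

# Constructed log format (assumption): ISO timestamp, then key=value pairs;
# values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Parse one constructed process-creation line into a dict of fields."""
    ts, _, rest = line.strip().partition(" ")
    fields = {"ts": ts}
    for m in KV_RE.finditer(rest):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def detect(lines, rules=RULES):
    """Run every rule over every line; return one hit per (line, rule) match."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        cmd = ev.get("cmdline", "")
        for rule in rules:
            if rule.pattern.search(cmd):
                hits.append({"ts": ev["ts"], "host": ev.get("host"),
                             "user": ev.get("user"), "technique": rule.technique,
                             "rule": rule.name, "cmdline": cmd})
    return hits


def validate(samples, rules=RULES):
    """Control validation: each sample is (log line, expected technique or None
    for benign). Returns (technique -> detected?) plus any false positives.
    A technique present in the samples but covered by no rule shows as a gap."""
    covered = {r.technique: False for r in rules}
    false_positives = []
    for line, expected in samples:
        fired = {h["technique"] for h in detect([line], rules)}
        if expected is None:
            false_positives.extend(sorted(fired))
        else:
            covered.setdefault(expected, False)
            if expected in fired:
                covered[expected] = True
    return covered, false_positives


# Constructed sample events emulating the TTPs, plus one benign line.
# The T1219 (remote access software) sample has no matching rule on purpose.
SAMPLES = [
    ('2024-02-21T03:14:07Z host=HOSP-FS01 user=CORP\\svc_backup '
     'image=C:\\Windows\\System32\\vssadmin.exe '
     'cmdline="vssadmin.exe delete shadows /all /quiet"', "T1490"),
    ('2024-02-21T03:14:09Z host=HOSP-FS01 user=CORP\\svc_backup '
     'image=C:\\Windows\\System32\\bcdedit.exe '
     'cmdline="bcdedit /set {default} recoveryenabled no"', "T1490"),
    ('2024-02-21T03:14:12Z host=HOSP-WS22 user=CORP\\jdoe '
     'image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
     'cmdline="powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"',
     "T1562.001"),
    ('2024-02-21T03:14:40Z host=HOSP-WS22 user=CORP\\jdoe '
     'image=C:\\Users\\jdoe\\Downloads\\AnyDesk.exe '
     'cmdline="AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"', "T1219"),
    ('2024-02-21T03:15:00Z host=HOSP-WS22 user=CORP\\jdoe '
     'image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe shifts.txt"', None),
]

if __name__ == "__main__":
    covered, fps = validate(SAMPLES)
    for technique, ok in covered.items():
        print(f"{technique}: {'detected' if ok else 'GAP'}")
    print("false positives:", fps)
```

Run as-is, the report shows T1490 and T1562.001 detected, T1219 as a gap, and no false positives on the benign line. The point of keying results by ATT&CK ID rather than by rule name is that the output can be compared directly against the technique list in the advisory: every ID listed there that comes back as a gap is a control you have not yet demonstrated works.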

On February 15th, the US government put up a bounty of up to $15 million for information leading to the arrest of any ALPHV/BlackCat members or affiliates.

[Screenshot: US offers up to $15M reward for information leading to the arrest of ALPHV/BlackCat members]

This past December, after making waves with the September 2023 attacks on Las Vegas casino giants MGM Resorts and Caesars Entertainment, ALPHV/BlackCat had its leak site seized by the FBI, only for the gang to reclaim it hours later in a back-and-forth cat-and-mouse game played out on the dark web.

As part of the December operation, the FBI released a decrypter tool to help at least 500 victims restore their previously encrypted networks, saving them tens of millions in ransom payments.

Afterward, ALPHV threatened it would retaliate for the temporary takedown by extorting critical infrastructure providers and hospitals.

Although the short-lived tussle with the FBI put a dent in ALPHV’s operations, by January the group appeared to have returned to “business as usual,” claiming numerous victims per day on its dark web blog, including Canada's Trans-Northern Pipelines earlier this month.
