UnitedHealth rumored to have paid $22M to ALPHV/BlackCat hackers

New rumors that ransomware victim UnitedHealth Group (UHG) and its Optum division have forked over a $22 million ransom payment over the weekend to the ALPHV/BlackCat hackers are being circulated on the dark web.

Apparently, a disgruntled hacker group made the claims after getting jilted out of their cut of the ransom payment by the infamous ALPHV gang – and as payback, decided to spill the beans about the ransomware deal-gone-bad on a Russian dark web forum Sunday.

What’s more, even though ALPHV allegedly took the money and ran, the hackers say they still have in their possession about 4TB of the sensitive data (out of 6TB) claimed to have been stolen in the breach.

“#ALPHV scamming affiliates? $22M paid and withdrawn,” X user @ddd1ms first posted about the ransomware gang saga on Monday.

@ddd1ms (aka intel analyst Dmitry Smilyanets, PMD at Recorded Future) attached a copy of the hackers' message, which was seen on the cybercriminal forum RAMP – which stands for Russian Anonymous Market Place – a place where hackers are known to trade, sell, and buy stolen data, among other services and goods.

The victim, UnitedHealth Group, has been reeling since a February 21st cyberattack on its health-tech subsidiary, Change Healthcare, began causing havoc for thousands of health providers across the US – making a $22M ransom payment not that surprising.

From hospitals to retail chains and small offices, Change Healthcare’s system-wide shut-down resulted in pharmacy back-ups and delays in provider payments, causing panic among patients who were unable to fill prescriptions and practitioners who were unable to pay their bills.

“We are affiliate plus who has been working with ALPHV for long time and on 1st of March 2024, the victim change healthcare - OPTU M paid ALPHV 22M as ransom to prevent data leakage and decryption key,” the hackers' message began.

To note: ALPHV, around since 2019, is a ransomware-as-a-service (RaaS) outfit that sells its signature BlackCat variant to other groups, or “affiliates,” for a cut of the profits.

The hackers then go on to say that after ALPHV received the $22M, the gang “decide to suspend our account and keep lying and delaying when we contacted ALP HV [sic] admin on TOX.”

(TOX chat is an open-source messaging app commonly used by ransomware gangs to communicate securely, similar to Telegram.)

Next thing the hackers knew, after getting blown off by both the gang's administrator and coder, ALPHV had “emptied the wallet and took all the money,” they wrote.

The hackers then provided a “huge” list of Change Healthcare partners that they claim to still “have sensitive data for.”

  • Medicare
  • Tricare
  • CVS-CareMark- Loomis
  • Davis Vision
  • Health Net
  • MetLife
  • Teachers Health Trust
  • Tens of insurance companies and others AND more!

The same list was given in its entirety by ALPHV/BlackCat when they posted UnitedHealth Group and Change Healthcare as victims on their dark leak site on February 29th, so not that exciting.

ALPHV/BlackCat dark leak site listing Change Healthcare. Image by Cybernews

The kicker is that the hackers ended the post with a link to what they claim is ALPHV/BlackCat’s crypto payment address to show “PROOF of ALPHV scam.”

“Be careful everyone and stop deal with ALPHV,” the hackers said, signed by “nochy” and sealed with an X.

So far, ALPHV has not responded to the accusations, although we can surmise the gang will eventually reply, as it is known for taking its time to craft lengthy posts telling its 'side of the story.'

Unfortunately, Change Healthcare processes health data for about 25% of the US population, the real victims in this case – especially because, if the hackers are telling the truth, they will likely either retry extorting UHG for more money or, more probably, try to sell the remaining “critical data” on the dark web to recoup their losses.

The Russian-linked ALPHV/BlackCat cartel is known for its triple-extortion tactics and has netted tens of millions from nearly 1,000 victims in the past year, according to the FBI.
