Change Healthcare stolen data appears on dark web

Despite paying the initial ransom, Change Healthcare’s hijacked data appears at risk of release by a related but disgruntled cybergroup.
By admin
Apr 18, 2024, 2:21 PM

The bottom line

Paying ransom is no guarantee stolen data will be returned and the victim will be safe from additional threats by cybercriminals.

What happened

An affiliate of AlphV, the ransomware-as-a-service (RaaS) group behind the Change Healthcare cyberattack, has threatened the release of the hijacked data on the dark web via the leak site maintained by the group RansomHub, according to numerous sources.

RansomHub issued a warning to Change Healthcare and UnitedHealth that it needed to pay an unspecified amount to prevent the data release — they posted a countdown clock on their leak site as well as screenshots indicating the types of information and other organizations included in the stolen data set (source: WIRED).

What it means

In the debate on whether organizations should pay ransoms, this development highlights additional risks to consider.

It often isn’t clear who holds the stolen data. The RaaS operator, the affiliate that actually carries out the attack, or both may have a copy. Screenshots can be useful, but there is no easy way to verify claims made by cybercriminals.

Despite their increased sophistication, cybercriminals are unreliable and volatile. In the Change Healthcare case, the affiliate was disgruntled due to not getting an expected share of the ransom from AlphV, claiming the RaaS group took the money as an “exit scam.” The affiliate appears to be using the data to recoup their lost share from the victim.

A closer look

In many ransomware attacks, an affiliate uses a RaaS group’s program to infiltrate the victim and hijack its data. The affiliate, known as Notchy, alleged that AlphV took the entire ransom without sharing it with affiliates as agreed — affiliates typically get 80% of the total. RansomHub then listed 4TB of Change Healthcare data on its leak site, including personal health information (PHI) of patients, among them military personnel, as well as dental records, claims and payment info, and insurance records. It named several major health plans and insurance companies whose data is found in the stolen cache.

This would be the second time Change Healthcare faces a ransom situation for the same data from the initial February 2024 RaaS attack.

There has been wide speculation among security experts that RansomHub is simply the newest iteration of AlphV, which the leak site has denied.
