ALPHV/BlackCat threatens to leak data stolen in Change Healthcare cyberattack


The ALPHV/BlackCat ransomware group has claimed responsibility for the cyberattack that targeted Optum, a subsidiary of UnitedHealth Group (UHG), causing disruption to the Change Healthcare platform and affecting pharmacy transactions across the US.

ALPHV/BlackCat is back

Last December, US law enforcement successfully shut down the ransomware group’s websites, and the FBI developed a decryption tool. Despite this setback, the group quickly recovered and resumed its activities.

On Wednesday, the group published a statement on their leak site, claiming that they stole 6TB of Change Healthcare’s sensitive data, including:

  • Personally identifiable information (PII) belonging to US military/navy personnel
  • Medical records
  • Dental records
  • Payments information
  • Claims information
  • Patients’ PII including phone numbers, addresses, Social Security numbers, emails, etc.
  • 3000+ source code files for Change Healthcare solutions
  • Insurance records, and more.

They have also listed affected Change Healthcare partners, claiming to have their sensitive data as well.

Optum updated its security notice yesterday, stating that it is still working on restoring the impacted Change Healthcare systems, and assuring customers that Optum, UnitedHealthcare and UHG systems have not been affected.

Healthcare organizations should be on the lookout

On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS) published a joint cybersecurity advisory about the ALPHV/BlackCat group, noting its recent focus on targeting US healthcare organizations.

“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized,” the agencies said, and speculated that this is a consequence of the ALPHV/BlackCat administrator’s post encouraging affiliates to target hospitals after the December 2023 takedown.

In the advisory, the agencies outlined the group’s latest tactics, techniques and procedures (TTPs).

To gain initial access, ALPHV/BlackCat affiliates use social engineering techniques and open source research to obtain user credentials. They then deploy remote access software such as AnyDesk, Mega sync, and Splashtop to prepare for data exfiltration, and additional legitimate remote access and tunneling tools for further access.

After moving the victims’ data to their Mega.nz or Dropbox accounts, they proceed to deploy the ransomware and encrypt the data.
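As an added illustration (not part of the article or the joint advisory), the staging pattern just described can be turned into a simple detection: a host on which one of the named tools (AnyDesk, Splashtop, MEGAsync) starts and which, within a short window, resolves one of the named storage services (Mega.nz, Dropbox) is more interesting than either observation alone. The tool and service names come from the text above; the executable names, log format, two-hour correlation window and the sample telemetry are constructed assumptions and should be adapted to your own EDR and DNS logging.

```python
"""Correlate endpoint events for the staging pattern attributed to
ALPHV/BlackCat affiliates: a remote access or sync tool appears on a host,
then that host contacts a consumer cloud storage service."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tools named in the advisory summary. The executable name fragments are
# assumptions for illustration; align them with your EDR's naming.
TOOL_PATTERNS = {
    "AnyDesk": re.compile(r"anydesk", re.I),
    "Splashtop": re.compile(r"splashtop|srserver", re.I),
    "MEGAsync": re.compile(r"megasync", re.I),
}
# Storage services named in the text as exfiltration destinations.
DESTINATION_PATTERNS = {
    "Mega.nz": re.compile(r"(^|\.)mega\.(co\.)?nz$", re.I),
    "Dropbox": re.compile(r"(^|\.)dropbox(api|usercontent)?\.com$", re.I),
}
WINDOW = timedelta(hours=2)  # assumed correlation window; tune to taste

# Constructed sample telemetry, one event per line:
# <ISO timestamp> <host> <event_type> <detail>
SAMPLE_EVENTS = """\
2024-02-20T09:12:03Z WS-0142 process_start C:\\Users\\jdoe\\Downloads\\AnyDesk.exe
2024-02-20T09:15:02Z WS-0142 process_start C:\\Users\\jdoe\\AppData\\Local\\MEGAsync\\MEGAsync.exe
2024-02-20T09:16:40Z WS-0142 dns_query g.api.mega.co.nz
2024-02-20T09:17:01Z WS-0142 dns_query mega.nz
2024-02-20T10:02:17Z WS-0077 process_start C:\\Program Files\\Splashtop\\SRServer.exe
2024-02-20T11:30:00Z WS-0301 dns_query www.dropbox.com
2024-02-20T11:45:22Z WS-0512 process_start C:\\Windows\\System32\\notepad.exe
2024-02-21T08:00:00Z WS-0077 dns_query dropbox.com
"""


def parse_event(line):
    """Split one telemetry line; the detail field may itself contain spaces."""
    ts, host, etype, detail = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, etype, detail


def analyze(events_text):
    """Return {host: finding} for hosts where a named tool was started.

    severity is "high" when the same host also resolved a named storage
    service within WINDOW of the tool start, otherwise "medium". Hosts that
    only contacted a storage service are not reported: that alone is too
    common in most environments to be worth an alert.
    """
    per_host = defaultdict(lambda: {"tools": [], "destinations": []})
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ts, host, etype, detail = parse_event(line)
        if etype == "process_start":
            for name, pat in TOOL_PATTERNS.items():
                if pat.search(detail):
                    per_host[host]["tools"].append((ts, name))
        elif etype == "dns_query":
            for name, pat in DESTINATION_PATTERNS.items():
                if pat.search(detail):
                    per_host[host]["destinations"].append((ts, name))

    findings = {}
    for host, obs in per_host.items():
        tools, dests = obs["tools"], obs["destinations"]
        if not tools:
            continue
        correlated = any(abs(dt - tt) <= WINDOW
                         for tt, _ in tools for dt, _ in dests)
        findings[host] = {
            "severity": "high" if correlated else "medium",
            "tools": sorted({n for _, n in tools}),
            "destinations": sorted({n for _, n in dests}),
        }
    return findings


if __name__ == "__main__":
    for host, finding in sorted(analyze(SAMPLE_EVENTS).items()):
        print(host, finding)
```

On the constructed sample, WS-0142 is reported as high (AnyDesk and MEGAsync followed minutes later by Mega.nz lookups), WS-0077 as medium (Splashtop, with a Dropbox lookup only the next day, outside the window), and WS-0301 and WS-0512 are not reported. In production the same logic maps naturally onto a SIEM join between process-creation and DNS telemetry keyed on host and time.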

“ALPHV/BlackCat affiliates offer to provide unsolicited cyber remediation advice as an incentive for payment, offering to provide victims with ‘vulnerability reports’ and ‘security recommendations’ detailing how they penetrated the system and how to prevent future re-victimization upon receipt of ransom payment,” the agencies noted.

FBI, CISA, and HHS have provided indicators of compromise (IoCs) and urge organizations to implement recommendations to minimize the possibility of falling victim to a ransomware attack launched by ALPHV/BlackCat or its affiliates.