Date: 2024-04-10



UnitedHealth Group's Change Healthcare is facing a second extortion demand following a February ransomware attack that sent shockwaves throughout the industry. Since the BlackCat cybercrime group first hit the healthcare technology and payment processing giant, the effects have left patients struggling to get care and healthcare providers struggling to stay afloat financially. Change Healthcare reportedly paid the ransomware attackers in March, but the company must now decide how to respond to another ransomware group, RansomHub, which claims to have 4TB of stolen data, per The Register. That data allegedly includes personally identifiable information about patients and active military personnel, as well as medical and dental records, payment and claims information, and source code files for Change Healthcare software solutions, according to SC Media.

Researchers have put forward several theories about how RansomHub could have obtained this data, if its claims are true. Some suggest that BlackCat may have reformed under a new name and is seeking a second payout. Others suggest that former BlackCat affiliates, denied their share of the initial extortion payment by BlackCat developers, kept the stolen data and joined RansomHub, The Register reports. A conversation posted by a malicious resource sharing group, if genuine, adds weight to the latter theory, according to SC Media. It is also possible that RansomHub separately compromised Change Healthcare. A researcher told SC Media that it is not uncommon for responders to a cyber incident to discover multiple threats within the victim's compromised environment.

Records of blockchain transactions linked to BlackCat, as well as claims on crime forums, suggest that Change Healthcare made a $22 million payment to the ransomware gang, although the company has not confirmed this. BlackCat operated with a ransomware-as-a-service model, in which developers create malicious code and affiliates then access victims' networks and deploy this ransomware. If victims pay, developers and affiliates each take a cut of the payment. In the case of Change Healthcare, however, BlackCat may have kept the entire alleged extortion payment. On March 3, a BlackCat affiliate said on a ransomware forum that BlackCat had not paid it its share of the Change Healthcare ransom, according to cybersecurity journalist Brian Krebs. The affiliate claimed to still have the stolen data. BlackCat responded by seemingly disbanding.

From a broader perspective, this development from RansomHub highlights how difficult the question of whether to pay ransomware actors is. Essential service providers, like healthcare organizations, need to get back up and running as quickly as possible, but paying doesn't necessarily solve the problem. It means relying on cybercriminals' promise to delete data once they're paid, which apparently did not happen here, if the claims from RansomHub and the BlackCat affiliate are true.

The far-reaching consequences of the attack on Change Healthcare also raise questions not only about cybersecurity postures, but about industry consolidation. The Rockefeller Institute of Government notes that Change Healthcare claimed that its products and platforms impacted nearly one in three patients, so its disruption had an industry-wide effect. The institute stopped short of calling for trust-busting, but said policymakers should carefully weigh the risks of another Change Healthcare-style crisis when determining the right level of vertical and horizontal consolidation to allow or encourage. In addition to strengthening cybersecurity, the institute said, it is also worth understanding the extent to which the healthcare industry relies on such a small number of entities for critical services, such as filling prescriptions or processing claims, and the additional risk that comes from grouping these different services within a single company.

