RansomHub says Change Healthcare data now up for sale

Change Healthcare data stolen in a February ransomware attack is allegedly up for sale, extortion group RansomHub announced Tuesday.

Screenshots from RansomHub’s leak site posted by Dark Web Informer and Emsisoft Threat Analyst Brett Callow Tuesday afternoon show the group listing the data for sale, claiming to have information from “tens of” insurance providers as well as personal information on patients, Change Healthcare source codes “and many more.”

The announcement comes one day after the group began leaking some of the alleged Change Healthcare data, including screenshots appearing to show data-sharing agreements with insurers and bills for patient care, BleepingComputer reported.

“The information being published by RansomHub is pretty convincing, with screenshots of legal documents (Trader Partner Agreements), Bills for Services to providers, Medicare claim information (which includes sensitive PII), payment information, and more,” Sean McNee, vice president of research and data at DomainTools, told SC Media. “The variety of data being leaked indicates that the data dump was not limited to one or a few systems. Indeed, if this data and more becomes fully leaked, it could be devastating to the individuals affected.”

Change Healthcare, which is owned by UnitedHealth Group subsidiary Optum, suffered a cyberattack on Feb. 21, leading to widespread operational disruptions at hospitals and pharmacies across the United States.

The attack was claimed by the ALPHV/BlackCat ransomware group, which subsequently shut down its leak site and made off with a $22 million ransom allegedly paid by Optum in an apparent exit scam against its own affiliates, possibly due to law enforcement pressure.

The affiliate responsible for the Change Healthcare attack, known as “Notchy,” is believed to have been recruited by RansomHub after being left emptyhanded by ALPHV/BlackCat, based on messages exchanged between a RansomHub admin and the admin of the malware resource-sharing group vx-underground last week.

RansomHub first claimed possession of 4TB of the stolen Change Healthcare data last Monday, giving the company an approximately 12-day deadline to negotiate a ransom before the info would be sold to the highest bidder.

“This comes as no surprise. We had previously outlined this scenario in our blog post. Notchy’s experience of being swindled has left the security of the data hanging until his demands are met. What’s unexpected is the sympathetic response from the public towards the threat actor, a viewpoint that I find shocking,” Ngoc Bui, cybersecurity expert at Menlo Security, told SC Media.   

As of Monday, RansomHub had stated Optum had five days to negotiate an agreement to prevent the sale of the data, making the Tuesday announcement a surprise.

“We are working with law enforcement and outside experts to investigate claims posted online to understand the extent of potentially impacted data. Our investigation remains active and ongoing. There is no evidence of any new cyber incident at Change Healthcare,” Optum said in a statement provided to SC Media Tuesday afternoon.  

Change Healthcare ransomware fallout continues

In a Tuesday SEC filing, UnitedHealth Group reported that the Change Healthcare attack cost the company $872 million last quarter, with total costs from the attack expected to reach more than $1 billion by the end of the calendar year.  

The company has not confirmed whether it paid the reported $22 million ransom to ALPHV/BlackCat, although blockchain transaction records appear to support that the payment was made. Optum declined to say whether a ransom was paid in its response to SC Media’s inquiries.

“Some organizations operate under the false assumption that if they paid ransom money to a given group, they are now immune from additional attacks. Other organizations become much more attractive to targets from the moment they appear in the headlines. That is why it is fairly common for organizations to get critically hit again within short timeframes from previous attacks,” Semperis Director of Security Research Yossi Rachman told SC Media.

Also on Tuesday, the U.S. House Committee on Energy and Commerce’s Health Subcommittee held a hearing on “Examining Health Sector Security in the Wake of the Change Healthcare Attack.”  Witnesses testifying at the hearing included Robert Sheldon, senior director of public policy and strategy at CrowdStrike, as well as health organization directors and an orthopedic surgeon.

During the hearing, Congress members questioned witnesses about the continued, resounding impact of the attack on the U.S. healthcare system and potential strategies for preventing future attacks, while some also called for more federal support for healthcare cybersecurity.

Some lawmakers criticized Change Healthcare for its response to the attack, and for not making a representative available to be questioned at the hearing.

“[UnitedHealth Group] have a critical perspective and insights into the existing vulnerabilities of our healthcare system and they could also answer some lingering questions as we continue to hear from providers as their response to the attack continues,” stated Rep. Frank Pallone, D-N.J., in his remarks during the hearing. “[…] We need answers from the company because Change Healthcare’s platforms touch an estimated 1 in 3 U.S. patient records, and the attack has impacted 94% of hospitals nationwide.”

Possible victims of the Change Healthcare attack who believe their personal data may be leaked should be prepared to defend themselves against potential identity theft and other forms of fraud in the case that RansomHub sells the data to the highest bidder, Keeper Security Vice President of Security & Architecture Patrick Tiquet told SC Media. Tiquet also says victims should start changing their account passwords and consider using dark web tracking services to determine whether their info has been compromised.  

“As ransomware and other extortion schemes continue to evolve and diversify, more malicious actors potentially have access to stolen data. This makes the likelihood of multiple extortions even higher, as well as the odds of stolen data being sold,” added Nick Tausek, lead security automation architect at Swimlane, in comments to SC Media. “[…] This type of multiple extortion by various groups is bound to grow in frequency as options like ransomware-as-a-service become more common and more malicious actors have access to data from an attack.”