Yet another hacker group demands ransom from Change Healthcare

Code Skull
(Image credit: Shutterstock)

Change Healthcare’s ransomware fiasco is constantly going from bad to worse, as now a new threat actor has emerged with ransom demands in exchange for the stolen data.

Roughly a month and a half after initially detecting an attack, a different threat actor going by RansomHub is claiming to own the stolen data, and is asking Change Healthcare for more money. If the company doesn’t follow through, it will sell it to the highest bidder.

According to Wired, which saw screenshots of the database, confirming the authenticity of the database is difficult, but it all points to the data being authentic. The RansomHub threat actor is apparently associated with an individual going by “Notchy”, who was the one to originally get duped by ALPHV.

RansomHub emerges

In late February 2024, the firm, arguably one of the biggest health tech companies in the United States, suffered a ransomware attack that sent ripples throughout the industry, as pharmacies and medical practitioners across the country were left unable to process claims.

In the days and weeks to follow, an affiliate of the infamous BlackCat (ALPHV) ransomware-as-a-service operation claimed responsibility for the attack, and demanded $22 million in cryptocurrency, in exchange for the decryption key and for not publishing sensitive data on the dark web.

Change Healthcare seemingly succumbed to the demands, as blockchain analysts soon found a $22 million transaction.

Things quickly turned sour as reports came in that the hackers that broke into Change Healthcare never got the money.

Ransomware-as-a-service works like this: One hacking group develops and maintains an encryptor, and then shares it with other groups, known as affiliates. Those that successfully breach a company and extort money are required to split the funds with the developers. In the case of Change Healthcare, all of the money went to the developers, who took it - and ran. They left a message - “GG” - and shut down the servers. The affiliates were left holding their data - allegedly, 4TB of sensitive customer information - prompting the new change of direction.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.