When the cyber crime group BlackCat first hit the health technology and payments processing giant, the effects left patients struggling to get care and health-care providers struggling to stay afloat financially. Change Healthcare reportedly paid off the ransomware attackers in March, but now the company must decide how to respond to claims from another ransomware group, RansomHub, which says it has 4 TB of stolen data, per The Register.
That data allegedly includes personally identifying information on patients and active military personnel, as well as medical and dental records, payments and claims information and source code files for Change Healthcare software solutions, per SC Media.
Researchers have posed several theories on how RansomHub could have gotten this data, if its claims are true.
Some suggest BlackCat may have reformed under a new name and is seeking a second payout. Others suggest that former BlackCat affiliates — stiffed by BlackCat developers on their share of the original extortion — held onto the stolen data and joined up with RansomHub, The Register reports. A conversation posted by a malware resource sharing group, if genuine, adds some weight to the latter theory, per SC Media.
It is also possible that RansomHub compromised Change Healthcare separately. A researcher told SC Media that it is not uncommon for responders to a cyber incident to discover several threat actors inside a victim’s compromised environment.
Records of blockchain transactions linked to BlackCat, as well as claims on criminal forums, suggest Change Healthcare made a $22 million payment to the ransomware gang, although the company has not confirmed this.
BlackCat operated with a ransomware-as-a-service model, in which developers create malicious code and affiliates then gain access to victim networks and deploy that ransomware. If victims pay, developers and affiliates each take cuts of the earnings.
In the case of Change Healthcare, however, BlackCat may have made off with the entirety of the alleged extortion payment. On March 3, a BlackCat affiliate said on a ransomware forum that BlackCat hadn’t paid him his share of the Change Healthcare ransom, per cybersecurity journalist Brian Krebs. The affiliate claimed to still have the stolen data.
BlackCat apparently responded by dissolving.
Taking a broader look, this RansomHub development highlights how difficult the question of whether to pay ransomware actors is. Providers of essential services, like health-care organizations, need to become operational again as fast as possible, but paying doesn’t necessarily resolve the problem and means relying on cyber criminals’ promises to delete data if paid — something that apparently did not happen here, if the claims from RansomHub and the BlackCat affiliate are true.
And the far-reaching impacts of the attack on Change Healthcare don’t only raise questions about cybersecurity postures but also about sector consolidation.
The Rockefeller Institute of Government notes that Change Healthcare has claimed to touch nearly one in every three patients with its products and platforms — which caused a sectorwide effect when it was disrupted. The institute avoided calling for trustbusting but said that policymakers should carefully weigh the risks of another Change Healthcare-style crisis when determining the right level of vertical and horizontal consolidation to permit or encourage.
“In addition to shoring up cybersecurity, it is also worth understanding how much of the health-care industry relies on so few entities for critical services, such as filling prescriptions or processing claims, and the added risk from having these different services consolidated within a firm,” the institute said.