In February of this year, Change Healthcare, a subsidiary of UnitedHealth, made headlines when it fell victim to a sophisticated cyber attack, later identified as a variant of ransomware known as ALPHV, whose operators also go by the alias BlackCat ransomware group. The attackers demanded a staggering $22 million to return the stolen data and decrypt the victim database.
UnitedHealth, the parent company, opted to meet the hackers’ demands, paying the hefty sum to safeguard the sensitive patient information from potential sale on the dark web.
However, just when it appeared that the situation had calmed, another group, RansomHUB, emerged and claimed responsibility for a new threat. Demanding $20 million to prevent the public release of the stolen data, RansomHUB has been revealed to be an affiliate of the BlackCat ransomware gang that targeted Change Healthcare’s IT infrastructure through vulnerabilities to steal information.
Despite not receiving 80% of their demanded ransom, RansomHUB is now threatening to leak the data unless UnitedHealth complies with their demands.
Interestingly, the initial $22 million payment to ALPHV did not deter RansomHUB’s extortion efforts. This development raises suspicion among security experts, who speculate that RansomHUB could be a splinter group of ALPHV, aiming to double-dip on ransom payments. Alternatively, they might have gained access to the stolen information independently and are leveraging it for further extortion.
Caught in the middle of this high-stakes cybercrime, Change Healthcare’s IT department is at a loss for how to proceed. Seeking assistance from forensic experts and law enforcement, they are grappling with the complexity of the situation and the threat it poses to their operations and reputation.