The ransomware attack targeting medical firm Change Healthcare has been one of the most disruptive in years, crippling pharmacies across the US—including those in hospitals—and leading to serious snags in the delivery of prescription drugs nationwide for 10 days and counting. Now, a dispute within the criminal underground has revealed a new development in that unfolding debacle: One of the partners of the hackers behind the attack points out that those hackers, a group known as AlphV or BlackCat, received a $22 million transaction that looks very much like a large ransom payment.
On March 1, a Bitcoin address connected to AlphV received 350 bitcoins in a single transaction, or close to $22 million based on exchange rates at the time. Then, two days later, someone describing themselves as an affiliate of AlphV—one of the hackers who work with the group to penetrate victim networks—posted to the cybercriminal underground forum RAMP that AlphV had cheated them out of their share of the Change Healthcare ransom, pointing to the publicly visible $22 million transaction on Bitcoin's blockchain as proof.
That suggests, according to Dmitry Smilyanets, the researcher for security firm Recorded Future who first spotted the post, that Change Healthcare has likely paid AlphV's ransom. “You can see the number of coins that landed there. You don’t see that kind of transaction so often,” Smilyanets says. “There’s proof of a large amount landing in the AlphV-controlled Bitcoin wallet. And this affiliate connects this address to the attack on Change Healthcare. So it’s likely that the victim paid the ransom.”
A spokesperson for Change Healthcare, which is owned by UnitedHealth Group, declined to answer whether it had paid a ransom to AlphV, telling WIRED only that “we are focused on the investigation right now.”
Both Recorded Future and TRM Labs, a blockchain analysis firm, connect the Bitcoin address that received the $22 million payment to the AlphV hackers. TRM Labs says it can link the address to payments from two other AlphV victims in January.
If Change Healthcare did pay a $22 million ransom, it would not only represent a huge payday for AlphV, but also a dangerous precedent for the health care industry, argues Brett Callow, a ransomware-focused researcher with security firm Emsisoft. Every ransomware payment, he says, both funds future attacks by the group responsible and suggests to other ransomware predators that they should try the same playbook—in this case, attacking health care services that patients depend on.
“If Change did pay, it's problematic,” says Callow. “It highlights the profitability of attacks on the health care sector. Ransomware gangs are nothing if not predictable: If they find a particular sector to be lucrative, they’ll attack it over and over again, rinse and repeat.”
The self-described AlphV affiliate who first posted evidence of the payment on RAMP, and who goes by the name “notchy,” complained that AlphV had apparently collected the $22 million ransom from Change Healthcare and then kept the entire sum, rather than share the profits with their hacking partner as they had allegedly agreed. “Be careful everyone and stop deal with ALPHV," notchy wrote.
That affiliate hacker also wrote that in their penetration of Change Healthcare's network, they had accessed the data of numerous other health care firms partnered with the company. If that claim is accurate, Recorded Future's Smilyanets points out, it creates the additional risk that the affiliate hacker still possesses sensitive medical information. Even if Change Healthcare did pay AlphV, the hacker affiliate could still demand additional payment or leak the data independently.
“The affiliates still have this data, and they’re mad they didn’t receive this money,” says Smilyanets. “It’s a good lesson for everyone. You cannot trust criminals; their word is worth nothing.”
As ransomware payments go, $22 million would represent a remarkably profitable score for AlphV. Only a relatively small number of ransoms in the history of ransomware, such as the $40 million payment made by the financial firm CNA to the hackers known as Evil Corp, have been so large, says Emsisoft's Callow. “It’s not without precedent, but it’s certainly very unusual,” he says.
Regardless of whether Change Healthcare is confirmed to have paid that ransom, the attack shows that AlphV has pulled off a disturbing comeback: In December, it was the target of an FBI operation that seized its dark web sites and released decryption keys that foiled its attacks on hundreds of victims. Just two months later, it carried out the cyberattack that paralyzed Change Healthcare, triggering an outage whose effects on pharmacies and their patients have now stretched well beyond a week. As of last Tuesday, AlphV listed 28 companies on the dark web site it uses to extort its victims, not including Change Healthcare.
That site has now gone offline. As of Tuesday morning, it displayed what appeared to be a law enforcement seizure notice, but security researcher Fabian Wosar points out that the notice seems to have been copied from AlphV's last takedown. The reason for the group's disappearance—whether due to another law enforcement operation or AlphV's attempts to dodge its own cheated affiliates—is unclear. Ransomware trackers say AlphV has disappeared and rebranded several times before. Earlier incarnations under the name BlackCat, BlackMatter, and Darkside were all more or less the same group, security researchers note.
In fact, the hackers working under that Darkside handle were responsible for the 2021 Colonial Pipeline ransomware attack that triggered the shutdown of gas transportation across the Eastern Seaboard of the US and resulted in a brief fuel shortage in some East Coast cities. In that case, too, the victims paid the hackers' ransom. “It was the hardest decision I've made,” Colonial's CEO Joseph Blount later told a US congressional hearing.
Now, it seems, some of the same hackers may have forced yet another company to make that same hard decision.
Update 3/4/2024, 1:50 pm EST: Included additional contextual details about AlphV and related ransomware attacks.
Updated 3/5/2024, 10:30 am EST to note that AlphV's dark web site now displays what appears to be a law enforcement takedown message.
