ALPHV/BlackCat, the gang behind the Change Healthcare cyberattack, has received more than $22 million in Bitcoin in what might be a ransomware payment.
Dmitry Smilyanets, an intelligence analyst at infosec outfit Recorded Future, spotted that a Bitcoin wallet believed to be linked to ALPHV had received 350 Bitcoins, right now worth at least $22 million, in a single transaction on March 1.
Change’s parent UnitedHealth Group declined to answer The Register’s specific questions, including whether it paid off the ransomware gang. “We are focused on the investigation,” spokesperson Tyler Mason told The Register on Monday.
Change Healthcare provides IT services to more than 70,000 American pharmacies and hospitals, which use the supplier’s technologies to process insurance claims and complete prescription orders, among other things.
The org was hit with BlackCat ransomware late last month, causing systems to be taken offline, which in turn disrupted prescriptions and other services at thousands of locations across the US, including pharmacies run by CVS and Walgreens.
It also appears ALPHV may have stolen the $22 million from its affiliate crew that attacked the healthcare IT provider in the first place. Gangs like the Russian-speaking ALPHV effectively rent out their ransomware to affiliates, who do the actual job of infecting victims and take a cut of any money paid to the malware’s developers.
In a subsequent report, Recorded Future’s Smilyanets shared a screenshot of a post on ALPHV’s forum, purportedly written by the affiliate that broke into Change’s network, deployed the BlackCat ransomware, and allegedly stole massive amounts of sensitive data.
According to the affiliate’s post, after receiving the payment, ALPHV then suspended their account, “emptied the wallet and took all the money.”
The affiliates claim to still have 4TB of “critical data” nabbed from Change and its partners, including Medicare and Tricare, CVS-CareMark, Health Net, Metlife, and Teachers Health Trust. According to the crooks, Change is worried the data will be leaked.
We should also note that this is a drop from the original 6TB the miscreants claimed to have exfiltrated from the compromised Change Healthcare IT environment.
Plus, the affiliates issued their own warning about working with ALPHV crooks: “Be careful everyone and stop deal[ing] with ALPHV.”
While it’s probably too soon for the Change Healthcare folks, we hope someone out there appreciates the irony in this. ®