When the payment processor Change Healthcare was breached in a ransomware attack last month as part of an incident that crippled parts of the U.S. health care system, the group that claimed responsibility said it had stolen some 6 terabytes of data.
Now, a data extortion site is giving Change Healthcare until April 20 to buy the majority of that data before it’s sold to the highest bidder.
The operators of RansomHub, a site on the dark web used to auction off previously stolen data or conduct new ransomware attacks, posted a notice on Sunday saying they were in possession of “over 4 TB of highly selective data” that came from the Feb. 21 attack on Change Healthcare.
The ransomware group known as ALPHV or BlackCat claimed responsibility for the attack on Change Healthcare. The attack appears to have been carried out by an ALPHV associate known as “notchy,” with the understanding that the two entities would split the proceeds of any ransom paid. But after Change Healthcare’s parent company apparently paid a $22 million ransom, notchy claimed that ALPHV took that money and disappeared, scamming notchy out of their share.
CyberScoop reported last week that researchers with the blockchain intelligence firm TRM Labs observed the $22 million being moved around over the course of March and into early April, showing signs that the money was being laundered. Researchers note that 4 terabytes of data that notchy claimed to have been in possession of remains an untapped asset after the group was apparently stiffed of its share of the ransom.
Sunday’s message posted to RansomHub addressed Change Healthcare and UnitedHealth Group, its parent company, directly. “You have one chance in protecting your clients data,” the message reads, noting that the data has not yet been posted or shared anywhere else. “In the event you fail to reach a deal the data will be up for sale to the highest bidder here.”
A representative for UnitedHealth Group did not respond to a question about the threat.
When asked for proof that the site is actually in possession of Change Healthcare data, a representative for RansomHub told CyberScoop to “keep [paying] attention to our blog.” That representative did not address whether the site had yet been in contact with UnitedHealth Group.
ALPHV claimed to have 6 terabytes of Change Healthcare data in a message posted briefly to its website in the days after the Change Healthcare attack. Notchy never claimed to have anything other than 4 terabytes. The difference between the two figures has never been explained.
A user going by the name “koley” launched RansomHub in early February on the RAMP cybercrime forum, researchers with cybersecurity firm KELA told CyberScoop on Tuesday. The site claimed to be “the next generation of ransomware” and offered affiliates a fixed 10% split of proceeds.
The site, which has claimed 31 victims on its blog, not including Change Healthcare, also included rules such as prohibiting attacks on the Russian-aligned Commonwealth of Independent States countries, as well as Cuba, North Korea, China and Romania. Other rules included no repeated attacks on the same target, that affiliates must fulfill the terms of agreements made with victims and a prohibition on attacks against nonprofit organizations.
“Our team members are from different countries and we are not interested in anything else, we are only interested in dollars,” a message posted to the group’s website reads.
In a conversation with notchy on the RAMP forum last month, Koley speculated that perhaps ALPHV was “planning to end with fraud” after getting “hacked” by the FBI in December 2023, according to a copy of the exchange captured by KELA. The FBI conducted a partial disruption of ALPHV’s site in December, but ALPHV managed to pull some of it back online and carry on operations.
“Save your evidence,” koley said, adding that ALPHV’s decision to take the money and run would hurt his reputation in the criminal underground. “If he does not pay you, I believe many people will leave him. He will lost more than 22M $. If he still has the dignity of a man he should return it to you at least or give you part of it.”
In a message Monday to VX-Underground, an online repository of malware and analysis, the RansomHub representative said that “many” ALPHV affiliates “are actively joining us.”
