For months, Change Healthcare has faced an immensely messy ransomware debacle that has left hundreds of pharmacies and medical practices across the United States unable to process claims. Now, thanks to an apparent dispute within the ransomware criminal ecosystem, it may have just become far messier still.
In March, the ransomware group AlphV, which had claimed credit for encrypting Change Healthcareâs network and threatened to leak reams of the companyâs sensitive health care data, received a $22 million paymentâevidence, publicly captured on Bitcoinâs blockchain, that Change Healthcare had very likely caved to its tormentorsâ ransom demand, though the company has yet to confirm that it paid. But in a new definition of a worst-case ransomware, a different ransomware group claims to be holding Change Healthcareâs stolen data and is demanding a payment of their own.
Since Monday, RansomHub, a relatively new ransomware group, has posted to its dark-web site that it has 4 terabytes of Change Healthcareâs stolen data, which it threatened to sell to the âhighest bidderâ if Change Healthcare didnât pay an unspecified ransom. RansomHub tells WIRED it is not affiliated with AlphV and âcanât sayâ how much itâs demanding as a ransom payment.
RansomHub initially declined to publish or provide WIRED any sample data from that stolen trove to prove its claim. But on Friday, a representative for the group sent WIRED several screenshots of what appeared to be patient records and a data-sharing contract for United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and later took its name.
While WIRED could not fully confirm RansomHubâs claims, the samples suggest that this second extortion attempt against Change Healthcare may be more than an empty threat. âFor anyone doubting that we have the data, and to anyone speculating the criticality and the sensitivity of the data, the images should be enough to show the magnitude and importance of the situation and clear the unrealistic and childish theories,â the RansomHub contact tells WIRED in an email.
âWe are working with law enforcement and outside experts to investigate claims posted online to understand the extent of potentially impacted data,â Change Healthcare said in an email to WIRED. âOur investigation remains active and ongoing. There is no evidence of any new cyber incident at Change Healthcare.â
Brett Callow, a ransomware analyst with security firm Emsisoft, says he believes AlphV did not originally publish any data from the incident, and the origin of RansomHubâs data is unclear. âI obviously don’t know whether the data is realâit could have been pulled from elsewhereâbut nor do I see anything that indicates it may not be authentic,â he says of the data shared by RansomHub.
Jon DiMaggio, chief security strategist at threat intelligence firm Analyst1, says he believes RansomHub is âtelling the truth and does have Change HealthCareâs data,â after reviewing the information sent to WIRED. While RansomHub is a new ransomware threat actor, DiMaggio says, they are quickly âgaining momentum.â
If RansomHubâs claims are real, it will mean that Change Healthcareâs already catastrophic ransomware ordeal has become a kind of cautionary tale about the dangers of trusting ransomware groups to follow through on their promises, even after a ransom is paid. In March, someone who goes by the name ânotchyâ posted to a Russian cybercriminal forum that AlphV had pocketed that $22 million payment and disappeared without sharing a commission with the âaffiliateâ hackers who typically partner with ransomware groups and often penetrate victimsâ networks on their behalf.
