UnitedHealth Confirms Last Month’s Ransomware Hack: BlackCat Strike Back


UnitedHealth’s health-tech subsidiary, Change Healthcare, was targeted by a ransomware attack, allegedly orchestrated by the BlackCat/ALPHV ransomware gang, on February 21, 2024, disrupting operations of hospitals and pharmacies across the U.S. The attack has been linked to significant delays in drug prescriptions, with UnitedHealth initially suspecting a nation-state-associated threat, which was later confirmed to be the cybercrime group BlackCat/ALPHV.

Key Insights

  • UnitedHealth’s subsidiary Change Healthcare was hit by a ransomware attack on February 21, 2024.
  • The attack disrupted operations in hospitals and pharmacies throughout the U.S.
  • Change Healthcare is a major processor of prescription medications, handling transactions for over 67,000 pharmacies.
  • It processes approximately 15 billion healthcare transactions annually and holds data for one in three U.S. patient records.
  • The attack is attributed to BlackCat/ALPHV, a group known for targeting U.S. infrastructure that has previously faced FBI takedown actions.
  • The FBI’s takedown of BlackCat/ALPHV’s darknet leak site occurred in December, following the group’s extortion of over 1,000 networks and collection of nearly $300 million in ransoms.
  • After the takedown, BlackCat/ALPHV leaders encouraged affiliates to target healthcare organizations.
  • UnitedHealth initially cited a “suspected nation-state associated cybersecurity threat actor” but later confirmed the attacker as BlackCat/ALPHV.
  • The extent of the stolen data during the attack has not been fully verified.
  • Security experts speculate negotiations might be underway between Change Healthcare and the hackers.

American healthcare group UnitedHealth has confirmed a ransomware attack on its health-tech subsidiary Change Healthcare. The ransomware attack occurred on February 21 and continues to disrupt the daily operations of hospitals and pharmacies throughout the US.

Change Healthcare is one of the United States' largest processors of prescription medications. The UnitedHealth subsidiary handles transactions for more than 67,000 pharmacies across the U.S. healthcare system. The company's platform processes an estimated 15 billion healthcare transactions annually and holds data for approximately one in three U.S. patient records.

The ransomware attack on the medical giant is alleged to have been orchestrated by the BlackCat/ALPHV ransomware gang. BlackCat is one of the most active ransomware groups and has previously targeted U.S. infrastructure.

The cyberattack crippled healthcare providers' software in hospitals and pharmacies throughout the United States, leading to numerous delays in drug prescriptions for thousands of patients.

In December, the BlackCat/ALPHV ransomware group's darknet leak site was seized by the FBI in an international operation. The US Justice Department announced that the ransomware group had compromised over 1,000 computer networks and amassed nearly $300 million in ransom payments.

This week, CISA posted an update about the ransomware group's activities. CISA noted that after the FBI's takedown in December, leaders of the BlackCat group encouraged affiliates to target healthcare organizations.

What We Know About the Incident

The cyberattack began on February 21, 2024, which prompted Change Healthcare to disconnect its systems. Reuters, a news agency, first reported the incident and suspected the BlackCat ransomware gang as the mastermind behind the attack.

In a filing with the SEC, UnitedHealth Group initially blamed a "suspected nation-state associated cybersecurity threat actor" for the disruption. The healthcare company posted a notice informing clients of the disruption, stating that

"Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Networks, on this attack against Change Healthcare's systems."

On Thursday, February 22nd, Tyler Mason, vice president at UnitedHealth, confirmed Reuters' suspicions and stated that "Change Healthcare can confirm we are experiencing a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat."

In a post on the BlackCat/ALPHV dark web leak site, the ransomware group claimed full responsibility for the cyberattack on Change Healthcare. The Russia-based ransomware group said in the post that it "stole millions of sensitive records including medical insurance and health data" from the medical corporation.

Despite the claim made by ALPHV/BlackCat, the extent of the theft could not be verified. The group removed the claim from its dark web leak site shortly after posting it. The reasoning behind the removal remains unclear; however, security experts suggest it may indicate that Change Healthcare has entered into negotiations with the hackers.

It remains unclear how the threat actors gained access to Change Healthcare's systems. BlackCat listed 28 victims on its dark web leak site in February, and Change Healthcare was not among them. The number of recorded victims is a significant drop compared to before the FBI's takedown.

Allan Liska, a ransomware researcher at cybersecurity firm Recorded Future, says, "Because we can't arrest the core operators that are in Russia or in areas that are uncooperative with law enforcement, we can't stop them."

In another incident, the UK's National Crime Agency (NCA) led an international operation against the LockBit ransomware group. The NCA hijacked the group's ransomware infrastructure, seizing several dark web sites and gathering vital information on its operators. However, last week, LockBit struck back by launching a new dark web site with a countdown timer.