Yet another hacker group demands ransom from Change Healthcare

According to Wired, which saw screenshots of the database, confirming the authenticity of the database is difficult, but it all points to the data being authentic. The RansomHub threat actor is apparently associated with an individual going by “Notchy”, who was the one to originally get duped by ALPHV.

RansomHub emerges

In late February 2024, the firm, arguably one of the biggest health tech companies in the United States, suffered a ransomware attack that sent ripples throughout the industry, as pharmacies and medical practitioners across the country were left unable to process claims.

In the days and weeks to follow, an affiliate of the infamous BlackCat (ALPHV) ransomware-as-a-service operation claimed responsibility for the attack, and demanded $22 million in cryptocurrency, in exchange for the decryption key and for not publishing sensitive data on the dark web.

Change Healthcare seemingly succumbed to the demands, as blockchain analysts soon found a $22 million transaction.

Things quickly turned sour as reports came in that the hackers that broke into Change Healthcare never got the money.

Ransomware-as-a-service works like this: One hacking group develops and maintains an encryptor, and then shares it with other groups, known as affiliates. Those that successfully breach a company and extort money are required to split the funds with the developers. In the case of Change Healthcare, all of the money went to the developers, who took it - and ran. They left a message - “GG” - and shut down the servers. The affiliates were left holding their data - allegedly, 4TB of sensitive customer information - prompting the new change of direction.

More from TechRadar Pro

• BlackCat ransomware gang shuts down servers after multi-million dollar UnitedHealth payout — but is this really the end?
• Here's a list of the best firewalls around today
• These are the best endpoint security tools right now