BlackCat Confirmed As Pwning UnitedHealth’s Tech Unit
A Reuters report that has come across my radar details that UnitedHealth’s tech unit, Change Healthcare, has been pwned by the BlackCat ransomware group, and the company has now confirmed it. That effectively confirms a story I wrote recently. From the Reuters report:
UnitedHealth Group said on Thursday the cyberattack at its tech unit, Change Healthcare, was perpetrated by hackers who identified themselves as the “Blackcat” ransomware group.
The statement confirms a Reuters report on Monday. UnitedHealth had initially blamed a “suspected nation-state associated cybersecurity threat actor” for the disruption.
The hack, disclosed last Wednesday, has had a knock-on effect on players across the U.S. healthcare system, as disruptions triggered by the attack have impacted electronic pharmacy refills and insurance transactions.
The company said its experts were working with law enforcement authorities and third-party consultants to gauge the impact on its customers and patients.
“We are working on multiple approaches to restore the impacted environment and continue to be proactive and aggressive with all our systems, and if we suspect any issue with the system, we will immediately take action,” UnitedHealth said.
In a message posted on its darknet site, which was quickly deleted, the group known as “Blackcat” or “ALPHV” said on Wednesday it stole millions of sensitive records, including medical insurance and health data, from the company.
I have two comments on this story. Starting with Nic Finn, Senior Threat Intelligence Consultant at GuidePoint Security:
Following December’s law enforcement disruption of their data leak site, Alphv, also known as BlackCat, has vowed increasingly aggressive actions and removed ostensible restrictions on targeting critical infrastructure and healthcare.
While Alphv may have notionally prohibited targeting such organizations in the past, the group has been actively attacking healthcare organizations for a while now, with several large healthcare providers and networks impacted in 2023. Of the attacks impacting healthcare we observed in 2023, Alphv was responsible for nearly 10%, second only to LockBit.
While we have seen several healthcare organizations impacted by Alphv in 2024, it remains to be seen whether this is an intentional increase representative of deliberate targeting or just continued operations as usual, pursuing vulnerable targets of opportunity and exploiting frequent weaknesses in health organization networks. Healthcare organizations make attractive targets for ransomware groups due to the sensitivity and value of Personally Identifiable Information and Protected Health Information, which both increase extortive leverage over victims and the value of data for sale to other actors should the victim not pay.
More than perhaps any other group, Alphv has exhibited a particularly aggressive approach to public statements, routinely ridiculing victims and their associated incident responders and calling out alleged security shortcomings, which is likely intended as much as a coercive lever and ‘final warning’ to the victims as it is a signal to future victims of the consequences of non-compliance.
The next comment is from Scott Small, Director of Cyber Threat Intelligence at Tidal Cyber:
The BlackCat group claimed Change Healthcare as a victim, and the company confirmed that cybercriminal actors are behind a recent cybersecurity incident, changing course from a previous statement that blamed nation-state hackers for the attack.
U.S. authorities announced they disrupted BlackCat’s operations late last year, but the group has recently returned to claiming attacks against new victims. A confirmed attack against a major healthcare organization would be the strongest indication that the ransomware group has resumed its activities.
BlackCat was the second most active ransomware gang in terms of claimed victims last year, threatening organizations in virtually every primary sector. December’s disruption operation may have temporarily or partially changed the group’s operational ability, but defenders across the community should note a confirmed return.
This continues a troubling trend of healthcare organizations being pwned in cyberattacks because they are low-hanging fruit for threat actors. This needs to change, and it needs to change now.
This entry was posted on February 29, 2024 at 12:58 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.