UPDATE: Change Healthcare Incident
Ransomware,Scams
May 2, 2024
The NJCCIC previously reported on the ransomware attack against Change Healthcare, one of the largest healthcare technology companies in the United States. This cyberattack showcases the cascading ramifications of ransomware incidents, including financial impacts and risks of paying ransom demands.
Financial Impacts:
The ransomware attack caused considerable impacts, including disruptions to payment processing, prescription writing, and insurance claims. UnitedHealth, the parent company of Change Healthcare, disclosed that the incident has cost the company approximately $872 million so far. According to the American Hospital Association (AHA), about 94 percent of US hospitals reported damage to cash flow due to the incident, with over 50 percent reporting severe or significant financial damage, largely due to the inability to process claims.
Initial Attack Vector:
In Change Healthcare CEO Andrew Witty’s written testimony for the House Energy and Commerce subcommittee hearing, Witty states that the BlackCat ransomware group breached Change Healthcare’s network via stolen credentials that were used to log into the company’s Citrix remote access service. It is believed that the credentials were obtained via information-stealing malware. The account did not have multi-factor authentication enabled, a security failure at odds with standard industry best practices.
Risks of Paying Ransom Demands:
In early March, Change Healthcare reportedly paid a $22 million ransom demand to the cybercriminals behind the attack; however, the BlackCat ransomware operators failed to pay the ransomware affiliate, known as “Notchy.” The affiliate refused to delete the four terabytes of data they stole from Change Healthcare, which includes personally identifiable information and protected health information. In early April, the cybercriminals threatened to sell or release the data unless an additional ransom payment was made. UnitedHealth was removed from the ransomware group’s leak site, indicating the company may have paid the second ransom demand.
For any further questions, contact us here at Cyber Command.