The ALPHV (BlackCat) affiliate behind the Change Healthcare ransomware attack may be a Chinese state-sponsored threat actor, according to new reports.
Research conducted by browser security organisation Menlo Security has analysed both ALPHV and its affiliate, “Notchy”, responsible for the Change Healthcare saga. The company claims to have uncovered evidence suggesting possible ties between the affiliate and the Chinese state.
This is a major accusation, suggesting that a Chinese government-connected entity launched an attack on one of the largest healthcare organisations in the US, yet despite this, Menlo Security is keeping its supposed evidence close to its chest.
“The research team has dug deeper into both BlackCat and its affiliate known as Notchy, who was responsible for the attack, and compiled a detailed timeline of recent activity on the dark web,” said a PR spokesperson in contact with Cyber Daily.
“Additionally, the team has uncovered evidence that points to Notchy possibly being tied to China and this being a state-sponsored attack, and that Notchy possibly used SmartScreen Killer and/or the latest version of Cobalt Strike in their attack against Change Healthcare.”
While the blog post made by Menlo Security also fails to detail exactly what evidence suggests Notchy is a Chinese state-sponsored actor, Menlo Security cyber security expert Ngoc Bui told Cyber Daily that Change Healthcare’s initial assessment of a state-sponsored actor may have been accurate.
“We assess that it is highly likely that Notchy is affiliated with a Chinese state-sponsored group. This belief is substantiated by two key pieces of evidence,” wrote Ngoc Bui.
“Firstly, UnitedHealth Group, including Change Healthcare, has reported a breach by what they ‘suspect to be a nation-state-associated cyber security threat actor.’
“Secondly, credible intelligence from a HUMINT source with firsthand knowledge of the situation supports this assessment.
“Due to the sensitive nature of this information and possible LAE investigations, we are currently unable to disclose further details at this time.”
The blog post adds that the accusations made by Menlo Security need additional information to verify their accuracy.
“The situation surrounding Change Healthcare has seen a significant shift, with the emerging BlackCat ransomware group scandal and suggestions of involvement by Chinese state-sponsored entities,” it said.
“However, these allegations of Chinese state-sponsored associations lack validation, and we are closely monitoring developments.
“While it’s plausible that the purported BlackCat affiliate is associated with a Chinese nation-state operation, arriving at a definitive conclusion necessitates substantial evidence from credible sources.”
Analysis of Notchy and ALPHV comes as the ransomware gang has reportedly faked a law enforcement seizure after pocketing $22 million in ransom payments generated by the Change Healthcare attack, a payment that was supposed to be passed on to Notchy.
“We are affiliate plus who has been work with ALPHV for long time and on 1st of March 2024 the victim Change Healthcare – OPTUM paid ALPHV 22M as ransom to prevent data leakage and [to access a] decryption key,” wrote Notchy.
“But after receiving the payment ALPHV team decide to suspend our account and kee[p] lying and delaying when we contacted ALPHV admin on TOX.
“He kept saying they are waiting for chief admin and the coder until today [when] they emptied the wallet and took all the money.”
ALPHV responded, saying it was throwing in the towel for good and that law enforcement was to blame. It also said it was selling its malware source code for $5 million.
“We decided to completely close the project, we can officially declare that the feds screwed us over,” it said in an email responding to the affected affiliate, who outed it for stealing $22 million.
“The source code will be sold, negotiations are already underway on this matter.”
Researchers quickly discovered evidence to suggest the seizure was fake and an exit strategy for the threat group. Additionally, law enforcement agencies listed on the seizure banner now displayed on ALPHV’s dark web leak site have confirmed no involvement.
Notchy has since responded, demanding that the group stop hiding behind a fake seizure and pay up.
“@ransom stop blaming the feds. No one is idiot here to believe what you have said. return what you have stole and be a man with dignity,” Notchy said.