Share this article on:
A second ransomware group is threatening to publish data belonging to UnitedHealth that it says was obtained from the same attack that has long been attributed to ALPHV.
As observed by Cyber Daily, RansomHub listed UnitedHealth subsidiary Change Healthcare on its dark web leak site, explaining that it was in possession of four terabytes of company data.
“ALPHV stole the ransom payment (22 million USD) that Change Healthcare and UnitedHealth payed in order to restore their systems and prevent the data leak,” it said.
“HOWEVER we have the data and not ALPHV.”
For context, ALPHV took responsibility for the Change Healthcare attack when it happened and was then paid US$22 million by UnitedHealth in ransom payments. However, instead of restoring systems, ALPHV pocketed the money, and the affiliate that launched the attack was left without any money, meaning UnitedHealth’s systems remained encrypted, and stolen data was not destroyed.
RansomHub said the four terabytes of data it has contains highly sensitive information related to “Change Healthcare clients that have sensitive data being processed by the company”, such as:
Within the data, stolen information includes medical records, dental records, payment information, claims information, over 3,000 source code files for Change Health solutions, insurance records, the personally identifiable information of both patients and active US military and navy personnel such as phone numbers, addresses, social security numbers, emails and much more.
“Change Healthcare and UnitedHealth, you have one chance in protecting your clients data,” added RansomHub.
“The data has not been leaked anywhere and any decent threat intelligence would confirm that the data has not been shared nor posted.
“In the event you fail to reach a deal, the data will be up for sale to the highest bidder here.”
It is currently unclear as to how RansomHub obtained the data from the now-defunct ALPHV or its affiliate.
While unconfirmed, it could be that the affiliate, Notchy, went to RansomHub with the stolen data and utilised the group for negotiation purposes, seeing as they were unable to attain ransom funds through ALPHV. This is pure speculation and is completely unverified.
Notchy’s identity has been questioned since the UnitedHealth incident, with some theorising that they are Chinese state-sponsored hacker.
UnitedHealth first identified the hacker behind the attack as being a state-sponsored actor before ALPHV demanded credit for the breach. Additionally, Menlo Security said it has discovered evidence that the responsible affiliate, “Notchy”, has ties to the Chinese government.
“The team has uncovered evidence that points to Notchy possibly being tied to China and this being a state-sponsored attack, and that Notchy possibly used SmartScreen Killer and/or the latest version of Cobalt Strike in their attack against Change Healthcare,” it said.
Additionally, the US State Department is now offering a US$10 million reward for information on ALPHV, specifically “information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA)”, according to a State Department press release.