Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Second ransomware group threatens UnitedHealth with data leak

A second ransomware group is threatening to publish data belonging to UnitedHealth that it says was obtained from the same attack that has long been attributed to ALPHV.

user icon Daniel Croft
Tue, 09 Apr 2024
Second ransomware group threatens UnitedHealth with data leak
expand image

As observed by Cyber Daily, RansomHub listed UnitedHealth subsidiary Change Healthcare on its dark web leak site, explaining that it was in possession of four terabytes of company data.

“ALPHV stole the ransom payment (22 million USD) that Change Healthcare and UnitedHealth payed in order to restore their systems and prevent the data leak,” it said.

“HOWEVER we have the data and not ALPHV.”

============
============

For context, ALPHV took responsibility for the Change Healthcare attack when it happened and was then paid US$22 million by UnitedHealth in ransom payments. However, instead of restoring systems, ALPHV pocketed the money, and the affiliate that launched the attack was left without any money, meaning UnitedHealth’s systems remained encrypted, and stolen data was not destroyed.

RansomHub said the four terabytes of data it has contains highly sensitive information related to “Change Healthcare clients that have sensitive data being processed by the company”, such as:

  • Medicare
  • Tricare
  • CVS-Caremark
  • Loomis
  • Davis Vision
  • Health Net
  • MetLife
  • Teachers Health Trust
  • Tens of insurance companies and others

Within the data, stolen information includes medical records, dental records, payment information, claims information, over 3,000 source code files for Change Health solutions, insurance records, the personally identifiable information of both patients and active US military and navy personnel such as phone numbers, addresses, social security numbers, emails and much more.

“Change Healthcare and UnitedHealth, you have one chance in protecting your clients data,” added RansomHub.

“The data has not been leaked anywhere and any decent threat intelligence would confirm that the data has not been shared nor posted.

“In the event you fail to reach a deal, the data will be up for sale to the highest bidder here.”

It is currently unclear as to how RansomHub obtained the data from the now-defunct ALPHV or its affiliate.

While unconfirmed, it could be that the affiliate, Notchy, went to RansomHub with the stolen data and utilised the group for negotiation purposes, seeing as they were unable to attain ransom funds through ALPHV. This is pure speculation and is completely unverified.

Notchy’s identity has been questioned since the UnitedHealth incident, with some theorising that they are Chinese state-sponsored hacker.

UnitedHealth first identified the hacker behind the attack as being a state-sponsored actor before ALPHV demanded credit for the breach. Additionally, Menlo Security said it has discovered evidence that the responsible affiliate, “Notchy”, has ties to the Chinese government.

“The team has uncovered evidence that points to Notchy possibly being tied to China and this being a state-sponsored attack, and that Notchy possibly used SmartScreen Killer and/or the latest version of Cobalt Strike in their attack against Change Healthcare,” it said.

Additionally, the US State Department is now offering a US$10 million reward for information on ALPHV, specifically “information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA)”, according to a State Department press release.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.