Change Healthcare is Facing Another Ransomware Threat – and it Looks Credible

For months, Change Healthcare has been dealing with an extremely chaotic ransomware debacle that has left hundreds of pharmacies and doctors' offices across the United States unable to process claims. Things may have just gotten a lot more chaotic, thanks to an apparent dispute within the criminal ransomware ecosystem.

Last month, the ransomware group AlphV, which had claimed to have encrypted Change Healthcare's network and threatened to expose reams of the company's sensitive healthcare data, received a $22 million payment, publicly visible on the Bitcoin blockchain, which was captured as evidence that Change Healthcare had most likely given in to its tormentors' ransom demands, although the company has not yet confirmed payment. But in a new definition of a worst-case ransomware scenario, a different ransomware group now claims to be in possession of Change Healthcare's stolen data and is demanding its own payment.

Since Monday, RansomHub, a relatively new ransomware group, has posted on its dark web site that it has four terabytes of Change Healthcare's stolen data and has threatened to sell it to the "highest bidder" unless Change Healthcare pays an unspecified ransom. RansomHub tells WIRED that it is not affiliated with AlphV and "cannot say" how much it is demanding in ransom.

RansomHub initially refused to publish or provide WIRED with sample data from this stolen trove to prove its claim. But on Friday, a representative for the group sent WIRED several screenshots of what appeared to be patient records and a data sharing agreement for United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and later adopted its name.

While WIRED was unable to fully confirm RansomHub's claims, the samples suggest that this second extortion attempt against Change Healthcare may be more than an empty threat. "For anyone who doubts that we have the data, and for anyone who speculates about the criticality and sensitivity of the data, the images should be enough to show the scale and importance of the situation and to clarify the unrealistic and childish theories," the RansomHub contact explains to WIRED in an email.

Change Healthcare did not immediately respond to WIRED’s request for comment on RansomHub’s extortion claim.

Brett Callow, a ransomware analyst at security firm Emsisoft, said he believes AlphV did not initially release data on the incident, and that the origin of RansomHub's data is unclear. "I obviously don't know if the data is real – it could come from somewhere else – but I also don't see anything to suggest that it might not be authentic," he says of the data shared by RansomHub.

Jon DiMaggio, chief security strategist at threat intelligence firm Analyst1, says he believes RansomHub is "telling the truth and has Change HealthCare's data" after reviewing the information sent to WIRED. While RansomHub is a new ransomware threat actor, it is quickly "gaining momentum," according to DiMaggio.

If RansomHub's claims are true, Change Healthcare's already disastrous ransomware situation has become something of a cautionary tale about the dangers of trusting ransomware groups to keep their promises after a ransom is paid. In March, someone calling himself "notchy" posted on a Russian cybercrime forum that AlphV had pocketed the $22 million payment and disappeared without sharing any commission with the "savvy" hackers that ransomware groups usually work with, and who often penetrate victims' networks on their behalf.
