AlphV’s Hit On Change Healthcare Strikes A Sour Note For Defenders

The damage ransomware operators inflict on critical infrastructure is on full display in the healthcare sector as Change Healthcare continues efforts to recover from a cyberattack that’s impacting services industrywide.

UnitedHealth Group said its healthcare IT platform, which connects hospitals and pharmacies with insurance providers, has been largely non-operational since the AlphV ransomware group intruded the company’s IT systems two weeks ago. UnitedHealth Group acquired Change for $13 billion in late 2022.

“It’s possibly the worst attack on U.S. infrastructure to date,” said Brett Callow, threat analyst at Emsisoft. “This affects the healthcare system at large. It’s a national problem whereas most incidents are localized.”

With Change’s systems down, health providers are unable to verify patients’ insurance coverage, process claims, provide cost estimates or receive payment from some payers.

Change’s recovery efforts remain underway. The company stood up and enabled a new instance of its Rx ePrescribing service for customers on Friday, but Change’s Clinical Exchange ePrescribing providers’ tools are still not operational, a company spokesperson said Friday.

“Our experts are working to address the matter, and we are working closely with law enforcement and leading third-party consultants Mandiant and Palo Alto Networks on this attack against Change Healthcare’s systems,” UnitedHealth Group said in a Friday update. 

With industrywide disruptions approaching the two-week mark, the White House’s National Security Council is considering how it can provide financial relief to hospitals that have been unable to process claims, Politico reported Sunday.

American Hospital Association President and CEO Rick Pollack described the cyberattack against Change as “the most serious incident of its kind leveled against a U.S. healthcare organization.”

Change “processes 15 billion healthcare transactions annually and touches 1 in every 3 patient records,” Pollack said Thursday in a statement.

Sector rife with ransomware

The devastation caused by the attack against Change are especially pronounced in an industry rife with ransomware attacks. To date, at least five hospital systems with 49 hospitals between them have been impacted by ransomware attacks this year, according to Callow.

AlphV’s involvement is a particularly sour development after a law enforcement action in December shut down the infrastructure of the ransomware group, also known as BlackCat.

Following the takedown, it emerged within hours and remained active, targeting and threatening new victims ever since.

The FBI on Friday said it’s aware of the ongoing incident impacting Change and is engaged with the Cybersecurity and Infrastructure Security Agency, the Department of Health and Human Services and other partners who are providing assistance. The agency declined to comment on anything related to AlphV.

AlphV is notorious for the scope of its reach, its high-profile victims, and the nearly $300 million in ransom payments it received as of September. AlphV is the second-most prolific ransomware as a service group in the world, according to the FBI and CISA.

LockBit, another ransomware as a service group that reestablished operations within days of a global law enforcement effort dismantled the group’s infrastructure, remains the most prolific criminal group in the field.

AlphV ramps up pressure on Change

AlphV listed Change on its data leak site on Thursday, the week following the initial attack, and claimed it stole more than 6 terabytes of data impacting multiple high-profile partners in the sector, according to activity observed and shared by threat hunters.

UnitedHealth Group declined to answer questions about how AlphV intruded Change’s systems, if the group made an extortion demand and how the company intends to respond. UnitedHealth Group said it detected unauthorized activity on its systems Feb. 21.

The impact of the attack against Change is more intense because AlphV hit a widely used tech vendor that’s intertwined throughout the healthcare industry. Much like the spree of exploits against the MOVEit file-transfer service last year, the knock-on attacks made possible by the initial intrusion are even more damaging.

“You have these somewhat obscure organizations that taking them out has a massive impact,” Callow said.

Yet, the recent disruption effort against AlphV wasn’t pointless, according to cybersecurity experts.

Law enforcement actions also gather intelligence on the criminals and their operations, which is used to bolster countermeasures against them, if they regroup, and others who remain active, Christopher Budd, director of Sophos X-Ops Threat Research, said via email.

“These criminals regroup, we know that and expect it. No one operation is going to make this problem stop: Cybercrime is crime, and it’s important to hold the same perspective on cybercriminals that we hold on traditional crooks,” Budd said.

Law enforcement disruptions act as a speed bump — useful and necessary to slow things down, but not enough to halt ransomware activity, according to Callow.

AlphV’s hit against Change and its seemingly undeterred power and capabilities underscores that.

“What has been done to date is not enough,” Callow said. “The ransomware problem is as bad now as it has ever been and I believe we desperately need to try new things.”