Written by: Arti Ghargi
March 6, 2024
Two weeks after a major cyberattack on Change Healthcare crippled health systems in the US, multiple reports suggest that a ransom of $22 million was paid to the hacker group BlackCat.
Reportedly, the payment was made in cryptocurrency in exchange for regaining access to its systems and data.
The cybercriminal group, also known as ALPHV, had claimed responsibility for the ransomware attack against Change Healthcare.
It also claimed to have stolen six terabytes of data from Change Healthcare systems, including patients' medical data and social security numbers. Further, it had threatened to leak the data if the ransom was not paid.
According to KrebsOnSecurity, a post on RAMP, a Russian-language online forum popular with hackers, claimed that Change Healthcare had paid a $22 million ransom for a decryption key to regain access to its data.
Several security researchers took to social media to share evidence of the alleged transaction. A cryptocurrency account that was already mapped to the BlackCat group received a single transaction worth approximately $22 million on March 1, KrebsOnSecurity reported.
Both UnitedHealthcare and BlackCat have remained tight-lipped on the claims of payment of a $22 million ransom. However, Change Healthcare has responded to media queries from several outlets, saying that it is focused on the investigation and the restoration of its services.
After the post went online on the forum, it was reported that BlackCat had shut down its servers and ransomware sites.
Reportedly, the website now features seizure notices by the feds.
However, researchers believe BlackCat might have done this to avoid paying commissions to its affiliates who carried out the ransomware attack on Change Healthcare.
Ransomware groups often employ freelance affiliates to carry out large-scale cybersecurity attacks. These affiliates are then paid a pre-determined percentage of the ransom as a commission. The commission can range from 60% to 90%.
The post on RAMP, made by one such disgruntled affiliate, claims that even though Change Healthcare has paid a ransom to BlackCat, the data is still with the affiliates who helped carry out the attack.
Meanwhile, the cyberattack on Change Healthcare's systems and the resulting outage of services have created multiple challenges for its clients, including healthcare systems, pharmacies, and even individual healthcare providers.
The cybersecurity assault on Change Healthcare, a unit of UnitedHealth Group’s Optum subsidiary, was discovered on February 21.
The cyberattack has primarily affected the following areas:
· Prior authorizations for pharmaceuticals, procedures, and surgeries
· Insurance verification for inpatient stays
· Precise cost estimates for patients
· Patient billing
Hospitals are having issues with processing claims, billing patients, and checking insurance coverage for care. It said the attack also could affect the ability to pay workers and buy medicine and supplies.
The attack led to delays in the delivery of prescription drugs and prevented some US-based pharmacies, hospitals, and other healthcare facilities from processing claims and receiving payments.
The American Medical Association on Monday asked the Biden administration to make emergency funds available to physicians hurt by the outage. The FBI has taken up the matter and is now actively investigating the attack.