Huge US healthcare provider Change Healthcare has a “cybersecurity incident” going on for 15 hours and has shut down systems. https://techcrunch.com/2024/02/21/change-healthcare-cyberattack/
US health tech giant Change Healthcare hit by cyberattack | TechCrunch

A cyberattack is ongoing at Change Healthcare, a health tech giant that claims its technology touches one-in-three U.S. patient records.

TechCrunch
For the first 7 hours they claimed it was just a network issue. Incident tracker: https://status.changehealthcare.com/incidents/hqpjz25fn3n7
Optum Solutions' Status Page - Update: Some applications are experiencing connectivity issues.

As spotted by @zackwhittaker, Change Healthcare outage (still ongoing) is listed as suspected nation state threat actor in their 8-K filing.

In my experience it’s *extremely* rare to isolate the whole production network for nation state and espionage. I don’t know what happened to trigger that here.

It’s over 48 hours since the Change Healthcare outage over a “cyber security issue” began.

I have heard they may have been deliberately wiped.

Reuters reports the Change Healthcare outage, which is still ongoing almost a week later, was not caused by a “nation state” as claimed by the victim - but it’s an AlphV ransomware incident. https://www.reuters.com/technology/cybersecurity/cyber-security-outage-change-healthcare-continues-sixth-straight-day-2024-02-26/

#threatintel

AlphV ransomware group have claimed the ongoing Change Healthcare incident which is causing problems across the US. #threatintel

The Change Healthcare incident is rumbling on. They’ve now acknowledged it is AlphV ransomware group, not a nation state as they prior claimed. https://techcrunch.com/2024/02/29/unitedhealth-change-healthcare-ransomware-alphv-blackcat-pharmacy-outages/

#threatintel

UnitedHealth confirms ransomware gang behind Change Healthcare hack amid ongoing pharmacy outages | TechCrunch

A Russia-based ransomware gang took credit for the ongoing cyberattack at the UnitedHealth Group health tech subsidiary.

TechCrunch

Since the Change Healthcare ransomware incident started several weeks ago, they've had a status page saying the incident will continue for 'the next day'.

Their COO has privately briefed orgs that it will be "weeks" longer.

HT @brett for link

https://www.statnews.com/2024/02/29/change-healthcare-cyber-attack-outage-will-last-for-weeks/

Change Healthcare cyber attack outage could persist for weeks, UnitedHealth Group executive implies

STAT

AlphV ransomware group has received a $22m ransom payment, reportedly from Change Healthcare.

Rumours are AlphV has now scammed the ransomware affiliate and Change Healthcare, by stealing the ransom and exit scamming.

Downstream hospitals say they are losing around $100m a week due to the ongoing service outage.
https://www.wired.com/story/alphv-change-healthcare-ransomware-payment/

Hackers Behind the Change Healthcare Ransomware Attack Just Received a $22 Million Payment

The transaction, visible on Bitcoin's blockchain, suggests the victim of one of the worst ransomware attacks in years may have paid a very large ransom.

WIRED
AlphV’s new portal now says it has been seized by law enforcement - but it’s unclear if that’s actually true or if they’ve rug pulled.

Some good reporting here - the NCA, who are listed on the AlphV portal as being involved in a takedown - say they were not involved in a takedown.

We’ll see what the FBI says, but it looks like AlphV may well have done a rug pull aka exit scam — stole their operator and affiliate’s money and left their victims without decryption.

https://www.reuters.com/technology/cybersecurity/blackcat-ransomware-site-claims-it-was-seized-uk-law-enforcement-denies-being-2024-03-05/

For anybody wondering on the financial impact of the ongoing Change Healthcare ransomware incident (yes, obviously there’s also a big patient impact too):

https://therecord.media/cash-flow-disruptions-hospitals-change-healthcare

The bad news is I think ransomware groups will cause much bigger problems further down the line as they’re basically teenagers with rocket launchers inside critical infrastructure, blindly firing. They know governments worldwide are impotent.

$100 million a day? Cash flow disruptions roil healthcare industry after cyberattack

The economic impact of the Change Healthcare cyberattack continues to come into focus, with experts saying some large industry players — such as hospital and pharmacy networks — are facing disruptions costing upwards of $100 million a day.

Btw if anybody is wondering how Change Healthcare got breached, I have a draft IR report for their incident as somebody put it on a public sandbox - it’s just a standard ransomware incident. EquiLend’s IOCs are also publicly uploaded, same story.

International law enforcement all deny being behind the claimed AlphV takedown. So, exit scam confirmed.

One victim org has reached out to me asking how they contact AlphV as they still need to pay as part of claiming insurance. 💀

https://therecord.media/europol-doj-nca-deny-involvement-in-alphv-blackcat-ransomware-takedown

Europol, DOJ, NCA deny involvement in recent AlphV/BlackCat ‘shutdown’

Several of the law enforcement agencies involved in the takedown of one of the most prolific ransomware groups denied involvement in a new notice posted to the gang’s leak site — adding weight behind rumors from experts and cybercriminals that the group was attempting to carry out an elaborate exit scam.

The Change Healthcare ransomware incident is still going and is having profound implications for people and the healthcare industry across the US.

But for people who think this is an isolated incident, it isn’t - it’s been like this for several years where civil society is gradually being eroded by some gangs of often kids, from schools to councils to public services worldwide (except, er, Russia).

https://prospect.org/health/2024-03-11-change-unitedhealth-ransomware-pharmacies/

‘Return What You Stole and Be a Man With Dignity’

Doctors didn’t think it was possible to loathe the world’s biggest health care profiteer any more. Then came the hack that set half their bookkeeping systems on fire.

The American Prospect
The White House has met with the CEO of Change Healthcare’s parent company, around the ongoing ransomware incident. https://www.reuters.com/world/us/white-house-summons-unitedhealth-ceo-over-hack-washington-post-reports-2024-03-12/

HT to @zackwhittaker, the US department of health has opened an investigation into Change Healthcare around if data exfiltration occurred.

It’s typically very easy to find out if data exfil happened as a third party as you can see large volumes of data transfer to VPS providers or cloud storage providers in ISP logs (which are sold onwards).

The Change Healthcare ransomware situation is still going on, almost a month later, with at least one downstream healthcare provider saying they have run out of money to pay staff. https://www.berkshireeagle.com/news/local/cyberattack-change-healthcare-united-ransomware-medical-insurance-payments-berkshire-allergy-care/article_a5547ef2-e302-11ee-9162-2b0ff10b145f.html

HT @brett

A major cyberattack has caused a Pittsfield medical practice to run out of money. Staff are continuing to treat patients

“After this week’s payroll, we’re going to be broke.” Dr. Thomas B. Edwards of Berkshire Allergy Care on South Street, speaking of the cyberattack that has rattled doctors' offices around

The Berkshire Eagle

One of the largest nursing home operators in the U.S. has filed for bankruptcy citing the ongoing Change Healthcare ransomware incident as a cause.

They also got hit with ransomware themselves a few months prior.

https://www.reuters.com/legal/litigation/nursing-home-co-petersen-files-bankruptcy-after-cyberattacks-2024-03-21/

The US government are offering $10m for information on the AlphV ransomware operator who attacked Change Healthcare https://www.reuters.com/technology/cybersecurity/us-offers-10-million-bounty-info-blackcat-hackers-who-hit-unitedhealth-2024-03-27/

Worth noting that when the incident began, the company involved refused to say #ransomware and instead claimed it was a nation state attack.

Ransomhub #ransomware group are claiming AlphV stole their money for Change Healthcare (this is believed to be true btw), and the operator has given them the data. So now they’re extorting Change Healthcare again. #threatintel

Ransomhub have provided Wired journalists with files from Change Healthcare - meaning they’re being held to ransom again. https://www.wired.com/story/change-healthcare-ransomhub-threat/

#ransomware #threatintel

Change Healthcare Faces Another Ransomware Threat—and It Looks Credible

Change Healthcare ransomware hackers already received a $22 million payment. Now a second group is demanding money, and has sent WIRED samples of what they claim is the company's stolen data.

WIRED
Ransomhub have dumped what they claim is some Change Healthcare sample data on their portal. Includes some patient data. #ransomware #threatintel

Change Healthcare have told investors they have so far taken a $872 million hit in dealing with their ongoing ransomware incident in the first two months, with the cost expected to rise to between $1350m-$1600m through the calendar year.

Shareholders don't appear to care as the stock is up 5% since the update.

https://www.theregister.com/2024/04/16/change_healthcares_ransomware_attack_has/

Change Healthcare’s ransomware attack costs edge toward $1B so far

First glimpse at attack financials reveals huge pain

The Register
A Congress hearing about the Change Healthcare ransomware incident happened today - but nobody from the company bothered to attend. https://therecord.media/ransomware-unitedhealth-costs-billions-still-climbing
Ransomware attack has cost UnitedHealth $872 million; total expected to surpass $1 billion

UnitedHealth Group's earnings call captured the financial fallout from the incident on the same day as a congressional hearing into the cyberattack.

Markets react to UnitedHealth taking a $1600m hit for ongoing ransomware incident at Change Healthcare

Wall Street Journal has a leak from the Change Healthcare ransomware incident

- Initial entry was via a remote access system without MFA
- Dwell time was 9 days
- They paid the ransom, then got held to ransom again and had data leaked anyway

https://www.wsj.com/articles/change-healthcare-hackers-broke-in-nine-days-before-ransomware-attack-7119fdc6

#threatintel #ransomware

UnitedHealth says Change Healthcare ransomware threat actor stole health data on ‘substantial proportion of people in America’

Change Healthcare deal with the healthcare information of around half of Americans. https://techcrunch.com/2024/04/22/unitedhealth-change-healthcare-hackers-substantial-proportion-americans/ #threatintel #ransomware

UnitedHealth says Change hackers stole health data on 'substantial proportion of people in America' | TechCrunch

The health tech giant processes 15 billion health transactions a year, and handles health information for about half of all Americans.

TechCrunch
@GossiTheDog this really screwed over veterans and VA contractors providing medical services to veterans, including small businesses and independent doctors.
@GossiTheDog Sane people saw a senate hearing. The market saw an advertising segment.
@GossiTheDog It's cool that people all over get traumatized by their compliance audits and these assholes just skate by.
@GossiTheDog really puts "there's no such thing as bad publicity" in perspective. also the fact that the stock market is unhinged and completely detached from any notion of being a representation of a business' worth, finances, or operational status.
@GossiTheDog I saw the Sarbanes quote and thought they had angered the SOX gods, but it seems the original was Paul not John
@GossiTheDog If they didn't subpoena anyone they are just going through the motions. Bring on the Hot Seat.

@GossiTheDog
What is the enterprise value of #cybersecurity if it can result in a billion-dollar-plus loss of shareholder value and the market doesn’t blink? 😬

UPDATE: has the market already priced in cyber breaches? 🤨

@GossiTheDog what a staggering amount of money lost and damage done!!
@GossiTheDog The announcement drove the stock price down. That made the stock more attractive, so they bought. Demand up, price up.
@GossiTheDog Nobody ever gets these bounties... They are just for show.

@bontchev @GossiTheDog State Dept paid over $250 million since the program's launch in 1984 according to https://rewardsforjustice.net/about/program-overview/.

I'd be curious how much of it they have paid for info on ransomware gangs.

Program Overview – Rewards For Justice

@GossiTheDog I'm not saying this wasn't part of the cause, but they were hundreds of millions in debt before either of these events happened...
@GossiTheDog @zackwhittaker Sounds right: a slow trickle exfil could be missed easily but gives plenty of opportunity for IoC detection, whereas rapid exfil may be as obvious as the bus in Speed (if anyone is watching).
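Added example (not code from this thread or from any company named in it): a volume-based exfil triage over constructed flow records, covering both the bulk-transfer-to-cloud-storage case described in the post above and the slow-trickle case raised in this reply. The destination classes, thresholds, addresses and record format are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical destination classification (constructed; a real deployment would
# use an ASN/CIDR feed). Addresses come from the RFC 5737 documentation ranges.
DEST_CLASS = {"203.0.113.10": "cloud-storage", "198.51.100.7": "vps",
              "192.0.2.55": "saas-known-good"}
# Constructed flow records: "<ISO timestamp> <src> <dst> <bytes_out>"
SAMPLE_FLOWS = [
    # 10.0.0.5 pushes ~6 GB to cloud storage inside 30 minutes -> burst
    "2024-02-12T01:00:00 10.0.0.5 203.0.113.10 2000000000",
    "2024-02-12T01:10:00 10.0.0.5 203.0.113.10 2000000000",
    "2024-02-12T01:25:00 10.0.0.5 203.0.113.10 2000000000",
    # 10.0.0.9 pushes 2.5 GB a night to a VPS for nine days -> trickle
    *[f"2024-02-{12 + i:02d}T03:00:00 10.0.0.9 198.51.100.7 2500000000"
      for i in range(9)],
    # 10.0.0.12 sends 9 GB to an allow-listed SaaS -> not flagged
    "2024-02-12T04:00:00 10.0.0.12 192.0.2.55 9000000000",
]

def parse_flow(line):
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)

def detect_exfil(lines, burst_bytes=5_000_000_000,
                 burst_window=timedelta(hours=1), trickle_bytes=20_000_000_000):
    """Map each suspicious source to 'burst' (>= burst_bytes to suspect destinations
    inside burst_window) or 'trickle' (cumulative bytes >= trickle_bytes, no burst)."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, nbytes = parse_flow(line)
        if DEST_CLASS.get(dst) in ("cloud-storage", "vps"):
            per_src[src].append((ts, nbytes))
    findings = {}
    for src, flows in per_src.items():
        flows.sort()
        start, window_bytes, burst = 0, 0, False
        for ts, nbytes in flows:  # sliding window over time-ordered flows
            window_bytes += nbytes
            while ts - flows[start][0] > burst_window:
                window_bytes -= flows[start][1]
                start += 1
            if window_bytes >= burst_bytes:
                burst = True
                break
        if burst:
            findings[src] = "burst"
        elif sum(b for _, b in flows) >= trickle_bytes:
            findings[src] = "trickle"
    return findings
```

The trickle rule only fires once enough history is retained, which is the point the reply makes: the burst is obvious immediately, the trickle only in aggregate.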

@GossiTheDog not just the hackers but also the overall march towards centralization that creates these (often obscured) single points of failure.

i'm _almost_ glad this happened because of the potential lessons to be learned. though i'm not actually glad because of the real lives impacted :/

@GossiTheDog That's a great article.

Not mentioned in there, but I wouldn't be surprised if the only things that would have bigger impacts would be a comparable (and comparably handled) hit at Epic.

@GossiTheDog I can't wait to see (read: facilitate) all the lawsuits that get filed over all of my court vulnerabilities.

Also s/o @zackwhittaker for being the first to publish any substantial reporting on both this Change Healthcare stuff and on my stuff.

@GossiTheDog no honour amongst thieves i guess
@GossiTheDog One part I haven't gotten about all this is did they actually unlock the ransomed data? Or did they take the money and run leaving it all still inaccessible? It's possible I may have missed it somewhere.
@GossiTheDog "how do I pay the ransom ?"
@GossiTheDog are you willing to share these on a TLP:RED basis?
@GossiTheDog I would love to read that.
@GossiTheDog I would like to take a look at that report. Do you have a link? Thanks in advance!
@GossiTheDog
Would it be possible to check your Twitter DMs? Thanks!
@GossiTheDog I know I am wondering! If you can find a way to share I would love to learn more!
@GossiTheDog Can you email to me?
@GossiTheDog As it resides in a public place, do all of healthcare a solid Kevin and share the resource please.
@GossiTheDog maybe some teenagers with rocket launchers is what the industry needs to actually lock their shit down
@GossiTheDog Honestly I think that's giving corposcum and feds way too much credit.

If the infrastructure wasn't so laughably fragile you couldn't get it to collapse by giving it a sharp kick.
@GossiTheDog Screw them for paying the ransom. Even though this is personally affecting my wife and me, I can't help but laugh at one criminal group exit scamming the other and seeing the second group whine about it.
@GossiTheDog Disappointing if true. Lots of correlative speculation, but given the ongoing impact I wouldn't be surprised at all if they caved.

@GossiTheDog If the losses are $100m a week, a one-time payment of $22m seems like a good deal.

Now imagine if ransom payments were illegal. Their only choice would be either to break the law or to keep losing $100m a week.

(Also, one ransomware group less is actually good news. It was a very prolific one.)