That affiliate hacker also wrote that in their penetration of Change Healthcare’s network, they had accessed the data of numerous other health care firms partnered with the company. If that claim is accurate, Recorded Future’s Smilyanets points out, it creates the additional risk that the affiliate hacker still possesses sensitive medical information. Even if Change Healthcare did pay AlphV, the hacker affiliate could still demand additional payment or leak the data independently.
“The affiliates still have this data, and they’re mad they didn’t receive this money,” says Smilyanets. “It’s a good lesson for everyone. You cannot trust criminals; their word is worth nothing.”
As ransomware payments go, $22 million would represent a remarkably profitable score for AlphV. Only a relatively small number of ransoms in the history of ransomware, such as the $40 million payment made by the financial firm CNA to the hackers known as Evil Corp, have been so large, says Emsisoft’s Callow. “It’s not without precedent, but it’s certainly very unusual,” he says.
Regardless of whether Change Healthcare is confirmed to have paid that ransom, the attack shows that AlphV has pulled off a disturbing comeback: In December, it was the target of an FBI operation that seized its dark web sites and released decryption keys that foiled its attacks on hundreds of victims. Just two months later, it carried out the cyberattack that paralyzed Change Healthcare, triggering an outage whose effects on pharmacies and their patients have now stretched well beyond a week. As of last Tuesday, AlphV listed 28 companies on the dark web site it uses to extort its victims, not including Change Healthcare.
That site has now gone offline. As of Tuesday morning, it displayed what appeared to be a law enforcement seizure notice, but security researcher Fabian Wosar points out that the notice seems to have been copied from AlphV’s last takedown. The reason for the group’s disappearance—whether due to another law enforcement operation or AlphV’s attempts to dodge its own cheated affiliates—is unclear. Ransomware trackers say AlphV has disappeared and rebranded several times before. Earlier incarnations under the name BlackCat, BlackMatter, and Darkside were all more or less the same group, security researchers note.
In fact, the hackers working under that Darkside handle were responsible for the 2021 Colonial Pipeline ransomware attack that triggered the shutdown of gas transportation across the Eastern Seaboard of the US and resulted in a brief fuel shortage in some East Coast cities. In that case, too, the victims paid the hackers’ ransom. “It was the hardest decision I’ve made,” Colonial’s CEO Joseph Blount later told a US congressional hearing.
Now, it seems, some of the same hackers may have forced yet another company to make that same hard decision.
Update 3/4/2024, 1:50 pm EST: Included additional contextual details about AlphV and related ransomware attacks.
Updated 3/5/2024, 10:30 am EST to note that AlphV’s dark web site now displays what appears to be a law enforcement takedown message.