There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. “ALPHV”) as the company struggles to bring services back online. The cyberattack has disrupted prescription drug services nationwide for weeks. Change Healthcare reportedly paid the group to obtain a decryption key and to have the stolen data destroyed; the affiliate who carried out the intrusion later claimed that the group kept the entire payment and cheated him out of his share.
But what exactly happened in the BlackCat ransomware attack, and how can healthcare companies protect themselves in the future?
Here’s a timeline of what happened, what we know from the media, and what other companies can take away from the incident.
What is affiliate extortion, and how does it work?
According to Impact.com, affiliate marketing is a booming industry worth $17B as of 2023, but in 2020 it was found that nearly 10% of affiliate traffic was fake. Affiliate fraud occurs when scammers use malicious tactics to earn commission payouts from fake marketing programs. Affiliate extortion borrows the same structure: a ransomware operator supplies the malware, the leak site and the negotiation channel, and independent affiliates carry out the actual intrusions in return for a share of each ransom. In the Change Healthcare attack, an affiliate broke in and stole the data, while the BlackCat operators collected the payment and, allegedly, kept the affiliate’s cut for themselves.
- BlackCat is known as a “ransomware-as-a-service” collective
This means the core group relies on freelancers, or affiliates, to break into new networks and deploy the ransomware. Those affiliates, in turn, earn commissions ranging from 60 to 90 percent of any ransom paid. On a ransom as high as $22M, that would mean a payout of at least $13M to the affiliate who did the intrusion.
- Allegedly, BlackCat received a single transaction worth approximately $22 million
KrebsOnSecurity reported that on March 3, 2024, a BlackCat affiliate posted a complaint to an exclusive Russian-language ransomware forum stating that Change Healthcare had paid a $22 million ransom for a decryption key and to prevent four terabytes of stolen data from being published online.
The affiliate claimed that BlackCat/ALPHV took the $22 million payment but never paid him his percentage of the ransom. This has yet to be confirmed. However, cybercrime researchers have linked the wallet that received roughly 350 bitcoin (approximately $22.7 million), later split equally across seven other accounts, to a previous ALPHV/BlackCat operation. Meanwhile, the affiliate’s disclosure may have prompted BlackCat to cease its operations entirely.
- Change Healthcare shut down critical healthcare services as company systems were taken offline.
In the third week of February, Change Healthcare began shutting down essential healthcare systems and taking them offline. It soon emerged that the BlackCat group was behind a ransomware attack that disrupted the delivery of prescription drugs to hospitals and pharmacies nationwide for weeks.
The attackers claimed to have stolen sensitive data belonging to Medicare and a host of other insurance and pharmacy networks. On the bright side, the episode appeared to be the final nail in the coffin for the gang, whose infrastructure had already been infiltrated by the FBI and partner law enforcement agencies in December 2023.
- BlackCat imploded and may have re-formed to increase affiliate commissions to as much as 90%
The ransomware group had lifted its earlier restrictions or discouragement against targeting hospitals and healthcare providers. Following the affiliate’s complaint (the affiliate posted under the handle “Notchy”), a BlackCat representative said the group was shutting down and had already found a buyer for its ransomware source code. The BlackCat website now features an FBI seizure notice, but several researchers noted it was merely copied from the genuine notice posted during the December action. Outlets such as CyberScoop predict that this could instead lead to another rebrand, as the group is believed to have done before when it operated as DarkSide.
Final Thoughts: Could Pindrop have helped to prevent this attack, and how?
In this case, the FBI explained that BlackCat (a.k.a. ALPHV) gained initial access to the targeted systems using compromised user credentials. The Center for Internet Security breaks down BlackCat’s technical details further in its own write-up. Essentially, that foothold let the group disable security features within the victim’s network and then run several batch and PowerShell scripts to carry out the infection.
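The intrusion pattern just described, a logon with stolen credentials followed by PowerShell and batch commands that disable endpoint protection, is something a security operations team can detect from ordinary Windows telemetry. The Python script below is an added example written for this article, not code from Pindrop, the FBI or the Center for Internet Security. Its log lines are constructed; the JSON field names (event_id, logon_type, mfa, cmdline) are a simplified schema that real Security-log (4624/4688) and identity-provider records would have to be mapped onto; and the command-line patterns, the 60-minute window and the per-user trusted-network baseline are illustrative assumptions.

```python
"""Detect the chain described above: a remote logon that used only a password
from an unfamiliar network, followed by PowerShell or batch commands that
disable endpoint protection. Added example; not Pindrop, FBI or CIS code."""
import ipaddress
import json
import re
from datetime import datetime, timedelta

# Constructed sample telemetry, NOT a real capture. Simplified JSON schema:
# 4624 = logon (with an assumed "mfa" flag joined in from the VPN/IdP log),
# 4688 = process creation with its command line.
SAMPLE_LOG = r"""
{"ts":"2024-02-19T02:11:04Z","event_id":4624,"user":"svc_backup","src_ip":"203.0.113.45","logon_type":10,"mfa":false}
{"ts":"2024-02-19T02:13:30Z","event_id":4688,"user":"svc_backup","cmdline":"powershell.exe -nop -w hidden -EncodedCommand UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="}
{"ts":"2024-02-19T02:14:02Z","event_id":4688,"user":"svc_backup","cmdline":"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"}
{"ts":"2024-02-19T02:15:10Z","event_id":4688,"user":"svc_backup","cmdline":"cmd.exe /c C:\\Windows\\Temp\\run.bat"}
{"ts":"2024-02-19T09:00:00Z","event_id":4624,"user":"jdoe","src_ip":"10.20.30.40","logon_type":10,"mfa":true}
{"ts":"2024-02-19T09:05:00Z","event_id":4688,"user":"jdoe","cmdline":"powershell.exe Get-MpComputerStatus"}
{"ts":"2024-02-19T11:00:00Z","event_id":4624,"user":"jdoe","src_ip":"198.51.100.7","logon_type":10,"mfa":false}
"""

# Assumed per-user baseline of networks a remote logon is expected from.
TRUSTED_NETWORKS = {
    "svc_backup": ["10.0.0.0/8"],
    "jdoe": ["10.0.0.0/8", "192.168.1.0/24"],
}
REMOTE_LOGON_TYPES = {3, 10}  # 3 = network, 10 = RemoteInteractive (RDP)

# Illustrative command-line patterns for "disable security features" and for
# the batch/PowerShell scripting stage; tune these to your own environment.
TAMPER_PATTERNS = [
    ("defender_disabled", re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)),
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-Exclusion\w+", re.I)),
    ("encoded_powershell", re.compile(r"-e(?:nc|ncodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("batch_from_temp", re.compile(r"\\Temp\\\S*\.bat\b", re.I)),
]


def parse_events(text):
    """Parse one JSON object per line and return the events in time order."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_suspicious_logon(ev, baseline=TRUSTED_NETWORKS):
    """Remote logon, from outside the user's known networks, with no MFA."""
    if ev.get("event_id") != 4624 or ev.get("logon_type") not in REMOTE_LOGON_TYPES:
        return False
    addr = ipaddress.ip_address(ev["src_ip"])
    trusted = any(addr in ipaddress.ip_network(net) for net in baseline.get(ev["user"], []))
    return not trusted and not ev.get("mfa", False)


def tamper_reason(cmdline):
    """Return the name of the first tampering pattern matched, else None."""
    for name, pattern in TAMPER_PATTERNS:
        if pattern.search(cmdline or ""):
            return name
    return None


def detect(events, baseline=TRUSTED_NETWORKS, window=timedelta(minutes=60)):
    """Emit one alert per suspicious logon; escalate to high severity when the
    same account runs tampering commands within the window afterwards."""
    alerts = []
    for i, ev in enumerate(events):
        if not is_suspicious_logon(ev, baseline):
            continue
        followups = []
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break
            if later.get("user") == ev["user"] and later.get("event_id") == 4688:
                reason = tamper_reason(later.get("cmdline"))
                if reason:
                    followups.append((reason, later["cmdline"]))
        alerts.append({
            "user": ev["user"],
            "src_ip": ev["src_ip"],
            "logon_ts": ev["ts"],
            "severity": "high" if followups else "medium",
            "followups": followups,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, default=str, indent=2))
```

On the constructed data, the svc_backup logon is escalated to a high-severity alert because encoded PowerShell, a Defender real-time-monitoring change and a batch file run from a temp directory all follow it within the window, while the password-only jdoe logon from an unfamiliar network stays at medium because nothing tampering follows it. The `mfa` flag is exactly what a stolen password cannot supply; enforcing MFA on the remote-access path removes the first link of the chain, and where that is not yet possible, flagging remote logons that lack it narrows what the SOC has to chase.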
Multifactor authentication (MFA) makes it significantly harder for cybercriminals, such as those associated with groups like BlackCat, to use a stolen password alone to reach the servers where sensitive data is stored. It is a crucial defense against credentials that are leaked through data breaches and then exploited for account reconnaissance and financial fraud, particularly in contact centers. Through its multifactor fraud detection solutions, Pindrop helps prevent fraudsters from using compromised information to perpetrate fraud, protecting enterprises from this kind of downstream abuse.
What you can do next
By incorporating voice biometrics, fraud detection, and MFA, organizations can significantly reduce their exposure to stolen-credential attacks and the data breaches that follow them, while strengthening customer trust. Schedule a call with one of our cybersecurity experts in the healthcare sector to see how you can safeguard your company from fraud today.