Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Change Healthcare Finally Admits It Paid Ransomware Hackers (wired.com) 29

Andy Greenberg reports via Wired: More than two months after the start of a ransomware debacle whose impact ranks among the worst in the history of cybersecurity, the medical firm Change Healthcare finally confirmed what cybercriminals, security researchers, and Bitcoin's blockchain had already made all too clear: that it did indeed pay a ransom to the hackers who targeted the company in February. And yet, it still faces the risk of losing vast amounts of customers' sensitive medical data. In a statement sent to WIRED and other news outlets on Monday evening, Change Healthcare wrote that it paid a ransom to a cybercriminal group extorting the company, a hacker gang known as AlphV or BlackCat. "A ransom was paid as part of the company's commitment to do all it could to protect patient data from disclosure," the statement reads. The company's belated admission of that payment accompanied a new post on its website where it warns that the hackers may have stolen health-related data that would "cover a substantial proportion of people in America."

Cybersecurity and cryptocurrency researchers told WIRED last month that Change Healthcare appeared to have paid that ransom on March 1, pointing to a transaction of 350 bitcoins or roughly $22 million sent into a crypto wallet associated with the AlphV hackers. That transaction was first highlighted in a message on a Russian cybercriminal forum known as RAMP, where one of AlphV's allegedly jilted partners complained that they hadn't received their cut of Change Healthcare's payment. However, for weeks following that transaction, which was publicly visible on Bitcoin's blockchain and which both security firm Recorded Future and blockchain analysis firm TRM Labs told WIRED had been received by AlphV, Change Healthcare repeatedly declined to confirm that it had paid the ransom.

Change Healthcare's confirmation of that extortion payment puts new weight behind the cybersecurity industry's fears that the attack -- and the profit AlphV extracted from it -- will lead ransomware gangs to further target health care companies. "It 100 percent encourages other actors to target health care organizations," Jon DiMaggio, a researcher with cybersecurity firm Analyst1 who focuses on ransomware, told WIRED at the time the transaction was first spotted in March. "And it's one of the industries we don't want ransomware actors to target -- especially when it affects hospitals." Compounding the situation, a conflict between hackers in the ransomware ecosystem has led to a second ransomware group claiming to possess Change Healthcare's stolen data and threatening to sell it to the highest bidder on the dark web. Earlier this month that second group, known as RansomHub, sent WIRED alleged samples of the stolen data that appeared to come from Change Healthcare's network, including patient records and a contract with another health care company.

This discussion has been archived. No new comments can be posted.

Change Healthcare Finally Admits It Paid Ransomware Hackers

Comments Filter:
  • by 93 Escort Wagon ( 326346 ) on Tuesday April 23, 2024 @07:12PM (#64419440)

    I am shocked. SHOCKED!

    Good thing I was sitting down...

  • The data got sold anyways. Not just to the highest bidder. To literally anyone willing to pay for it. Once the data is in the wild, you can forget about “getting it back”. FFS it’s not like a diamond necklace that can be “returned”. What century do these people live in?

    By paying the ransom, all they did was paint a big sign on their back saying “I’m vulnerable, I’m naive, I don’t understand how basic computers work let alone the internet, and I
    • I'm a bit concerned that we are now using the term "ransomware" to include situations where data have been exfiltrated. It used to only mean that the data were encrypted in place, and the ransom was for the decryption key (which you still can't trust, btw. How do you know that the data weren't altered during the encryption or decryption process?).

      A case where data are exfiltrated is more properly referred to as a breach.

      Are we just being sloppy with language, or does calling it ransomware give companies cov

      • by gweihir ( 88907 )

        "Ransomware" already includes a "breach" (or how else did the malware get in?), hence the wording is entirely correct.

        Are we just being sloppy with language, or does calling it ransomware give companies cover to avoid penalties and responsibilities associated with breaches?

        Neither. What allows the ones responsible for bad IT security and bad BCM/DR preparation and, worse, paying ransom, to walk away is US law.

  • by KiloByte ( 825081 ) on Tuesday April 23, 2024 @07:22PM (#64419452)

    Even after giving a cut to affiliate groups that helped, $22M can be used to murder quite a few Ukrainians. Because, while in the past their criminals used to be somewhat independent, after the full-scale war erupted, most of these bastards went under semi-official employ of the government.

  • by battingly ( 5065477 ) on Tuesday April 23, 2024 @07:26PM (#64419460)
    There needs to be a law against paying the ransom like this. This payday will attract ever more attacks. The only defense is to take away the profit motive. That will incentivize institutions to improve their security.
    • We would end up with more cyber fuck-ups being deemed Too Big To Fail at taxpayer expense, along with Government-mandated corporate cyber-insurance, taken right out of your paycheck in taxes if we follow your illegal lead.

      Be careful what you ask for. Not like we’re suddenly going to start punishing Greed N. Corruption, CEO.

      • So you are promoting a plan of more of the same. No. Paying any extortion or blackmail should be the end of the Corporation as a legal entity.

        Sure it would be tough even after such a law could ever be passed, until the first corporation is no more, then it will simply be the law not to negotiate.

        Today's teachings are all about tolerance, but when it comes to burdens to society there should be NO tolerance. That is why we are currently where we are when it comes to crime.
        • So you are promoting a plan of more of the same. No. Paying any extortion or blackmail should be the end of the Corporation as a legal entity.

          Oh no. I was more promoting a more likely reality that could be far fucking worse. Government mandated cyber insurance taken from your paycheck at the Federal level, while they manufacture a CyberThreatCon annual loss cost to be adjusted quarterly and taxed for next year, pre-paid? Just imagine how many “foreign” APTs you would find working at three-letter agencies on behalf of the Donor Class funding them. Imagine how quickly cyber-taxes would rise. As I said, Federal law mandating illegal

      • It doesn't matter how painful, no ransom should be paid. That is the ONLY way to take away the main motive to attack.

        That said, it doesn't mean security isn't just as important, because attacks can also be motivated by politics or just mischief as well.

        I would be one who supports laws preventing such payments. And no bailouts either- the corporation should be allowed to fail and all the stockholders will get shafted. And that is the other deterrence- pay now for security and make it count, lest you run t

    • Uh, paying the ransom is illegal, but much like antitrust law, our government seems to be completely incompetent at actual enforcement.

      • Uh, paying the ransom is illegal, but much like antitrust law, our government seems to be completely incompetent at actual enforcement.

        No, paying ransom is not illegal. There are OFAC restrictions on who you can pay ransom to, but that almost never applies to ransomware attacks.

        • I don't think that's true... not in every state at least, however, critically, this was not a ransomware attack. It is being mischaracterized as such, but it's actually just regular old espionage and extortion. Both of those things are a crime, and it's also a crime not to report them, as it is a crime to comply with the demands.

          • by gweihir ( 88907 )

            Where do you get that from? All the signs like interruption of services and outages are there. Service restoration is still in progress. THis clearly was a Ransomware attack with additional data exfiltration.

    • by gweihir ( 88907 )

      Indeed. And we absolutely need at least large enterprises to finally have good IT security. With _personal_ consequences for screwing up.

    • There is another solution. No director bonuses, and a complete board spill at the next AGM. And emails to the chief security head published where there are mentions of cost cutting, meeting budget, or being over-ruled.
  • by ukoda ( 537183 ) on Tuesday April 23, 2024 @07:38PM (#64419486) Homepage
    Here, not in the USA, one of our government run hospitals was victim of a ransomware attack a couple years ago. It was a major pain recovering the data and bringing it back online. No ransom was paid. It goes against our principles and also have you every tried to get the government to pay you for anything? I'm pretty sue the ransomware gang were not approved health care service provider so there would have been no procedural option to pay them, and governments do like procedures and paperwork.

    I'm not aware of any further attacks, why bother when you know you are not going to get paid?

    And we now have news that USA healthcare providers will pay up, so guess which country ransomware operators are now going to focus on?
  • Disconnect sensitive stuff from the interwebs. On classified networks, we run on the same physical Internet backbone. But it's highly encrypted and not logically addressable from the interwebs. Healthcare, industrial systems, utilities should all be disconnected.
    • by ls671 ( 1122017 )

      On classified networks, we run on the same physical Internet backbone. But it's highly encrypted and not logically addressable from the interwebs.

      Sound to me like you are challenging ransomware gangs to test that out for you. A little like me saying "I run everything in vms so I am fully protected" forgetting hypervisors can be hacked.

  • Change Healthcare is part of United HealthGroup. They are changing absolutely nothing, aside from of course increasing revenue for health care executives. The entire industry is morally bankrupt and deserves this and much worse. Unfortunately we the consumers are the ones who will ultimately pay the cost of this.
  • Dane-geld
    A.D. 980-1016

    IT IS always a temptation to an armed and agile nation
    To call upon a neighbour and to say: â"
    "We invaded you last night â" we are quite prepared to fight,
    Unless you pay us cash to go away."

    And that is called asking for Dane-geld,
    And the people who ask it explain
    That you've only to pay 'em the Dane-geld
    And then you'll get rid of the Dane!

    It is always a temptation for a rich and lazy nation

  • If idiots like this actually locked down systems ( offshoring makes it easy to crack these ), OR refused to pay, then these nations/groups would stop. Butâ¦.

    Just like nations that trade prisoners or pay for others, makes their citizens easy targets.
  • Ransomware works because too many greedy assholes are not prepared, pay and then make this attack profitable. Hence attackers can upgrade, get more and better people and tools and make the problem even worse.

    It is high time that the assholes responsible for bad IT security and missing or bad BCM and DR preparation at these companies are held responsible _personally_. It is also high time that paying ransom gets classified as financing crime (and hence a criminal act), because it clearly is.

  • I think that often companies look at the cost of effective cybersecurity vs the cost of paying ransoms. The latter is likely much cheaper. Look at this case, effective ongoing security is probably a lot more than the $22 million they've paid out (once, over ?? years?). It's not necessarily that they are 'idiots' that don't know how to secure their systems, but its simply cheaper not too.

    We need a way to make it more expensive for them not to run effective security (e.g. personal responsibility, with gaol t

  • 1000% of the ransom paid. Problem will be fixed FUCKING TOOT SWEET!

Your own mileage may vary.

Working...