Change Healthcare Finally Admits It Paid Ransomware Hackers (wired.com)
Andy Greenberg reports via Wired: More than two months after the start of a ransomware debacle whose impact ranks among the worst in the history of cybersecurity, the medical firm Change Healthcare finally confirmed what cybercriminals, security researchers, and Bitcoin's blockchain had already made all too clear: that it did indeed pay a ransom to the hackers who targeted the company in February. And yet, it still faces the risk of losing vast amounts of customers' sensitive medical data. In a statement sent to WIRED and other news outlets on Monday evening, Change Healthcare wrote that it paid a ransom to a cybercriminal group extorting the company, a hacker gang known as AlphV or BlackCat. "A ransom was paid as part of the company's commitment to do all it could to protect patient data from disclosure," the statement reads. The company's belated admission of that payment accompanied a new post on its website where it warns that the hackers may have stolen health-related data that would "cover a substantial proportion of people in America."
Cybersecurity and cryptocurrency researchers told WIRED last month that Change Healthcare appeared to have paid that ransom on March 1, pointing to a transaction of 350 bitcoins or roughly $22 million sent into a crypto wallet associated with the AlphV hackers. That transaction was first highlighted in a message on a Russian cybercriminal forum known as RAMP, where one of AlphV's allegedly jilted partners complained that they hadn't received their cut of Change Healthcare's payment. However, for weeks following that transaction, which was publicly visible on Bitcoin's blockchain and which both security firm Recorded Future and blockchain analysis firm TRM Labs told WIRED had been received by AlphV, Change Healthcare repeatedly declined to confirm that it had paid the ransom.
Change Healthcare's confirmation of that extortion payment puts new weight behind the cybersecurity industry's fears that the attack -- and the profit AlphV extracted from it -- will lead ransomware gangs to further target health care companies. "It 100 percent encourages other actors to target health care organizations," Jon DiMaggio, a researcher with cybersecurity firm Analyst1 who focuses on ransomware, told WIRED at the time the transaction was first spotted in March. "And it's one of the industries we don't want ransomware actors to target -- especially when it affects hospitals." Compounding the situation, a conflict between hackers in the ransomware ecosystem has led to a second ransomware group claiming to possess Change Healthcare's stolen data and threatening to sell it to the highest bidder on the dark web. Earlier this month that second group, known as RansomHub, sent WIRED alleged samples of the stolen data that appeared to come from Change Healthcare's network, including patient records and a contract with another health care company.
Wow, so you can't trust blackmailers? (Score:4, Funny)
I am shocked. SHOCKED!
Good thing I was sitting down...
They don't get it (Score:2)
By paying the ransom, all they did was paint a big sign on their back saying “I’m vulnerable, I’m naive, I don’t understand how basic computers work let alone the internet, and I
Re: (Score:1)
I'm a bit concerned that we are now using the term "ransomware" to include situations where data have been exfiltrated. It used to only mean that the data were encrypted in place, and the ransom was for the decryption key (which you still can't trust, btw. How do you know that the data weren't altered during the encryption or decryption process?).
A case where data are exfiltrated is more properly referred to as a breach.
Are we just being sloppy with language, or does calling it ransomware give companies cover to avoid penalties and responsibilities associated with breaches?
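The comment's point that a decryption key, even a working one, does not prove the data came back unaltered is one a defender answers with an integrity baseline. The following is an added example, not code from the article or any commenter: it compares restored files against a SHA-256 manifest captured from pre-incident backups and sorts them into intact, modified, missing and unexpected. All paths and contents are constructed sample data.

```python
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the SHA-256 of its known-good content.
    In practice the baseline comes from an offline backup or a
    pre-incident file-integrity record, never from the compromised host."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_restored(manifest: Dict[str, str], restored: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare decrypted/restored files with the baseline manifest.
    A hash mismatch means the decryptor (or the intruder) changed the bytes;
    a missing entry means restoration is incomplete; an unexpected path is
    something that was not in the baseline and needs a look."""
    report: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for path, expected in manifest.items():
        if path not in restored:
            report["missing"].append(path)
        elif sha256_hex(restored[path]) == expected:
            report["ok"].append(path)
        else:
            report["modified"].append(path)
    for path in restored:
        if path not in manifest:
            report["unexpected"].append(path)
    for paths in report.values():
        paths.sort()
    return report


# Constructed sample: a pre-incident baseline and what came back after decryption.
BASELINE = {
    "claims/2024-02/batch-001.csv": b"claim_id,amount\n1001,250.00\n1002,75.50\n",
    "claims/2024-02/batch-002.csv": b"claim_id,amount\n1003,1200.00\n",
    "config/routing.json": b'{"clearinghouse": "primary"}',
}
RESTORED = {
    "claims/2024-02/batch-001.csv": b"claim_id,amount\n1001,250.00\n1002,75.50\n",
    "claims/2024-02/batch-002.csv": b"claim_id,amount\n1003,1200.00\n1004,999.00\n",  # extra row: tampered
    "config/routing.json.decrypted": b'{"clearinghouse": "primary"}',  # renamed by the decryptor
}


def sample_report() -> Dict[str, List[str]]:
    return verify_restored(build_manifest(BASELINE), RESTORED)


if __name__ == "__main__":
    for category, paths in sample_report().items():
        print(f"{category}: {paths}")
```

Anything in the modified or unexpected buckets should be restored from backup rather than trusted, regardless of what the decryptor reported.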
Re: (Score:2)
"Ransomware" already includes a "breach" (or how else did the malware get in?), hence the wording is entirely correct.
Are we just being sloppy with language, or does calling it ransomware give companies cover to avoid penalties and responsibilities associated with breaches?
Neither. What allows the ones responsible for bad IT security and bad BCM/DR preparation and, worse, paying ransom, to walk away is US law.
Re: (Score:2)
Oops. The line in the middle should have been quoted.
$22M for the Special Military Operation (Score:3)
Even after giving a cut to affiliate groups that helped, $22M can be used to murder quite a few Ukrainians. Because, while in the past their criminals used to be somewhat independent, after the full-scale war erupted, most of these bastards went under semi-official employ of the government.
Paying the ransom should be illegal (Score:4, Insightful)
Illegal, has a steep price. (Score:2)
We would end up with more cyber fuck-ups being deemed Too Big To Fail at taxpayer expense, along with Government-mandated corporate cyber-insurance, taken right out of your paycheck in taxes if we follow your illegal lead.
Be careful what you ask for. Not like we’re suddenly going to start punishing Greed N. Corruption, CEO.
Re: (Score:3)
Sure it would be tough even after such a law could ever be passed, until the first corporation is no more, then it will simply be the law not to negotiate.
Today's teachings are all about tolerance, but when it comes to burdens to society there should be NO tolerance. That is why we are currently where we are when it comes to crime.
Re: (Score:2)
So you are promoting a plan of more of the same. No. Paying any extortion or blackmail should be the end of the Corporation as a legal entity.
Oh no. I was more promoting a more likely reality that could be far fucking worse. Government mandated cyber insurance taken from your paycheck at the Federal level, while they manufacture a CyberThreatCon annual loss cost to be adjusted quarterly and taxed for next year, pre-paid? Just imagine how many “foreign” APTs you would find working at three-letter agencies on behalf of the Donor Class funding them. Imagine how quickly cyber-taxes would rise. As I said, Federal law mandating illegal
Re: (Score:3)
It doesn't matter how painful, no ransom should be paid. That is the ONLY way to take away the main motive to attack.
That said, it doesn't mean security isn't just as important, because attacks can also be motivated by politics or just mischief as well.
I would be one who supports laws preventing such payments. And no bailouts either- the corporation should be allowed to fail and all the stockholders will get shafted. And that is the other deterrence- pay now for security and make it count, lest you run t
Re: (Score:1)
Uh, paying the ransom is illegal, but much like antitrust law, our government seems to be completely incompetent at actual enforcement.
Re: (Score:2)
Uh, paying the ransom is illegal, but much like antitrust law, our government seems to be completely incompetent at actual enforcement.
No, paying ransom is not illegal. There are OFAC restrictions on who you can pay ransom to, but that almost never applies to ransomware attacks.
Re: (Score:1)
I don't think that's true... not in every state at least, however, critically, this was not a ransomware attack. It is being mischaracterized as such, but it's actually just regular old espionage and extortion. Both of those things are a crime, and it's also a crime not to report them, as it is a crime to comply with the demands.
Re: (Score:2)
Where do you get that from? All the signs like interruption of services and outages are there. Service restoration is still in progress. This clearly was a ransomware attack with additional data exfiltration.
Re: (Score:2)
Indeed. And we absolutely need at least large enterprises to finally have good IT security. With _personal_ consequences for screwing up.
Re: (Score:2)
The rest of the world thanks you (Score:3)
I'm not aware of any further attacks, why bother when you know you are not going to get paid?
And we now have news that USA healthcare providers will pay up, so guess which country ransomware operators are now going to focus on?
Why is sensitive stuff connected to the interwebs? (Score:1)
Re: (Score:2)
On classified networks, we run on the same physical Internet backbone. But it's highly encrypted and not logically addressable from the interwebs.
Sound to me like you are challenging ransomware gangs to test that out for you. A little like me saying "I run everything in vms so I am fully protected" forgetting hypervisors can be hacked.
No truth in naming there... (Score:3)
Never pay the Dane-geld (Score:1)
Dane-geld
A.D. 980-1016
IT IS always a temptation to an armed and agile nation
To call upon a neighbour and to say: --
"We invaded you last night -- we are quite prepared to fight,
Unless you pay us cash to go away."
And that is called asking for Dane-geld,
And the people who ask it explain
That you've only to pay 'em the Dane-geld
And then you'll get rid of the Dane!
It is always a temptation for a rich and lazy nation
Obviously a number have (Score:2)
Just like nations that trade prisoners or pay for others, makes their citizens easy targets.
And they made the problem much worse (Score:2)
Ransomware works because too many greedy assholes are not prepared, pay and then make this attack profitable. Hence attackers can upgrade, get more and better people and tools and make the problem even worse.
It is high time that the assholes responsible for bad IT security and missing or bad BCM and DR preparation at these companies are held responsible _personally_. It is also high time that paying ransom gets classified as financing crime (and hence a criminal act), because it clearly is.
Cheaper to pay (Score:2)
I think that often companies look at the cost of effective cybersecurity vs the cost of paying ransoms. The latter is likely much cheaper. Look at this case: effective ongoing security is probably a lot more than the $22 million they've paid out (once, over ?? years?). It's not necessarily that they are 'idiots' that don't know how to secure their systems, but it's simply cheaper not to.
We need a way to make it more expensive for them not to run effective security (e.g. personal responsibility, with gaol t
Fine the c suite and board (Score:1)