Ransomware Group BlackCat Extorts $22 Million from Change Healthcare, Fails to Destroy Data: Chaos Ensues

Atlanta, Georgia: Change Healthcare, a major U.S. healthcare company, is facing a $22 million extortion payment to the BlackCat ransomware group amid a cyberattack that has disrupted prescription drug services across the nation. Reports suggest that BlackCat may not have held up its end of the deal: the group failed to pay a share of the ransom to the cybercriminal who claims to have provided access to Change Healthcare’s network, leaving sensitive data still in that person’s possession.

The cyber intrusion at Change Healthcare started in the third week of February, causing critical healthcare services to be shut down. The attack, attributed to BlackCat, led to a disruption in the delivery of prescription drugs for hospitals and pharmacies for nearly two weeks. A recent transaction to a cryptocurrency address associated with BlackCat amounted to approximately $22 million, hinting at the ransom payment by Change Healthcare to prevent the release of stolen data.

BlackCat, known for its ransomware-as-a-service model, relies on affiliates to infect new networks with ransomware and earn commissions from ransom payments. An affiliate named “Notchy” claimed that despite receiving the $22 million payment from Change Healthcare, BlackCat failed to compensate them as promised. Moreover, the affiliate still holds sensitive data from Change Healthcare, including information from Medicare and other insurance and pharmacy networks.

Change Healthcare neither confirmed nor denied the ransom payment, emphasizing instead its focus on its investigation and on restoring services. However, the situation took a turn when Notchy’s disclosure seemed to result in BlackCat announcing the cessation of its operations. This development followed an earlier intervention by law enforcement that led to the seizure of the BlackCat website and the provision of a decryption tool for victims.

Despite efforts to reorganize and increase affiliate commissions, BlackCat ultimately decided to shut down, indicating the sale of its ransomware source code. Observers described the abrupt exit as an attempt to scam affiliates by withholding ransom payment commissions and closing down services. The group’s website now displays a seizure notice from the FBI, mirroring a past raid by authorities.

Fabian Wosar, a ransomware research expert, highlighted BlackCat’s actions as an exit scam aimed at affiliates. The group’s exit scam presents risks, including the potential leakage of stolen data by affiliates seeking further payment. Dmitry Smilyanets, a security researcher, warned of the dangers posed by BlackCat’s exit scam, cautioning against trusting criminals who may not honor their promises.

The demise of BlackCat comes on the heels of LockBit, another ransomware group that faced a crackdown by law enforcement agencies. Following the seizure of LockBit’s website by authorities, the group attempted to rebuild its reputation but ultimately lost credibility. Investigations revealed that LockBit had deceived victims by not deleting data after receiving ransom payments, emphasizing the perils of engaging with cybercriminals.

Public awareness regarding the risks associated with paying cybercriminals to delete stolen data is growing, with experts urging companies to reconsider such deals. These recent developments underscore the ongoing battle against ransomware threats and the importance of robust cybersecurity measures in safeguarding sensitive information.