The unprecedented cyberattack on healthcare giant Change Healthcare has taken a chaotic turn, with allegations that the prolific BlackCat ransomware gang conducted an "exit scam"—shutting down operations after receiving a $22 million ransom payment from the company without paying their own affiliate hacker.
According to a report from Menlo Security, the affiliate involved in the actual ransomware deployment against Change Healthcare's systems is a criminal hacker operating under the alias "notchy." This individual is now threatening to sell or leak the 4TB trove of sensitive U.S. healthcare data they claim to have exfiltrated during the attack.
As Menlo stated, "The compromised information encompasses a wide array of personal and medical details, notably including data from critical national healthcare programs such as Medicare and TRICARE."
The report alleges that after Change Healthcare paid the $22 million ransom demand, the BlackCat/ALPHV ransomware gang abruptly shut down its operations and made off with the payment, leaving notchy unpaid and seeking revenge.
"Notchy responded on March 05, 2024 03:32 AM UTC '@ransom stop blaming the feds. No one is idiot here to believe what you have said. return what you have stole and be a man with dignity,'" the report quotes from Dark Web forums.
While unconfirmed, Menlo Security provided analysis tracing notchy's activities back years across various criminal hacking forums, speculating there is a "high probability" of links to Chinese state-sponsored cyber groups based on certain tactics. The report alleges notchy was actively seeking to acquire ransomware capabilities like Cobalt Strike as early as 2021.
"This appears to be a classic exit scam," cybersecurity analysts told Menlo. "In such a scam, perpetrators feign operational shutdown, covertly misappropriate their collaborators' funds, and potentially re-emerge under a different guise."
The infighting and threats have authorities and hospitals on high alert over the risk that the massive cache of Americans' medical data could be indiscriminately released or sold to other cybercriminal groups on the Dark Web for further exploitation.
"Mitigating the fallout of the compromised information should be a top priority, as this is rumored to affect the majority of not only civilians but also federal and military personnel," Menlo warned.
Change Healthcare has remained tight-lipped on the BlackCat allegations while working feverishly to restore systems, likely balancing data preservation for investigation with recovery operations.
As healthcare providers plead for federal financial intervention, this explosive development injects even more turmoil into an already dire situation—underlining both the cyber vulnerabilities facing healthcare and the unpredictable human factors that can dramatically escalate ransomware incidents.
Follow SecureWorld News for more stories related to cybersecurity.
