It was probably the strongest cyber attack on the US healthcare system to date: The ALPHV/BlackCat ransomware infected the insurer UnitedHealth and its technology service provider Change Healthcare. The result: prescriptions can only be redeemed and billed to a limited extent.

Recently, UnitedHealth, one of the largest insurers in the United States, fell victim to a ransomware attack. It affected hundreds of millions of people – more than any previous attack.

Specifically, the “ALPHV” ransomware gang, also known as BlackCat, managed to infect Change Healthcare’s servers. This is a subsidiary that UnitedHealth bought in 2022 for $8 billion.

Change manages the redemption of medication prescriptions and disbursements to pharmacies, approximately 15 billion prescriptions or $1.5 trillion annually. The company also operates platforms that help doctors and clinics with diagnoses, record patient feedback, schedule appointments and more.

The ALPHV attack knocked out 111 Change Healthcare services. Pharmacies were unable to submit payment claims to insurance companies, patients were unable to fill prescriptions, appointments were canceled and more. Hundreds of millions of people were affected, directly or indirectly, primarily in the USA, but also in Canada, Taiwan, New Zealand and other countries.

The US Department of Health quickly got involved. It coordinated the response of the various actors – doctors, clinics, insurance companies, pharmacies, associations – which probably prevented the worst. Still, Change Healthcare’s outage is costing U.S. healthcare providers an estimated $100 million a day, and many patients are missing out on necessary medications.

At least Change Healthcare is now bringing its systems back up. It expects to be able to process prescriptions again from mid-March. Security experts suspect that UnitedHealth paid the ransom of 350 Bitcoin – currently a good $25 million. However, the company itself does not comment on this.

If prosecution remains fruitless

The ransomware gang behind this largest healthcare attack to date is not unknown. ALPHV/BlackCat is known from numerous spectacular attacks, for example on the Swiss asset manager Finaport, the Hamburg logistics company Oiltanking, the Ecuadorian capital Quito, the government of Carinthia and many others.

Just over a year ago, ALPHV ransomware was considered one of the biggest threats in cyberspace. The Russian hackers work with other predominantly Russian cybercriminals who act as “distributors” and smuggle the ransomware onto their victims’ systems. Worse, BlackCat not only encrypts the data to demand a ransom, but also threatens to publish sensitive data and to launch DoS attacks. Experts therefore speak of “triple extortion”.

In December of last year, the US Department of Justice managed to seize the BlackCat/ALPHV website. Through it, the gang coordinated its activities and published leaks. The hackers were briefly able to “unseize” the site again, whereupon they posted a cartoon-like image of a black cat and announced that in retaliation they would lift all restrictions so that their “users” could also attack “critical infrastructure”. Two hours later, the Justice Department took over the site again.

The department speaks of a decisive blow. German, British, Danish, Australian and Spanish investigators were also involved in the investigation; however, their greatest success may have been securing the decryption keys, which enabled more than 500 victims of the ransomware gang to recover their data.

The hackers themselves remain at large. As long as they operate in the safe haven of Russia, which has cooperated less than ever with international prosecutors since the attack on Ukraine, they face little danger from Western investigators. Presumably, Russian intelligence will not only tolerate attacks on infrastructure in the West, but also condone or even support them.

Apparently ALPHV got cold feet after all. After the hackers received a payment of 350 Bitcoin – the exact amount they had demanded from UnitedHealth – their (new) darknet website indicated that it had been seized by the FBI and the British police. However, the two police authorities denied this, which is why Ars Technica assumes that the hackers are retiring.

Ransomware became inevitable

Either way, the world has to live with the fact that it is plagued by ransomware, and that the more important a digital infrastructure is, the more likely it is to become a target. With strong cybersecurity, this could just be a nuisance, like gnats in the summer, ideally even an early warning system that helps harden essential servers.

Services such as those provided by Change Healthcare – the redemption and billing of prescriptions – are crying out to be immunized against ransomware through a blockchain. Of course, this is too late for the patients and customers already affected. Although they look forward to the billing systems being put into operation soon, they still have to fear that their private data will end up on the dark web.
