Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Security News
Sarah Gooding
April 9, 2024
RansomHub, a relatively new ransomware group that emerged in early 2024, claims it has possession of Change Healthcare’s stolen data. In early March, ALPHV/Blackcat faked a law enforcement takedown to scam affiliates out of the $22M ransom payment for the Change Healthcare attack. The Bitcoin address associated with ALPHV received a $22 million transaction and shortly after that the group suspended their affiliates’ accounts and emptied the wallet.
Change Healthcare is responsible for processing insurance and billing for an estimated 50% of all medical claims in the U.S. and handles 15 billion transactions per year. Hospitals and pharmacy networks faced economic disruption costing $100 million per day.
The attack contributed to one of the largest nursing home operators, Petersen Health Care, filing for bankruptcy and caused some medical practices to run out of money. It hobbled U.S. healthcare so severely that the U.S. State Department is offering a $10 million bounty for information on ALPHV/Blackcat.
RansomHub alleges that ALPHV stole the payment that Change Healthcare forked over to restore their systems and prevent data leak. They claim to have over 4TB of sensitive data that pertains to Change Health partners, including Medicare, Tricare, CVS-CareMark, MetLife, and other high profile clients.
RansomHub is threatening to sell the data to the highest bidder if Change Healthcare doesn’t make a deal. This allegedly includes medical and dental records, payment and claims information, insurance records, patient names, addresses, social security numbers, and source code for 3,000 files, among other records.
It’s not clear whether RansomHub is the affiliate ALPHV scammed or if it’s a rebranding for their operations. Either way, it's an attempt to extort Change Healthcare for another ransom payment.
Smelly__vx, founder of vx-underground, speculates that ALPHV affiliates have simply moved to RansomHub after the exit scam.
RansomHub’s About page on their leak site states that the group has a global membership that is financially motivated. They exclude CIS, Cuba, North Korea, China, and non-profit organizations from their targets, and do not permit re-attacks for companies that have already made payments.
SOCRadar reports that their operations notably resemble a traditional Russian ransomware setup, based on their exclusion of Russian-affiliated nations and the overlap in targeted companies with other Russian ransomware groups. They have been recruiting affiliates from the Russian populated RAMP forum, and their site states their strains are ESXi rewritten in Golang.
RansomHub posted its first victim in February 2024, and continues naming new victims, with 17 claims to date. It operates with a RaaS model where affiliates receive 90% of ransom payments and 10% goes to the main group. SOCRadar noted that one distinction is the money is initially sent to the affiliate, an approach that addresses the distrust caused by ALPHV’s recent exit scam.
This new extortion attempt marks a significant change in the ransomware landscape, as former ALPHV affiliates fracture off into new groups. It also highlights the predatory nature of cybercriminal alliances and the fact that victims are never truly safe, even after payment.
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.