Double Whammy: Change Healthcare Targeted Again by RansomHub Following ALPHV's Exit Scam

RansomHub claims to have over 4TB of sensitive data from the Change Healthcare ransomware attack. They are threatening to sell it, if the company doesn't pay a second ransom.

Sarah Gooding

April 9, 2024

RansomHub, a relatively new ransomware group that emerged in early 2024, claims it has possession of Change Healthcare’s stolen data. In early March, ALPHV/Blackcat faked a law enforcement takedown to scam affiliates out of the $22M ransom payment for the Change Healthcare attack. The Bitcoin address associated with ALPHV received a $22 million transaction and shortly after that the group suspended their affiliates’ accounts and emptied the wallet.

Change Healthcare is responsible for processing insurance and billing for an estimated 50% of all medical claims in the U.S. and handles 15 billion transactions per year. Hospitals and pharmacy networks faced economic disruption costing $100 million per day.

The attack contributed to one of the largest nursing home operators, Petersen Health Care, filing for bankruptcy and caused some medical practices to run out of money. It hobbled U.S. healthcare so severely that the U.S. State Department is offering a $10 million bounty for information on ALPHV/Blackcat.

Ransom Redux: Change Healthcare Faces Fresh Extortion Attempt

RansomHub alleges that ALPHV stole the payment that Change Healthcare forked over to restore its systems and prevent a data leak. The group claims to have over 4TB of sensitive data pertaining to Change Healthcare partners, including Medicare, Tricare, CVS-CareMark, MetLife, and other high-profile clients.

RansomHub is threatening to sell the data to the highest bidder if Change Healthcare doesn’t make a deal. This allegedly includes medical and dental records, payment and claims information, insurance records, patient names, addresses, social security numbers, and source code for 3,000 files, among other records.

It’s not clear whether RansomHub is the affiliate that ALPHV scammed or a rebranding of ALPHV’s own operations. Either way, it's an attempt to extort Change Healthcare for a second ransom payment.

Smelly__vx, founder of vx-underground, speculates that ALPHV affiliates have simply moved to RansomHub after the exit scam.

RansomHub’s About page on their leak site states that the group has a global membership that is financially motivated. They exclude CIS, Cuba, North Korea, China, and non-profit organizations from their targets, and do not permit re-attacks for companies that have already made payments.

SOCRadar reports that RansomHub’s operations notably resemble a traditional Russian ransomware setup, based on its exclusion of Russian-affiliated nations and the overlap between its targets and those of other Russian ransomware groups. The group has been recruiting affiliates from the Russian-populated RAMP forum, and its site states that its strains are ESXi rewritten in Golang.

RansomHub posted its first victim in February 2024 and continues naming new victims, with 17 claims to date. It operates on a RaaS model in which affiliates receive 90% of ransom payments and 10% goes to the main group. SOCRadar noted that one distinction is that the money is sent to the affiliate first, an approach that addresses the distrust caused by ALPHV’s recent exit scam.

This new extortion attempt marks a significant change in the ransomware landscape, as former ALPHV affiliates fracture off into new groups. It also highlights the predatory nature of cybercriminal alliances and the fact that victims are never truly safe, even after payment.
