Change Healthcare Hit By Cyber Extortion Again

Written by

Change Healthcare, a subsidiary of UnitedHealth Group, has been facing renewed extortion from cybercriminals just a month after paying a ransom to prevent the release of data stolen in a February 2024 ransomware attack. 

The attack, orchestrated by the ALPHV/BlackCat ransomware gang, severely disrupted healthcare operations across the US, compromising over 4TB of sensitive data, including personal and financial records.

Following the attack, the BlackCat group claimed responsibility but later announced their closure after being raided by the FBI. 

However, suspicions arose when they failed to share a $22 million ransom payment reportedly made by UnitedHealth Group. Now, a new ransomware group – RansomHub – has surfaced, threatening to expose the stolen data unless another ransom is paid.

RansomHub, which emerged in February 2024, boasts former BlackCat affiliates among its ranks, potentially explaining how they acquired Change Healthcare’s data.  

Read more on this breach: US Government to Investigate Change Healthcare Ransomware Attack

According to a dark web blog post discovered by cybersecurity analyst Dominic Alvieri on Monday, RansomHub operates on a ransomware-as-a-service (RaaS) model. The group also allows affiliates to retain 90% of ransom proceeds, addressing concerns raised by BlackCat’s exit scam.

While speculation surrounds RansomHub’s connection to BlackCat, SOCRadar suggests they may be distinct entities, with RansomHub’s emergence predating the exit scam. 

“It is not clear if RansomHub is a rebrand of ALPHV ransomware group, the affiliate at ALPHV is moving to RansomHub, or if this is a scam by RansomHub ransomware group trying to intimidate Change Healthcare into paying again,” pointed out Ngoc Bui, a cybersecurity expert at Menlo Security.

Regardless, the resurgence of extortion highlights the risks faced by ransomware victims.

“When ransomware groups determine that an organization is willing to pay a ransom, it can lead to double extortion schemes,” explained Keeper Security CEO, Darren Guccione.

“It’s also important to note that in many cases, the payment of a ransom doesn’t guarantee the cybercriminal will decrypt a victim’s files or reinstate access to their systems. They are criminals, and as such, they cannot be trusted.”

The double-extortion attempt comes weeks after sensitive Swiss federal government data was leaked by the Play ransomware group.

Image credit: T. Schneider /

What’s hot on Infosecurity Magazine?