When Change Healthcare paid $22 million in March to a ransomware gang that had crippled the company along with hundreds of hospitals, medical practices, and pharmacies across the US, the cybersecurity industry warned that Change’s extortion payment would only fuel a vicious cycle: Rewarding hackers who had carried out a ruthless act of sabotage against the US health care system nationwide with one of the largest ransomware payments in history, it seemed, was bound to incentivize a new wave of attacks on similarly sensitive victims. Now that wave has arrived.
In April, cybersecurity firm Recorded Future tracked 44 cases of cybercriminal groups targeting health care organizations with ransomware attacks, stealing their data, encrypting their systems, and demanding payments from the companies while holding their networks hostage. That’s more health care victims of ransomware than in any month Recorded Future has seen in its four years of collecting that data, says Allan Liska, a threat intelligence analyst at the company. Compared with the 30 incidents in March, it’s also the second-biggest month-to-month jump in incidents the company has ever tracked.
While Liska notes that he can’t be sure of the reason for that spike, he argues it’s unlikely to be a coincidence that it follows in the wake of Change Healthcare’s eight-figure payout to the hacker group known as AlphV or BlackCat that was tormenting the company.
“These kind of large payments are absolutely going to incentivize ransomware actors to go after health care providers,” says Liska, “because they think there’s more money to be made there.”
While most of the health care ransomware victims of the last two months have suffered quietly, a few have experienced life-threatening disruptions on a scale that’s difficult to miss. Ascension, a network of 140 hospitals and 40 senior living facilities, was targeted by a ransomware group known as Black Basta and forced to divert ambulances from hospitals in some cases, according to CNN, potentially delaying lifesaving emergency procedures. The notorious hacker group LockBit published 61 gigabytes of data stolen from the Simone Veil hospital in Cannes, France, after it refused to pay a ransom. And earlier this month, pathology firm Synnovis was hit by ransomware, believed to be the work of Russian group Qilin, forcing multiple hospitals in London to delay surgeries and even seek more donations of O-type blood due to the hospitals’ inability to match existing blood donations with patients needing transfusions.
There were 44 ransomware attacks on healthcare-related victims in April of this year, the most of any month on record, according to data collected by cybersecurity firm Recorded Future.
In fact, ransomware attacks on health care targets were on the rise even before the Change Healthcare attack, which crippled the United Healthcare subsidiary’s ability to process insurance payments on behalf of its health care provider clients starting in February of this year. Recorded Future’s Liska points out that every month of 2024 has seen more health care ransomware attacks than the same month in any previous year that he’s tracked. (While this May’s 32 health care attacks is lower than May 2023’s 33, Liska says he expects the more recent number to rise as other incidents continue to come to light.)
Yet Liska still points to the April spike visible in Recorded Future’s data in particular as a likely follow-on effect of Change’s debacle—not only the outsize ransom that Change paid to AlphV, but also the highly visible disruption that the attack caused. “Because these attacks are so impactful, other ransomware groups see an opportunity,” Liska says. He also notes that health care ransomware attacks have continued to grow even compared to overall ransomware incidents, which stayed relatively flat or fell overall: April, for instance, saw 1,153 incidents compared to 1,179 in the same month of 2023.
When WIRED reached out to United Healthcare for comment, a spokesperson for the company pointed to the overall rise in health care ransomware attacks beginning in 2022, suggesting that the overall trend predated Change’s incident. The spokesperson also quoted from testimony United Healthcare CEO Andrew Witty gave in a congressional hearing about the Change Healthcare ransomware attack last month. “As we have addressed the many challenges in responding to this attack, including dealing with the demand for ransom, I have been guided by the overriding priority to do everything possible to protect people’s personal health information,” Witty told the hearing. “As chief executive even though the choice was stark, paying the ransom was a decision that fell to me. Making this call was amongst the most daunting of my career, and it’s a circumstance I would not wish upon anyone,” he added.
Change Healthcare’s deeply messy ransomware situation was further complicated—and made even more eye-catching for the ransomware hacker community—by the fact that AlphV seems to have taken Change’s $22 million extortion fee and betrayed its hacker affiliates by vanishing without distributing their share of the spoils. This caused a highly unusual scenario where those affiliates subsequently offered the stolen data to another group, RansomHub, which demanded a second ransom from Change while threatening to leak the data on their dark web page.
That second extortion threat later mysteriously vanished from RansomHub’s page. United Healthcare has declined to respond to WIRED’s inquiries about this subsequent incident or whether a second ransom was paid.
Many in the cybersecurity industry, including Jon DiMaggio, a researcher at Analyst1, believe that Change Healthcare paid two separate ransoms. “The topic of the double ransom was widespread,” states DiMaggio. “Given the excitement I saw, it’s reasonable to think this enthusiasm extends to other cybercriminals as well.”
This incident not only drew significant attention but also highlighted the vulnerabilities of the health care sector, suggesting its appeal as a high-value target for hackers, explains DiMaggio. “The leverage gained through hacking health care systems, as demonstrated by the Change Healthcare incident, has just become more evident to attackers,” he remarks. “They now see a sector that’s ripe for exploitation.”
With ongoing attacks and some health care providers seemingly settling ransom demands to mitigate disruption, DiMaggio suggests that this trend of targeting health care entities is likely to continue. “Health care has appeared as an easy target, and now, also as one that’s prone to paying ransoms,” he says.