
ALPHV steps up laundering of Change Healthcare ransom payments

As the ransomware group moves to hide its $22 million, its affiliate notchy is laying low after reportedly being stiffed on payment. 

Six weeks after executing an attack that crippled parts of the U.S. health care system, the cybercrime gang linked to the incident has picked up the pace of laundering the proceeds of an alleged ransom payment, even as the hackers implicated in the breach continue to maintain a low profile.  

The ransomware group ALPHV claimed responsibility for the Feb. 21 attack on Change Healthcare, a payment processor that touches 1 in 3 American patient records. The attack on Change limited the ability of pharmacies and health care providers to receive payments and has placed severe strain on the U.S. health care system.

Earlier this month, cybercrime researchers reported that a bitcoin wallet linked to previous ALPHV ransoms had received $22 million, fueling speculation that Change’s parent company, UnitedHealth Group, had ponied up a ransom payment.

Now, ALPHV appears to be moving to further obscure the destination of those funds. 


According to blockchain intelligence firm TRM Labs, funds have recently been moved from bitcoin wallets linked to other ransoms paid to ALPHV, with these funds transferred to multiple other addresses and through a mixer, a tool used to obfuscate transactions that can be tracked on a public ledger. 

“Over the last week or so we have seen increased laundering activity,” Ari Redbord, TRM Labs’s global head of policy, told CyberScoop in an email. On March 27, for instance, TRM Labs observed 50 bitcoin — approximately $3.5 million — “move from wallets associated with the group to a mixing service. In addition, between March 22nd & 27th, we saw multiple withdrawals by wallets associated with the ransomware group and sent to a global exchange.”

The FBI declined to comment on the status of its investigation of the incident. 

Against the backdrop of ALPHV moving to obscure the funds it reportedly extorted from UnitedHealth Group, the incident remains dogged by unanswered questions, in particular regarding the ransomware affiliate that carried out the attack on Change. 

Ransomware groups like ALPHV operate on an affiliate model. Affiliates carry out ransomware attacks using ALPHV’s tools in exchange for splitting the proceeds of any ransomware payments. In the Change incident, an affiliate going by the handle “notchy” claimed to have carried out the attack only to be cut out when the ransom was paid.


In recent weeks, notchy has grown quiet after accusing ALPHV of double-crossing them. According to notchy, ALPHV never provided them with their share of the $22 million payment from UnitedHealth. Instead, ALPHV shut down their site and falsely claimed that they had been the victim of a law enforcement takedown operation. 

Following the breach of Change, notchy claimed to have obtained four terabytes of data related to the company’s major partners, including CVS Caremark, among others. A spokesperson for CVS Caremark told CyberScoop it was aware of the “unsubstantiated statement” that was posted in connection with the attack, but “at this time Change Healthcare has not confirmed whether any member or patient information it holds, including CVS Health or CVS Caremark information, was impacted by this incident.” 

The other entities notchy claimed to have data on include Medicare, Tricare, Loomis, Davis Vision, Health Net, MetLife and Teachers Health Trust, along with “tens of insurance companies and others.” None of the others responded to requests for comment.

It’s not clear whether notchy is actually in possession of that data, but having been stiffed by ALPHV out of its share of a lucrative ransom, the data would represent a major asset.

A UnitedHealth Group spokesperson did not respond to CyberScoop’s questions about the company’s understanding of any outstanding data. UnitedHealth Group is “still determining the content of the data that was taken by the threat actor,” including protected health information or personally identifiable information, the company said in an update posted to its website March 27. The spokesperson said Wednesday that that post is the “most up-to-date information” the company has to share.  


Cybercrime researchers say they have not yet seen the data being offered for sale, but immediately following the attack, notchy posted a message looking to work with people to continue to carry out attacks, only to quickly shut down the thread.

“I think it’s more of a lay low type of situation for the time being,” said Garrett Carstens, vice president of intelligence operations at Intel 471. 

If notchy, or any threat actor for that matter, is in fact in possession of the data they claim, Carstens said, the major concern is that it could be mined for clues to target other networks. Notchy is an effective threat actor, he added, with Intel 471’s analysis suggesting that the group had the ability to compromise new networks at a rate of about “a dozen a week” around the time of the Change Healthcare attack.

Relatively little is known about notchy, but the handle may be operated by more than one person, as it uses plural pronouns when referring to itself. The username was first registered on the Russian-language RAMP forum in December 2021, but posted for the first time in August 2022 and has only posted 11 times in total, according to the cybersecurity firm KELA.

Notchy is possibly linked to at least two other handles on another cybercrime forum, Exploit. The two handles may be linked, in turn, to at least one handle on Telegram that has been active in English and Russian-language channels related to credit card fraud activities and information-stealer malware, according to KELA. 


According to Telegram chatlogs provided by Unit 221B, a cybersecurity firm, a since-deleted Telegram handle possibly linked to notchy posted in May 2022 in a marketplace for stolen login credentials, asking about the availability of “US only” virtual private network credentials related to remote desktop applications — a probable indication of the techniques and types of targets of interest to the notchy persona. 

Such credentials are frequently obtained with info-stealer malware, which harvests saved logins, cookies and other personal data from a victim's browser and packages them into "logs" that are sold on criminal forums. Between July 1, 2021 and June 30, 2022, for instance, researchers with Group-IB found that 96 million such logs were offered for sale across various forums, 80% of which came from U.S. users.

Notchy typically posts in English, Carstens said, but can likely understand Russian. It also seems that notchy likes to conduct business primarily on Moscow Standard Time, but Carstens cautioned against assigning much significance to that fact. 

To substantiate its claims of having been defrauded by ALPHV, notchy posted screenshots of its conversations with ALPHV admins on the messaging platform Tox, as well as a link to the cryptocurrency wallet that received the alleged ransomware payment from UnitedHealth Group. That post was the first public exposure of the wallet that received a 350 bitcoin transaction on March 1 that is believed to be UnitedHealth Group's ransom payment.

ALPHV responded on RAMP saying that they decided to “completely close the project,” and that “we can officially declare the feds screwed us over.” Some ALPHV infrastructure had been seized by the FBI and other agencies in December 2023, but the group took some of it back and revamped the site at a new address.


RAMP administrators banned ALPHV from the forum on March 6 after concluding that ALPHV had scammed the affiliate, according to KELA.

Ultimately, notchy isn’t wholly unique, Carstens said, calling them “one of many pretty capable threat actors that are out there that play in this world of ransomware.”

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).
