Notorious ransomware group claims responsibility for attacks roiling US pharmacies

A notorious ransomware and extortion group tied to dozens of cyberattacks against health care entities claimed responsibility Wednesday for an ongoing attack that’s disrupting payment processing at pharmacies and other care-related entities across the country.

ALPHV, also known as BlackCat, first claimed responsibility to DataBreaches.net on Tuesday for the attack on Change Healthcare, a subsidiary UnitedHealth Group. On Wednesday, ALPHV — perhaps best known for its role in last year’s breaches of Las Vegas casinos — posted a statement to its website that accused UnitedHealth Group of lying about the group behind the attack and the scope of affected parties.

Reuters, citing sources familiar with the investigation, reported Monday that the group was involved.

UnitedHealth Group did not immediately respond to a request for comment.

Change Healthcare — a platform used by 70,000 pharmacies and health care providers to process payments and provide other data-related services — initially disclosed an issue with “some applications” in a notice to its website posted Feb. 21. The notice was updated several hours later to add that the “network interruption” was “related to a cyber security issue.”

In a Securities and Exchange Commission filing the same day, the company said a “nation-state associated cyber security threat actor” had gained access to its IT systems, and that the company had “proactively isolated the impacted systems from other connecting systems” to protect patients and its corporate partners.

To date, there have been no clear links established between ALPHV and any government.

Health care professionals across the country are struggling to get paid and the situation is causing major disruptions in the health care industry, CNN reported Wednesday.

In late December, FBI, Department of Justice and a range of international agencies seized some of the technical infrastructure associated with ALPHV. A short time later, the group said it was back up and running, underscoring the difficulty of shutting down ransomware extortion gangs without arrests.

Since then, health care-related entities have made up a large portion of ALPHV’s nearly 70 publicly known victims, the FBI and the Cybersecurity and Infrastructure Security Agency said in an advisory published Tuesday. The U.S. State Department earlier this month offered up to $15 million for information leading to the identification or location of senior ALPHV members or affiliates participating in ALPHV attacks.

Alexander Leslie, an intelligence analyst at Recorded Future, said that according to data collected by his firm, ALPHV has claimed responsibility for attacks on at least eight health care organizations since the takedown targeting the group. That figure represents 11% of the group’s victims since December and makes health care its most targeted sector, Leslie said.

“Since that operational disruption in December 2023, we’ve identified a significant and disproportionate increase in the victimization of healthcare by ALPHV,” Leslie said. “The attack on Change Healthcare further demonstrates that ransomware must be framed as a national security and public health crisis, due to its cascading effects on the healthcare sector nationwide.”

ALPHV’s targeting of the health care sector is “likely” a response to the FBI operation, according to Tuesday’s advisory. Other observers, including the American Hospital Association, have said the group has always targeted health care entities and have advised caution in evaluating the group’s claims.

“At this point, it’s impossible to assess the accuracy of Alphv’s claims,” Brett Callow, a threat analyst with Emsisoft, said in an online message. “Alphv are untrustworthy bad faith actors and their claims should not be assumed to be accurate. In fact, they should be viewed with extreme cynicism.”

The incident underscores the “lack of resilience in the health care sector and its supply chain,” Callow added, noting that “fragility” that exists in other sectors as well.

The group’s statement Wednesday, which was removed from the group’s website shortly after it was posted, said that UnitedHealth Group’s claims that it had been attacked by a “nation-state associated” group and that the attack was limited to Change Healthcare were both “lies.”

ALPHV was able to “exfiltrate … “more than 6 [terabytes] of highly selective data,” the group claimed. “The data relates to all Change Health clients that have sensitive data being processed by the company.”

The data include active U.S. military personally identifiable information, dental records, payment information, claims information, phone numbers, addresses, social security numbers, source code for Change Healthcare products and insurance records, the group claimed.

Change Healthcare “chose to play a very risky game,” the note read, along with a threat to UnitedHealth: “[You] are walking on a very thin line be careful you just might fall over.”