Pierluigi Paganini
February 27, 2024
A ransomware attack hit the UnitedHealth Group subsidiary Optum leading to an outage impacting the Change Healthcare payment exchange platform.
Optum Solutions is a subsidiary of UnitedHealth Group, a leading health insurance company in the United States. Optum Solutions operates the Change Healthcare platform, which serves as a critical payment exchange platform for the US healthcare system.
“On February 21, 2024, UnitedHealth Group (the “Company”) identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems. Immediately upon detection of this outside threat, the Company proactively isolated the impacted systems from other connecting systems in the interest of protecting our partners and patients, to contain, assess and remediate the incident.” reads the SEC filing. “The Company is working diligently to restore those systems and resume normal operations as soon as possible, but cannot estimate the duration or extent of the disruption at this time. The Company has retained leading security experts, is working with law enforcement and notified customers, clients and certain government agencies.”
Reuters, citing sources familiar with the investigation, linked the attack to the BlackCat ransomware group. In a SEC filing, UnitedHealth Group attributed the attack to a suspected nation-state actor.
“Hackers working for the ‘Blackcat’ ransomware gang are behind the outage at UnitedHealth’s technology unit that has snarled prescription deliveries for six days, two people familiar with the matter told Reuters on Monday.” reads the Reuters. “The problems began last week after hackers gained access to Change Healthcare’s information technology systems and has led to disruptions at pharmacies across the United States.”
In response to the attack, the company was forced to shut down its systems causing an outage impacting multiple services of U.S. healthcare organizations.
In the last update provided by Change Healthcare, the company confirmed that it is experiencing a cybersecurity issue and is working to address the problem. In response to the security breach, the company disconnected Change Healthcare’s systems to contain the threat. This action was taken so our customers and partners do not need to. The company believes that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue. The company is investigating into the incident with the help of cybersecurity firm Mandiant
“We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online.” reads the update published by Change Healthcare. “We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect. The disruption is expected to last at least through the day. We will provide updates as more information becomes available.”
BlackCat/ALPHV ransomware gang has been active since November 2021, the list of its victims is long and includes industrial explosives manufacturer SOLAR INDUSTRIES INDIA, the US defense contractor NJVC, gas pipeline Creos Luxembourg S.A., the fashion giant Moncler, the Swissport, NCR, and Western Digital. The ransom demands of the group range from a few tens of thousands of dollars up to tens of millions of dollars.
On December 19, 2023, the FBI seized the Tor leak site of the AlphV/Blackcat ransomware group and replaced the home page with the announcement of the seizure.
On December 7th, BleepingComputer and other prominent experts reported that the ALPHV gang’s websites went offline.
On December 10th, the primary domain of the group went offline and administrators claimed the problem was caused by a hardware failure. At the same time, rumors circulated that the site was taken offline as a result of law enforcement’s operation. The group always denied this circumstance, but today the domain displayed the following message to the visitors.
The seizure is the result of a joint operation conducted by international law enforcement agencies from the US, Denmark, Germany, UK, Netherlands, Germany, Australia, Spain, Austria and Europol.
The ALPHV/Blackcat group was the second most prolific ransomware-as-a-service operation, it amassed hundreds of millions of dollars in ransom payments.
In February 2024, the U.S. Department of State is offering a reward of up to $10 million for information leading to the identification or location of the key figures behind the ALPHV/Blackcat ransomware operation. The US government is also offering a reward offer of up to $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in ALPHV/Blackcat ransomware attacks.
This additional reward aims to target affiliated and initial access brokers involved and that facilitated the attacks of the group.
The FBI developed a decryption tool that could allow over 500 victims to recover their systems for free.
“FBI identified ALPHV/Blackcat actors as having compromised over 1,000 victim entities in the United States and elsewhere, including prominent government entities (e.g., municipal governments, defense contractors, and critical infrastructure organizations).” reads the press release. “To date, the FBI has worked with dozens of victims in the United States and internationally to disseminate a decryption tool to restore victim systems and prevent ransom demand payments of approximately $99 million.”
According to the press release published by the U.S. Department of State, ALPHV/Blackcat actors have compromised over 1,000 victim entities in the United States and elsewhere.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, Optum Solutions)
