Possible China link to Change Healthcare ransomware attack

Alleged crim bought SmartScreen Killer, Cobalt Strike on dark-web markets

A criminal claiming to be an ALPHV/BlackCat affiliate — the gang responsible for the widely disruptive Change Healthcare ransomware infection last month —  may have ties to Chinese government-backed cybercrime syndicates.

Menlo Security this week linked Beijing to the cyberattack, which essentially left pharmacies across America unable to look up and process people's health insurance, forcing patients to pay out of pocket for life-saving medication or go without these essential prescriptions.

The criminals were able to bag a $22 million payment in Bitcoin, reportedly a ransom paid by Change's parent US healthcare giant UnitedHealth.

A miscreant who goes by "Notchy" claims to be the ALPHV affiliate behind that February 21 intrusion that disrupted thousands of American pharmacies and hospitals.

"Some of our HUMINT sources with direct contact to Notchy says it's high probability that Notchy is associated with China Nation-State groups," Menlo's threat intel team said in a report Wednesday.

The infosec outfit analyzed discussions on Ramp, a dark-web forum that charges a $500 entry fee or requires admin approval. The report includes a screenshot from Ramp user Notchy claiming to be the affiliate responsible for the Change ransomware attack. According to Notchy — and take this for what it is: the words of a criminal — Change coughed up the multi-million-dollar ransom and ALPHV made off with the entire amount.

From its Ramp analysis, Menlo researchers were able to pull a Telegram username, which led them to messages from April 2023 in which Notchy was seeking out Cobalt Strike. This is significant because Cobalt Strike is a legit security testing tool frequently used by criminals to gain initial access to victims' IT environments before deploying ransomware. 

Additionally, the threat hunters found Notchy on both the Exploit and XSS crime forums, both of which allow users to buy and sell malware, and on the latter they were touted as a "trusted seller and genuine products A+++."

Menlo says Notchy likely purchased SmartScreen Killer malware as well as the latest version of Cobalt Strike. "We have also identified a potential hash associated with this malware purchase," the intel team noted. "Without more details on the Change Healthcare attack, we are unable to determine if this malware was used against them or not."

The ransomware infection, in addition to having a material impact on UnitedHealth, has had devastating effects on the US healthcare system and the patients it serves.

On Tuesday, the Department of Health and Human Services stepped in to help hospitals and other healthcare providers affected by the BlackCat infection, offering more relaxed Medicare rules and calling for advanced funding to providers.

Still, "more must be done," according to American Hospital Association president and CEO Rick Pollack.

The association, whose members include about 5,000 US hospitals and other healthcare organizations, has urged Congress to pass a financial assistance program and provide "immediate access to funding" for all providers impacted by what it describes as the "worst cyberattack on our healthcare system in history." ®

More about

TIP US OFF

Send us news


Other stories you might like