UnitedHealth Subsidiary Optum Hacked, Sources Link the Cyberattack to BlackCat Ransomware

Written by Mitchell Langley

February 27, 2024

A cyberattack, attributed to the BlackCat ransomware group, has caused a significant disruption in the services provided by Optum, a subsidiary of UnitedHealth Group.

The attack specifically targeted the Change Healthcare payment exchange platform. Change Healthcare informed its customers about the incident and the resulting downtime.

In a filing with the SEC, UnitedHealth Group revealed that the cyberattack was orchestrated by suspected “nation-state” hackers who gained unauthorized access to Change Healthcare’s IT systems.

The widespread impact of the shutdown is affecting various aspects of the U.S. healthcare system, including electronic health records, payment processing, care coordination, and data analytics systems in hospitals, clinics, and pharmacies.

Optum has been providing daily incident updates through a dedicated status page following the cyberattack. They have emphasized that Change Healthcare’s systems remain offline to mitigate any further impact and manage the breach.

The Optum Outage Continues to Affect the Majority of Services

“We have a high level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue,” Optum says.

“We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online.”

UnitedHealth Optum Hack Linked to BlackCat Ransomware

In response to the cyberattack, Change Healthcare has been actively engaging with partners in the healthcare industry through Zoom calls to provide regular updates.

During these discussions, forensic experts involved in the incident response have identified the BlackCat ransomware gang as the likely perpetrators, a link that was initially reported by Reuters.

Additionally, another reliable source has confirmed that one of the indicators of compromise is the exploitation of the critical ScreenConnect authentication bypass vulnerability (CVE-2024-1709) to deploy ransomware on servers that have not been patched.

Regrettably, we have been unable to independently verify the claims made by the sources. As of the current publication, the BlackCat ransomware group has not come forward to claim responsibility for the attack on Change Healthcare.

This suggests that the attackers may still be attempting to extort a ransom. Furthermore, representatives from both UnitedHealth Group and Optum were unavailable for immediate comment regarding the BlackCat ransomware attack when approached for confirmation. Additionally, a representative from BlackCat did not provide any comment regarding their involvement in the attack.

Who is BlackCat/ALPHV?

BlackCat emerged in November 2021 and is believed to be a rebrand of the DarkSide and BlackMatter ransomware. DarkSide gained significant notoriety following the Colonial Pipeline attack, which prompted extensive investigations by global law enforcement agencies and subsequent rebranding efforts by the group.

The FBI has connected BlackCat to more than 60 breaches that occurred between November 2021 and March 2022. Additionally, it is estimated that, as of September 2023, BlackCat had obtained at least $300 million in ransom payments from over 1,000 victims.

In December, the operations of the BlackCat gang faced a setback when the FBI successfully disrupted their Tor negotiation and leak sites. This was achieved through hacking their servers and developing a decryption tool using keys obtained during a lengthy intrusion.

However, BlackCat has managed to regain control of their leak site by utilizing private keys that were still in their possession. They have now established a new Tor leak site that the FBI has not yet been able to take down.

It is important to note that while UnitedHealth Group’s SEC filing attributes the attack to a nation-state threat actor, there has been no public linking of BlackCat to any specific foreign government agencies.

The U.S. State Department has announced reward offers for valuable information related to the ALPHV gang and BlackCat ransomware attacks. They are offering rewards of up to $10 million for tips that can help identify or locate the leaders of the ALPHV gang.

Additionally, rewards of up to $5 million are being offered for information regarding individuals associated with BlackCat ransomware attacks.
