AlphV Received a $22 Million Payment After Change Healthcare Ransomware Attack, the Second Largest Ransom Payment!

Written by Gabby Lee

March 7, 2024


Evidence on the Bitcoin blockchain indicates that Change Healthcare, the victim of a significant ransomware attack, may have made a substantial payment.

Change Healthcare Ransomware Causes Major Disruptions in the US Healthcare Industry

The Change Healthcare ransomware attack has caused major disruptions, particularly in the US healthcare industry, including hospitals and pharmacies, resulting in significant delays in prescription drug deliveries over an ongoing period of 10 days.

Recent information from the criminal underground reveals a dispute that sheds light on a new development: the hackers responsible for the attack, identified as the BlackCat or AlphV ransomware group, received a transaction of $22 million that strongly resembles a substantial ransom payment.

AlphV Ransomware Group Received $22 Million Worth of Bitcoin, All Clues Point to the Change Healthcare Ransomware Incident

On March 1, a notable Bitcoin address associated with AlphV received a substantial amount of 350 bitcoins in a single transaction, equivalent to approximately $22 million based on the prevailing exchange rates at that time.

Following this, a member claiming to be affiliated with AlphV, who collaborates with the group to infiltrate victim networks, took to the underground cybercriminal forum RAMP to express grievances about being deceived by AlphV regarding their portion of the ransom from Change Healthcare.

This individual pointed to the $22 million transaction visible on Bitcoin’s blockchain as evidence. Dmitry Smilyanets, the researcher from security firm Recorded Future who initially discovered the post, interprets this as a strong indication that Change Healthcare likely made the payment to AlphV as ransom.

“You can see the number of coins that landed there. You don’t see that kind of transaction so often,” Smilyanets says. “There’s proof of a large amount landing in the AlphV-controlled Bitcoin wallet. And this affiliate connects this address to the attack on Change Healthcare. So it’s likely that the victim paid the ransom.”

A representative from Change Healthcare, a subsidiary of UnitedHealth Group, chose not to disclose whether the company had paid a ransom to AlphV.

When approached by WIRED, the spokesperson stated that their current priority is the ongoing investigation.

Both Recorded Future and TRM Labs, a blockchain analysis firm, have established a connection between the Bitcoin address that received the $22 million payment and the AlphV hackers.

TRM Labs further claims that it can trace this address to payments made by two other victims of AlphV in January.

$22 Million Ransom Payment by Change Healthcare Can Set a Dangerous Precedent

The potential payment of a $22 million ransom by Change Healthcare raises concerns not only about the financial gain for AlphV, but also the precedent it sets within the healthcare sector, warns Brett Callow, a researcher specializing in ransomware at security firm Emsisoft.

According to Callow, every ransomware payment not only provides funding for future attacks by the same group, but also encourages other ransomware actors to follow suit.

“If Change did pay, it’s problematic,” says Callow. “It highlights the profitability of attacks on the health care sector. Ransomware gangs are nothing if not predictable: If they find a particular sector to be lucrative, they’ll attack it over and over again, rinse and repeat.”

The individual known as “notchy,” who identified themselves as an affiliate of AlphV, was the first to bring attention to the payment evidence on RAMP.

Notchy expressed dissatisfaction with AlphV, claiming that the group had received the $22 million ransom from Change Healthcare but failed to distribute the agreed-upon share of the profits to their hacking partner.

“Be careful everyone and stop deal with ALPHV,” Notchy wrote.

In addition, the affiliate hacker mentioned that during their infiltration of Change Healthcare’s network, they gained access to the data of multiple other healthcare organizations associated with the company. Dmitry Smilyanets from Recorded Future highlights the concerning implication of this claim.

It introduces an additional risk that the affiliate hacker may still possess sensitive medical information. Even if Change Healthcare indeed made the payment to AlphV, there remains the possibility that the hacker affiliate could demand further payment or independently leak the data.

“The affiliates still have this data, and they’re mad they didn’t receive this money,” says Smilyanets. “It’s a good lesson for everyone. You cannot trust criminals; their word is worth nothing.”

The Change Healthcare Ransomware Incident Shows AlphV Resurgence

A ransom payment of $22 million would mark a highly lucrative achievement for AlphV in the realm of ransomware.

According to Brett Callow from Emsisoft, only a few ransoms in the history of ransomware, such as the $40 million payment made by CNA to the hackers Evil Corp, have reached such substantial amounts. Callow describes it as an uncommon occurrence, although not entirely unprecedented.

Furthermore, regardless of whether Change Healthcare can verify the payment, the attack signifies a concerning resurgence for AlphV. In December, the group faced an operation by the FBI, resulting in the seizure of their dark web sites and the release of decryption keys that thwarted their attacks on numerous victims.

Merely two months later, AlphV executed a cyberattack that severely disrupted Change Healthcare, resulting in a prolonged outage that has impacted pharmacies and patients for over a week. Apart from Change Healthcare, AlphV had already listed 28 other companies on its dark web leak site, which it used to extort its victims.

However, the site is now offline, displaying what appears to be a law enforcement seizure notice. Security researcher Fabian Wosar notes that the notice seems to have been replicated from AlphV’s previous takedown.

The exact reason behind AlphV’s sudden disappearance remains unclear, whether it be due to another law enforcement operation or the group’s efforts to evade their own disgruntled affiliates.

Ransomware trackers have observed that AlphV has previously vanished and rebranded multiple times. Security researchers point out that earlier iterations of the group, operating under names like BlackCat, BlackMatter, and Darkside, were essentially the same collective.

AlphV Ransomware Is Adept at Forcing Victims to Pay

It is worth noting that the hackers operating under the Darkside alias were responsible for the ransomware attack on the Colonial Pipeline in 2021, which resulted in the shutdown of gas transportation across the Eastern Seaboard of the US and temporary fuel shortages in some East Coast cities.

In that case as well, the victims opted to pay the ransom demanded by the hackers.

“It was the hardest decision I’ve made,” Colonial’s CEO Joseph Blount later told a US congressional hearing.

Now, it seems, some of the same hackers may have forced yet another company to make that same hard decision.
