As spotted by @zackwhittaker, Change Healthcare outage (still ongoing) is listed as suspected nation state threat actor in their 8-K filing.
In my experience it’s extremely rare to isolate the whole production network for nation state and espionage.. I don’t know what happened to trigger that here.
Since the Change Healthcare ransomware incident started several weeks ago, they've had a status page saying the incident will continue for 'the next day'.
Their COO has privately briefed orgs that will be "weeks" longer.
Some good reporting here - the NCA, who are listed on the AlphV portal as being involved in a takedown - say they were not involved in a takedown.
We’ll see what the FBI says, but it looks like AlphV may well have done rug pull aka exit scam — stole their operator and affiliate’s money and left their victims without decryption.
For anybody wondering on the financial impact of the ongoing Change Healthcare ransomware incident (yes, obviously there’s also a big patient impact too):
The bad news is I think ransomware groups will cause much bigger problems further down the line as they’re basically teenagers with rocket launchers inside critical infrastructure, blindly firing. They know governments worldwide are impotent.
Btw if anybody is wondering how Change Healthcare got breached, I have a draft IR report for their incident as somebody put it on a public sandbox - it’s just a standard ransomware incident. EquiLend’s IOCs are also publicly uploaded, same story.
@GossiTheDog One part I haven't gotten about all this is did they actually unlock the ransomed data? Or did they take the money and run leaving it all still inaccessible? Its possible I may have missed it somewhere.
The Change Heathcare ransomware incident is still going and is having profound implications for people and the healthcare industry across the US.
But for people who think this is an isolated incident, it isn’t - it’s been like this for several years where civil society is gradually being eroded by some gangs of often kids, from schools to councils to public services worldwide (except, er, Russia).
HT to @zackwhittaker, the US department of health has opened an investigation into Change Healthcare around if data exfiltration occurred.
It’s typically very easy to find out if data exfil happened as a third party as you can see large volumes of data transfer to VPS providers or cloud storage providers in ISP logs (which are sold onwards).
Ransomhub #ransomware group are claiming AlphV stole their money for Change Healthcare (this is believed to be true btw), and the operator has given them the data. So now they’re extorting Change Healthcare again. #threatintel
Change Healthcare have told investors they have so far taken a $872 million hit in dealing with their ongoing ransomware incident in the first two months, with the cost expected to rise to between $1350m-$1600m through the calendar year.
Shareholders don't appear to care as the stock is up 5% since the update.
@GossiTheDog really puts "there's no such thing as bad publicity" in perspective. also the fact that the stock market is unhinged and completely detached from any notion of being a representation of a business' worth, finances, or operational status.
Change Healthcare didn’t use MFA on Citrix Netscaler. It was a bog standard ransomware incident.
One learning for the industry btw - I saw loads of threat intel channels circulating incorrect info about the incident. That’s fine, but some (eg the health info sharing authorities) reshared this wrong info.
The CEO of UnitedHealth is due to give testimony in Washington on their Change Healthcare ransomware incident tomorrow, where he will say “Our company alone repels an attempted intrusion every 70 seconds – thwarting more than 450,000 intrusions per year”
That sound impressive, but if you own a Windows PC at home, you’re doing the same thing - it’s called the built in firewall.
Not having MFA on Citrix Netscaler is also called negligence.
@GossiTheDog I'm enjoying the same copy/paste update every two hours. Don't blame them, though. It can take a while to even have half an idea of what's going on.
Add comment