Cyber Security News

Blackcat Behind Recent Cyber Attack, UnitedHealth Confirms

In the most recent update on the cyber attack targeting UnitedHealth, the company has confirmed the involvement of the notorious Blackcat ransomware group. UnitedHealth has acknowledged the severity of the situation, confirming its collaboration with law enforcement agencies and third-party consultants, Mandiant and Palo Alto Networks, to assess the full extent of the breach's impact on its customers and patients.

The unfolding of this event follows initial reports of a pronounced outage at UnitedHealth's technology arm, Change Healthcare, which led to disruptions in prescription fulfillment through patients’ insurance. Systems at Change Healthcare have been down since the day of the attack on February 21, affecting hospitals, healthcare providers and pharmacies across the United States. But the impact is far greater according to the American Hospital Association (AHA). In a letter to the U.S. Department of Health and Human Services, the AHA states “According to Change Healthcare, the company processes 15 billion health care transactions annually and touches 1 in every 3 patient records.” In addition to pharmacy operations, these transactions include clinical decision support and eligibility verifications, all of which have been impacted since the attack.

A message posted on a darknet platform linked to the Blackcat faction claimed responsibility for the extraction of eight terabytes of sensitive records from UnitedHealth, including medical insurance and health data, as reported by Reuters. However, this assertion was promptly removed from the platform without explanation, leaving cybersecurity experts and authorities in a scramble for verification. Reuters also reported that the assertion implicated other entities, including Medicare, Tricare, and CVS Health, heightening concerns about the scope of the breach.

The Blackcat ransomware group, which emerged in 2021 and is also known as ALPHV and Noberus, has garnered notoriety for its involvement in high-profile cyberattacks targeting various organizations across different sectors, including networks that support U.S. critical infrastructure.

Law Enforcement Intervenes With Blackcat Operations 

In December 2023, the U.S. Justice Department announced a Blackcat ransomware decryption tool, offered to over 500 victims worldwide. The announcement also described international law enforcement cooperation with agencies from the United Kingdom, Australia, Germany, Spain, and Denmark, which aided in the disruption of Blackcat’s operations through a takedown of its online infrastructure.

Roughly two months later, on February 15, 2024, the U.S. Department of State announced rewards of up to $15M for information about Blackcat: “The U.S. Department of State is offering a reward of up to $10,000,000 for information leading to the identification or location of any individual(s) who hold a key leadership position in the Transnational Organized Crime group behind the Blackcat ransomware variant. In addition, a reward offer of up to $5,000,000 is offered for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in ALPHV/Blackcat ransomware activities.”

The Cybersecurity and Infrastructure Security Agency (CISA) published a cybersecurity advisory on February 27, stating that since mid-December 2023, of the nearly 70 leaked Blackcat victims, the healthcare sector has been the primary target. This targeting is believed to be a response to a post by a Blackcat administrator encouraging affiliates to focus on hospitals, in retaliation for the takedown of the group’s infrastructure in December 2023.

As investigations into the breach continue, stakeholders must remain vigilant and proactive in fortifying cybersecurity defenses. The incident serves as a wake-up call for organizations across industries to prioritize cybersecurity resilience and invest in robust defense mechanisms. With the prevalence of ransomware attacks on the rise, cybersecurity experts urge vigilance and preparedness to mitigate risks and protect sensitive data from falling into the wrong hands.