The truth is, ransomware assaults on well being care targets have been on the rise even earlier than the Change Healthcare assault, which crippled the United Healthcare subsidiary’s skill to course of insurance coverage funds on behalf of its well being care supplier purchasers beginning in February of this yr. Recorded Future’s Liska factors out that each month of 2024 has seen extra well being care ransomware assaults than the identical month in any earlier yr that he is tracked. (Whereas this Could’s 32 well being care assaults is decrease than Could 2023’s 33, Liska says he expects the more moderen quantity to rise as different incidents proceed to return to gentle.)
But Liska nonetheless factors to the April spike seen in Recorded Future’s knowledge specifically as a probable follow-on impact of Change’s debacle—not solely the outsize ransom that Change paid to AlphV, but additionally the extremely seen disruption that the assault induced. “As a result of these assaults are so impactful, different ransomware teams see a chance,” Liska says. He additionally notes that well being care ransomware assaults have continued to develop even in comparison with total ransomware incidents, which stayed comparatively flat or fell total: The primary 4 months of this yr, as an illustration, noticed 1,153 incidents in comparison with 1,179 in the identical interval of 2023.
When WIRED reached out to United Healthcare for remark, a spokesperson for the corporate pointed to the general rise in well being care ransomware assaults starting in 2022, suggesting that the general development predated Change’s incident. The spokesperson additionally quoted from testimony United Healthcare CEO Andrew Witty gave in a congressional listening to concerning the Change Healthcare ransomware assault final month. “As we now have addressed the numerous challenges in responding to this assault, together with coping with the demand for ransom, I’ve been guided by the overriding precedence to do every little thing doable to guard peoples’ private well being data,” Witty instructed the listening to. “As chief govt officer, the choice to pay a ransom was mine. This was one of many hardest choices I’ve ever needed to make. And I wouldn’t want it on anybody.”
Change Healthcare’s deeply messy ransomware state of affairs was sophisticated additional—and made much more attention-grabbing for the ransomware hacker underworld—by the truth that AlphV seems to have taken Change’s $22 million extortion charge and jilted its hacker companions, disappearing with out giving these associates their lower of the earnings. That led to a extremely uncommon state of affairs the place the associates then supplied the information to a distinct group, RansomHub, which demanded a second ransom from Change whereas threatening to leak the data on its dark web site.
That second extortion menace later inexplicably disappeared from RansomHub’s website. United Healthcare has declined to reply WIRED’s questions on that second incident or to reply whether or not it paid a second ransom.
Many ransomware hackers nonetheless extensively consider that Change Healthcare truly paid two ransoms, says Jon DiMaggio, a safety researcher with cybersecurity agency Analyst1 who incessantly talks to members of ransomware gangs to assemble intelligence. “Everybody was speaking concerning the double ransom,” DiMaggio says. “If the individuals I’m speaking to are enthusiastic about this, it’s not a leap to assume that different hackers are as nicely.”
The noise that state of affairs created, in addition to the dimensions of disruption to well being care suppliers from Change Healthcare’s downtime and its hefty ransom, served as the proper commercial for the profitable potential of hacking fragile, high-stakes well being care victims, DiMaggio says. “Well being care has all the time had a lot to lose, it’s simply one thing the adversary has realized now due to Change,” he says. “They simply had a lot leverage.”
As these assaults snowball—and a few well being care victims have possible forked over their very own ransoms to manage the harm to their life-saving programs—the assaults aren’t prone to cease. “It’s all the time seemed like a straightforward goal,” DiMaggio notes. “Now it seems like a straightforward goal that’s prepared to pay.”
Up to date 6/12/24 9:35am ET: This story has been up to date to mirror that ransomware incident totals comprise the fist 4 months of the yr, not simply April.
