Actually, ransomware assaults on well being care targets have been on the rise even earlier than the Change Healthcare assault, which crippled the United Healthcare subsidiary’s skill to course of insurance coverage funds on behalf of its well being care supplier purchasers beginning in February of this 12 months. Recorded Future’s Liska factors out that each month of 2024 has seen extra well being care ransomware assaults than the identical month in any earlier 12 months that he is tracked. (Whereas this Could’s 32 well being care assaults is decrease than Could 2023’s 33, Liska says he expects the newer quantity to rise as different incidents proceed to come back to mild.)
But Liska nonetheless factors to the April spike seen in Recorded Future’s knowledge specifically as a probable follow-on impact of Change’s debacle—not solely the outsize ransom that Change paid to AlphV, but additionally the extremely seen disruption that the assault induced. “As a result of these assaults are so impactful, different ransomware teams see a possibility,” Liska says. He additionally notes that well being care ransomware assaults have continued to develop even in comparison with general ransomware incidents, which stayed comparatively flat or fell general: The primary 4 months of this 12 months, as an example, noticed 1,153 incidents in comparison with 1,179 in the identical interval of 2023.
When WIRED reached out to United Healthcare for remark, a spokesperson for the corporate pointed to the general rise in well being care ransomware assaults starting in 2022, suggesting that the general development predated Change’s incident. The spokesperson additionally quoted from testimony United Healthcare CEO Andrew Witty gave in a congressional listening to in regards to the Change Healthcare ransomware assault final month. “As we have now addressed the various challenges in responding to this assault, together with coping with the demand for ransom, I’ve been guided by the overriding precedence to do all the pieces potential to guard peoples’ private well being info,” Witty instructed the listening to. “As chief government officer, the choice to pay a ransom was mine. This was one of many hardest selections I’ve ever needed to make. And I wouldn’t want it on anybody.”
Change Healthcare’s deeply messy ransomware scenario was difficult additional—and made much more attention-grabbing for the ransomware hacker underworld—by the truth that AlphV seems to have taken Change’s $22 million extortion payment and jilted its hacker companions, disappearing with out giving these associates their lower of the earnings. That led to a extremely uncommon scenario the place the associates then provided the information to a unique group, RansomHub, which demanded a second ransom from Change whereas threatening to leak the information on its darkish web page.
That second extortion risk later inexplicably disappeared from RansomHub’s web site. United Healthcare has declined to reply WIRED’s questions on that second incident or to reply whether or not it paid a second ransom.
Many ransomware hackers nonetheless extensively imagine that Change Healthcare really paid two ransoms, says Jon DiMaggio, a safety researcher with cybersecurity agency Analyst1 who ceaselessly talks to members of ransomware gangs to assemble intelligence. “Everybody was speaking in regards to the double ransom,” DiMaggio says. “If the folks I’m speaking to are enthusiastic about this, it’s not a leap to assume that different hackers are as properly.”
The noise that scenario created, in addition to the dimensions of disruption to well being care suppliers from Change Healthcare’s downtime and its hefty ransom, served as the proper commercial for the profitable potential of hacking fragile, high-stakes well being care victims, DiMaggio says. “Well being care has all the time had a lot to lose, it’s simply one thing the adversary has realized now due to Change,” he says. “They simply had a lot leverage.”
As these assaults snowball—and a few well being care victims have seemingly forked over their very own ransoms to manage the harm to their life-saving techniques—the assaults aren’t prone to cease. “It’s all the time appeared like a straightforward goal,” DiMaggio notes. “Now it appears to be like like a straightforward goal that’s prepared to pay.”
Up to date 6/12/24 9:35am ET: This story has been up to date to mirror that ransomware incident totals comprise the fist 4 months of the 12 months, not simply April.
