Change Healthcare Case: RansomHub – “AlphV has no data. We still expect that the UH company can buy this data”

Change Healthcare Case: RansomHub - "AlphV has no data. We still expect that the UH company can buy this data" 1

The data breach incident involving Change Healthcare (United Healthcare) persists to this day, despite two months having elapsed since healthcare offices, hospitals, and pharmacies in the United States ceased processing requests and receiving payments for several weeks due to a ransomware attack. This ongoing situation leaves numerous questions unanswered, doubts lingering, and has implicated two ransomware groups: AlphV/BlackCat and RansomHub.

According to information and data gathered by Dmitriy Smilianets and reported by vx-underground, AlphV purportedly received a ransom payment of $22M from Change Healthcare on March 1st. Shortly thereafter, AlphV ceased communication, having depleted their BTC wallet containing nearly $93M, and failed to fulfill the owed payment to its affiliate. Crucially, AlphV also failed to honor agreements made with Change Healthcare’s negotiator, resulting in the multinational company’s computer systems being rendered unusable. Notably, AlphV claimed ownership of 6TB of Change Healthcare’s data, a claim disputed by RansomHub.

In early April, RansomHub announced on its .onion blog that they possessed Change Healthcare’s data, specifically 4TB of highly sensitive documents. An article from the online publication WIRED suggested that the data could indeed be genuine.

[…] RansomHub initially declined to publish or provide WIRED any sample data from that stolen trove to prove its claim. But on Friday, a representative for the group sent WIRED several screenshots of what appeared to be patient records and a data-sharing contract for United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and later took its name […]

Many aspects of this incident remain unclear. Questions have arisen regarding RansomHub’s true identity and its potential connection to AlphV. There is speculation as to whether the data was initially accessible to an AlphV affiliate, and whether, following BlackCat’s actions, the same affiliate made it available to RansomHub.

Consequently, we sought to contact RansomHub to pose a series of questions aimed at better understanding their identity and obtaining their perspective on this case.

Below is the complete transcript of the questions and answers. – The first claims about your escape on your website date back to February of this year. Does this date truly correspond to the birth of your group, or did your activity start earlier?

RansomHub – Yes, we were founded in February, but we had a rich experience before that – RansomHub is a RaaS group where affiliates receive a much higher percentage on ransoms paid by victims compared to other groups, and this alone is unusual. But what struck us the most are the methods used for ransom distribution. The affiliate receives the entire sum paid by the victim, and it’s always the affiliate who pays 10% to your group. What is the real reason behind RansomHub’s decision to undertake this type of choice, perhaps the constant loss of credibility in the way ransomware groups operate?

RansomHub – We are trying to save the reputation of this industry, because there are many groups SCAM EXIT. We not only take this measure, we also have many other measures,In fact, these measures are effective, more team choose to join us – Your ransomware predominantly utilizes what are considered to be among the best and fastest encryption methods, ChaCha20 and XChaCha20 (symmetric algorithms), but it’s the code development that catches our attention. It’s been written in Go and C++. Why do you consider this programming language to be more secure and performant than others? Do you also believe that Go will become the only programming language used by ransomware groups in the near future?

RansomHub – Because this will make the program more compatible better without some errors – You have developed the ransomware to target the major operating systems and virtual machines used by victims, including ESXi – Linux – Windows. Among these, which do you consider to be the least reliable in terms of security, and in which did you encounter the most difficulties during the data encryption phases?

RansomHub – There is no difficulty. At present, our Locker has been tested in various cases. We have to say that we have not encountered any difficulties at present. We have also tested the Locker of other groups. If you talk about the difficult, their Locker encrypted ESXI This large data is very slow and often show error – Some journalists and researchers argue that RansomHub is nothing more than a rebranding of AlphV and that the first victims listed on the Tor website were “publicized” specifically when AlphV was still active, with the intention of masking the new activities of the group. What can you tell us about this?

RansomHub – We have already proved it, we are not them,If we are, there will be so many previous alliance of the Alphv to join us – On your .onion website, you set precise boundaries for your affiliates to adhere to in order to collaborate with your group, including a ban on attacking entities from specific geographic areas. Your statement “… we are only interested in dollars” implies that you are not politically motivated, but it’s difficult to understand when states such as CIS, Cuba, North Korea, and China are listed as areas where attacks are prohibited.

RansomHub – Maybe you should find that all RaaS groups are doing this – We would now like to ask you some questions regarding the “Change Healthcare case” (United Healthcare), which has been filling hundreds of pages of online newspapers these days and is also involving part of the U.S. politics.

What is your opinion on this case, and in your view, what responsibility does Change Healthcare bear regarding the poor protection and consequent loss of data, especially PHI and PII data of patients who have received medical treatment in their facilities?

RansomHub – As I said before, they should stop everything. Our alliance wants to sell data from the beginning, but we think we should give the company a chance – We have read that you have recently published an infinite amount of text-format data on your website related to administrative documents, contracts, messages… among these, unfortunately, sensitive documents of U.S. citizens. The data, we read, are now for sale. Do you believe, or hope, that this acceleration in publication time, if Change Healthcare does not pay the ransom, may encourage Change Healthcare to negotiate with you, or do you believe that selling them is now the only way to profit?

RansomHub – So everything has been messed up by some media, we can only sell it – As we know, a third of the data (2TB) were available to AlphV, and thanks to this data, the group was able to extort a ransom of 350 bitcoins ($22M), with the BTC wallet transaction occurring on March 1st. The amount of data your group has put up for sale is 4TB. Can you confirm that the total data exfiltrated from Change Healthcare is 6TB? Furthermore, can you confirm that the price is lower than what you initially demanded from the American medical company?

RansomHub – Alphv has no data, the payment is just to get the decryrator, the total of data is 4TB. We reached an agreement with the alliance and the data will only be sold once, which is beneficial to all of us, so we still expect that the UH company can buy this data, which is good for everyone – Don’t you think that targeting such important entities, where not only purely corporate business interests are at stake but also the interests of a nation at a political level, can inevitably undermine the security of a group and thus jeopardize its existence (we believe DarkSide and Colonial Pipeline are illustrative examples)?

RansomHub – As we mentioned in the blog, we are only interested in the $