“For most US individuals out there doubting us, we probably have your personal data.”
This was the defiant statement from the cybercriminal group RansomHub, as reported by Wired, in response to a public frenzy of opinion around a ransomware attack against Change Healthcare, a revenue and payments management system for healthcare providers and customers in the United States.
The organisation was attacked by a different group back in February. As Wired reported, it wasn’t until April that Change Healthcare admitted it had indeed paid a ransom in response to that attack. That ransom payment, however, wasn’t the end of the story: patient data was leaked on the dark web after the settlement.
What kind of data was stolen?
While the specifics are unverified (at time of writing), stolen data is thought to include patient medical and dental records, details of payment claims, insurance details, and identity data including social security numbers. One of RansomHub’s claims has been that it holds healthcare data on active US military personnel.
It’s a damaging aftershock for Change Healthcare and its customers, as the organisation scrambles to stay on top of snowballing reports about the nature of the attack, and about prior knowledge that the data had been sold on by the original attackers.
In its statement, RansomHub has added fuel to the fire, further smearing Change Healthcare’s reputation (along with its partner companies) by saying that “processing of sensitive data for all of these companies is just something unbelievable.”
Pressure from all angles
This case shows how threat actors can work multiple angles at the same time – ultimately applying so much pressure that the target has little choice but to pay a ransom and appease the attackers.
RansomHub’s angles include:
Claiming to hold sensitive patient data (and high volumes of it).
Threatening to expose that data online or sell it on again.
Publicly criticising the organisation’s data management protocols in order to damage reputation.
Sparking pursuit of the victim by lawmakers and regulators, adding more pressure to explain the situation and demonstrate a clear strategy for managing it, even as the parameters of the situation itself remain unclear.
Forcing the organisation to spend large sums of money on handling all of the above: as of 31 March 2024, Change Healthcare reported spending USD 872 million on incident response.
Press coverage is a highly effective way to pile pressure onto a target organisation during a cybersecurity attack, so the growing media attention surrounding Change Healthcare is an intended outcome of RansomHub’s strategy.
All of this shines a light on one thing: the incredible scope, responsibility and complexity of a cybersecurity leader’s job. To be a strong CISO or leader you have to be good at a vast array of things, and be able to keep a cool head under pressure.
Every time we watch an attack like this unfold, it reaffirms our respect for the talented individuals we meet every year at Black Hat MEA. And it reminds us why we do what we do: because cybersecurity professionals need opportunities to network, learn from each other, and build their personal resilience within a community of people who know what the work is like.
P.S. Mark your calendars for the return of Black Hat MEA in November 2024. Want to be a part of the action? Register now!