Hackers Behind the Change Healthcare Ransomware Attack Just Received a $22 Million Payment

The ransomware attack targeting medical firm Change Healthcare has been one of the most disruptive in years, crippling pharmacies across the US—including those in hospitals—and leading to serious snags in the delivery of prescription drugs nationwide for 10 days and counting. Now, a dispute within the criminal underground has revealed a new development in that unfolding debacle: One of the partners of the hackers behind the attack points out that those hackers, a group known as AlphV or BlackCat, received a $22 million transaction that looks very much like a large ransom payment.

On March 1, a Bitcoin address connected to AlphV received 350 bitcoins in a single transaction, or close to $22 million based on exchange rates at the time. Then, two days later, someone describing themselves as an affiliate of AlphV—one of the hackers who work with the group to penetrate victim networks—posted to the cybercriminal underground forum RAMP that AlphV had cheated them out of their share of the Change Healthcare ransom, pointing to the publicly visible $22 million transaction on Bitcoin’s blockchain as proof.

That suggests, according to Dmitry Smilyanets, the researcher for security firm Recorded Future who first spotted the post, that Change Healthcare has likely paid AlphV’s ransom. “You can see the number of coins that landed there. You don’t see that kind of transaction so often,” Smilyanets says. “There’s proof of a large amount landing in the AlphV-controlled Bitcoin wallet. And this affiliate connects this address to the attack on Change Healthcare. So it’s likely that the victim paid the ransom.”

A spokesperson for Change Healthcare, which is owned by UnitedHealth Group, declined to answer whether it had paid a ransom to AlphV, telling WIRED only that “we are focused on the investigation right now.”

Both Recorded Future and TRM Labs, a blockchain analysis firm, connect the Bitcoin address that received the $22 million payment to the AlphV hackers. TRM Labs says it can link the address to payments from two other AlphV victims in January.

If Change Healthcare did pay a $22 million ransom, it would not only represent a huge payday for AlphV, but also a dangerous precedent for the health care industry, argues Brett Callow, a ransomware-focused researcher with security firm Emsisoft. Every ransomware payment, he says, both funds future attacks by the group responsible and suggests to other ransomware predators that they should try the same playbook—in this case, attacking health care services that patients depend on.

“If Change did pay, it’s problematic,” says Callow. “It highlights the profitability of attacks on the health care sector. Ransomware gangs are nothing if not predictable: If they find a particular sector to be lucrative, they’ll attack it over and over again, rinse and repeat.”

The self-described AlphV affiliate who first posted evidence of the payment on RAMP, and who goes by the name “notchy,” complained that AlphV had apparently collected the $22 million ransom from Change Healthcare and then kept the entire sum, rather than share the profits with their hacking partner as they had allegedly agreed. “Be careful everyone and stop deal with ALPHV,” notchy wrote.