Change Healthcare cyberattack persists–is the BlackCat gang back and using LockBit malware? BlackCat taking credit. (update 28 Feb #2)

On Day 7, reports, like recollections, may differ. Today’s Reuters report (26 Feb) attributes the attack on Change Healthcare, which has snarled pharmacies and hospitals since Wednesday [TTA 23 Feb], to a revived BlackCat (a/k/a ALPHV) ransomware operation. Readers will recall that the FBI busted BlackCat right before Christmas last year, seizing their operational darknet websites and putting up a most showy home screen. They worked their way into the BlackCat operation via their affiliate operation. However, BlackCat rebooted a few days later, made an appearance, and went back underground. As Bleeping Computer predicted then, BlackCat is apparently back and, adding insult, not even under a new name. 

Bleeping Computer today reported that BlackCat’s hack went through a critical ConnectWise ScreenConnect auth bypass flaw (CVE-2024-1708 and 1709) which was actively exploited in attacks to deploy ransomware on unpatched servers. This was confirmed by Reuters and Health-ISAC, a healthcare-focused organization engaged in cyber best practices and threat intelligence, via the American Hospital Association’s AHA Cybersecurity Advisory today (26 Feb). AHA is advising healthcare organizations to actively reevaluate their connection or disconnection status of Change Healthcare systems which have been deemed safe by Optum.

As of today, BlackCat did not claim credit for taking down Change’s systems nor is there any report of a ransom demand. It is perhaps too early to determine if there has been any data theft. Nor are there reports of other healthcare or other organizations being attacked through the ScreenConnect flaw.

Optum has a page detailing the status of Change Healthcare’s individual systems here. Optum has a statement that has remained nearly the same on issues with connectivity since last Wednesday.* This Editor’s experience of the page is that it needs refreshing to view the full version. Regarding the systems, they are a long list to scroll through and your Editor lost count after 100. Most have red Xs by them. Some systems are checked green. Change is also holding Zoom calls to update partners. Reuters reported that Alphabet’s cybersecurity unit Mandiant is in charge of investigating the attack.

Change Healthcare processes 15 billion healthcare claims annually. This attack seems to have hit their pharmacy software the hardest. These software tools are used to verify patient eligibility for specific medication and also their insurance coverage. The outage not only covers the big chains like CVS and Walgreens, but also Tricare and the Military Health System (MHS) globally. TTA 22 Feb, updated 23 Feb.

A Friday report in SC Magazine indicated that the malware used by BlackCat was a strain of LockBit malware delivered through the ConnectWise ScreenConnect bypass flaw. Their source, Toby Goucker, chief security officer at First Health Advisory, stated that their firm found the ScreenConnect flaws and sent out a notification on 19 February. Goucker noted that bad actors prey on the gap between when these vulnerabilities are uncovered and announced and when patches are actually applied. However, Goucker was not able to confirm that Change uses ScreenConnect.

Ironically, the LockBit ransomwareistes were busted only last week by a combined UK NCA and US DOJ/FBI effort. Like weeds, they never go away entirely.

Oddly, Change Healthcare’s website home page does not have a notice about their problem or direct to a page on their or UHG’s site about it for assistance. We know you’re busy, guys, but from this Editor’s marketing perspective not having an information banner and redirect to the Optum page is a basic communication failure.

**This is a developing story and will be updated.**

*Update 27 Feb 9am Eastern Time.

A repeat of Optum’s boilerplate statement on their page today indicates this cyberattack is still unresolved for most of Change Healthcare–and will remain unresolved at least through today:

Update – Change Healthcare is experiencing a cyber security issue, and our experts are working to address the matter. Once we became aware of the outside threat, and in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact. This action was taken so our customers and partners do not need to. We have a high-level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue.

We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online. We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect. The disruption is expected to last at least through the day. We will provide updates as more information becomes available.
Feb 27, 2024 – 09:03 EST

Identical message 28 Feb 10:48am ET indicating that the effects of this attack are now one week old.

Updated 28 Feb: DataBreaches.net (“The Office of Inadequate Security”) reports that BlackCat is taking credit for it.

“BlackCat informed DataBreaches that yes, they are responsible for the attack. DataBreaches has asked them if they are willing to share any additional details and will update this post if any are received.”

This Editor is also following coverage in the usually reliable The Register which added a reply they obtained from Optum: “Since identifying the cyber incident, we have worked closely with customers and clients to ensure people have access to the medications and the care they need. We also continue to work closely with law enforcement and a number of third parties, including Mandiant and Palo Alto Networks, on this attack against Change Healthcare’s systems.” They are not confirming the perpetrators. 

#2 update from DataBreaches may point to Change Healthcare as well as healthcare in general. Here is part of a Cybersecurity Advisory (CSA) that is an ongoing #StopRansomware effort by the Cybersecurity and Infrastructure Security Agency (CISA). CISA was joined by the FBI and interestingly, the Department of Health and Human Services (HHS). They “are releasing this joint CSA to disseminate known IOCs and TTPs associated with the ALPHV Blackcat ransomware as a service (RaaS) identified through FBI investigations as recently as February 2024.” The addition of HHS as well as February 2024 should be noted. “FBI, CISA, and HHS encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ALPHV Blackcat ransomware and data extortion incidents.” Could this be behind what is going on at Change Healthcare–a BlackCat full-court press versus US healthcare?

And at least one major hospital CEO wants answers now. Tampa General Hospital CEO John Couris went up to Optum’s CEO Amar Desai in the speaker room at the ViVE conference in Los Angeles on Monday, and the answer was far less than satisfactory. “And his answer to me was, ‘We’ll have an update in two days.’ So I don’t think he knows.” Mr. Couris speculates that Change Healthcare will 1) not pay ransom and 2) will rebuild its systems in maybe four weeks–and how that puts hospitals like his that use Change as a clearing house for claims in, to put it mildly, a pickle. MedCityNews

Mid-week roundup: Cotiviti’s $10.5B stake to KKR; Cigna buys back $3.2B shares; VA Oracle Cerner faulty med records; LockBit ransomware websites cold-busted at every level, principals indicted; Trualta partners with PointClickCare

Investor KKR announced their buy of a $10.5 billion stake in healthcare analytics Cotiviti. The stake comes from Veritas Capital, creating an equal share of ownership. The recapitalization will be used for commercial expansion, new product development, and technology-related opportunities. It is expected to close subject to regulatory approvals in Q2 this year. According to Axios and Bloomberg, it is financed by a $5 billion leveraged loan sale launched last week, with a $4.4 billion floating rate term loan led by JPM and a $600 million fixed rate term loan led by Goldman Sachs. This is Veritas’ second attempt to exit. While money is leaking back into private equity deals, the new trend is to finance them with more cash than debt. Cotiviti release

Cigna, having sold off its Medicare Advantage plans for $3.7 million to HCSC, is repurchasing $3.2 billion in stock (7.6 million shares) through agreements with Deutsche Bank and Bank of America. Cigna’s plan remains to repurchase $5 billion of common stock over H1 2024 after ending merger talks with Humana. FierceHealthcare, Cigna release

VA warned about faulty medication records in the Oracle Cerner Millennium EHR. The culprit is in the Health Data Repository, according to a government watchdog. David Case, deputy inspector general for the VA, reported at a House Veterans Affairs Committee Technology Modernization Subcommittee meeting last week that, while VA had no reports of harmful drug interactions, Case cited at least one instance of a veteran who was not given a critical medication for adrenal insufficiency, leading to a near-disastrous outcome. The VA has also not informed the 250,000 veterans with prescription records in the Oracle Cerner system that the records may have errors. In the VA facilities that have Oracle Cerner, providers, pharmacists, and frontline staff must perform complex manual medication safety checks to replace automated checks.

The Oracle Cerner rollout has been put on hold till summer this year–maybe [TTA 1 Nov 23]. At this hearing, Mike Sicilia of Oracle did show up and attributed the problems in the HDR to data flowing into Oracle Cerner from multiple systems, including VistA and other EHRs. However, after 10 separate fixes, the most recent software update showed a similar data issue during final testing and was quickly pulled. Military.com

A victory versus ransomware. Updated. The LockBit ransomware group has been cold-busted “at every level” by the UK, US, and international law enforcement. According to the Department of Justice release and other sources, the UK’s National Crime Agency’s (NCA) Cyber Division led Operation Cronos, working in cooperation with the Justice Department, Federal Bureau of Investigation (FBI), and other law enforcement agencies worldwide. They seized numerous public-facing websites and domains used by LockBit to connect to the organization’s infrastructure along with servers used by LockBit administrators. Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, were indicted in the US District Court of New Jersey in Newark, charged with deploying LockBit against numerous victims throughout the United States. Sungatov was also indicted in the Northern District of California. According to Europol, “Two LockBit actors have been arrested in Poland and Ukraine at the request of the French judicial authorities. The French and US judicial authorities have also issued three international arrest warrants and five indictments.” LockBit’s ‘heart’ is of course in Russia, where nearly all cybercrime is located–they are free to operate there as long as they don’t target anything in RU. Cybernews

Trualta partners with PointClickCare for family caregiver education and support. PointClickCare is a leading EHR for long-term and post-acute care (LTPAC) providers. Trualta provides educational resources to support family caregivers when a patient is discharged through logging in to the resource site, with the ability to access articles, videos, and modules that cover a variety of care topics including preparing for discharge, transitioning from hospital to home, and life after discharge. Trualta’s information will be offered through PointClickCare’s Marketplace. A recent study by Trualta of caregivers using their materials found that 30 days of Trualta use can decrease annual unexpected hospital visits among care recipients by 20%. Trualta release