UnitedHealth Group recently announced that an affiliated technology unit, Change Healthcare, suffered a cyberattack attributed to the BlackCat ransomware group. The attack disrupted insurance transactions and electronic pharmacy refills. In response, the American Hospital Association has advised healthcare entities to remain vigilant and monitor for signs of risk.

Security leaders weigh in:

Ariel Parnes, COO and Co-Founder at Mitiga:

“In the fight against cybercrime, the state holds a critical position, employing national capabilities like intelligence, law enforcement, and international collaboration to shield against digital threats. Recently, we have seen the use of offensive cyber tactics as part of the arsenal, aiming to damage criminals' cyber capabilities and prevent their criminal activities. This method was highlighted in the disruption of the BlackCat ransomware by the FBI, which unfortunately led to the group intensifying their operations, as shown in their recent attack on UnitedHealth's tech unit.

“These cybercrime groups are resilient, often lacking a central vulnerability, which allows them to swiftly recover from attacks. Despite this, the emergence of such action-reaction dynamics in cyber confrontations should not dissuade nations from utilizing their defensive capabilities. A more effective approach involves a multidimensional, international campaign. This strategy should integrate offensive cyber countermeasures with traditional tools of national power, fostering a collective defense against cyber threats. Emphasizing cooperation and comprehensive efforts, this approach is pivotal for a robust defense against the evolving landscape of cybercrime.”

Nic Finn, Senior Threat Intelligence Consultant at GuidePoint Security:

“Following December’s law enforcement disruption of their data leak site, Alphv, also known as BlackCat, has vowed increasingly aggressive actions and removed ostensible restrictions on targeting critical infrastructure and healthcare.

“While Alphv may have notionally prohibited targeting such organizations in the past, the group has been actively attacking healthcare organizations for a while now, with several large healthcare providers and networks impacted in 2023. Of the attacks impacting healthcare we observed in 2023, Alphv was responsible for nearly 10%, second only to LockBit.

“While we have seen several healthcare organizations impacted by Alphv in 2024, it remains to be seen whether this is an intentional increase representative of deliberate targeting or just continued operations as usual, pursuing vulnerable targets of opportunity and exploiting frequent weaknesses in health organization networks. Healthcare organizations make attractive targets for ransomware groups due to the sensitivity and value of Personally Identifiable Information and Protected Health Information, which both increase extortive leverage over victims and the value of data for sale to other actors should the victim not pay.

“More than perhaps any other group, Alphv has exhibited a particularly aggressive approach to public statements, routinely ridiculing victims and their associated incident responders and calling out alleged security shortcomings, which is likely intended as much as a coercive lever and ‘final warning’ to the victims as it is a signal to future victims of the consequences of non-compliance.”

Scott Small, Director of Cyber Threat Intelligence at Tidal Cyber:

“The BlackCat group claimed Change Healthcare as a victim, and the company confirmed that cybercriminal actors are behind a recent cybersecurity incident, changing course from a previous statement that blamed nation-state hackers for the attack.

“U.S. authorities announced they disrupted BlackCat’s operations late last year, but the group has recently returned to claiming attacks against new victims. A confirmed attack against a major healthcare organization would be the strongest indication that the ransomware group has resumed its activities.

“BlackCat was the second most active ransomware gang in terms of claimed victims last year, threatening organizations in virtually every primary sector. December’s disruption operation may have temporarily or partially changed the group’s operational ability, but defenders across the community should note a confirmed return.”