
Change Healthcare hacked using stolen Citrix account with no MFA


4/30/24: Update added below about Change Healthcare Citrix credentials previously stolen by information-stealing malware.

UnitedHealth confirms that Change Healthcare’s network was breached by the BlackCat ransomware gang, who used stolen credentials to log into the company’s Citrix remote access service, which did not have multi-factor authentication enabled.

This was revealed in UnitedHealth CEO Andrew Witty’s written testimony published ahead of a House Energy and Commerce subcommittee hearing scheduled for tomorrow.

The ransomware attack on Change Healthcare occurred in late February 2024, leading to severe operational disruptions on Optum’s Change Healthcare platform.

This impacted a wide range of critical services used by healthcare providers across the U.S., including payment processing, prescription writing, and insurance claims, and caused financial damages estimated at $872 million.

Previously, the BlackCat ransomware gang was alleged to have received a $22 million ransom payment from UnitedHealth and then kept it from the affiliate who conducted the attack, in an exit scam. Shortly after, the affiliate claimed to still have the stolen data and partnered with RansomHub to make an additional extortion demand, leaking some of the data as leverage.

UnitedHealth recently admitted that it paid a ransom to protect people's data after the compromise, but it did not officially disclose any details about the attack or who carried it out.

RansomHub has since removed the Change Healthcare entry from its site, indicating that an additional ransom was paid.

An easy break-in

In his written testimony, Witty confirmed that the disruptive phase of the attack began on the morning of February 21, when the threat actors started encrypting systems and rendering them inaccessible to the organization's employees.

For the first time, the company also officially confirmed BleepingComputer’s report that the ALPHV/BlackCat ransomware operation was behind the attack.

While the public-facing impact began on February 21, Witty revealed that the attacker had been inside the company's network for approximately ten days before deploying their encryptors. During that time, the threat actors moved laterally through the network and exfiltrated corporate and patient data that would later be used in their extortion attempts.

The investigations, which are still ongoing, revealed that the attackers first gained access to Change Healthcare’s Citrix portal on February 12, 2024, using stolen employee…
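The initial-access pattern the article describes (a successful login to a remote-access portal with a credential that was already in an infostealer dump, no second factor, then days of dwell time before encryption) is something a SOC can hunt for directly in authentication logs. What follows is an added example written for this page; it is not code from the article, from BleepingComputer, from UnitedHealth or from Citrix. The log line format is a constructed, simplified stand-in and is not Citrix's real log format; the account names, IP addresses, the "stolen accounts" set and the impact timestamp are all invented for illustration.

```python
"""Hunt for single-factor remote-access logins that overlap with an infostealer dump.

Added example for this article. The log line format below is a constructed,
simplified stand-in and is NOT the real Citrix Gateway / NetScaler format;
the account names, IP addresses, stolen-account set and impact time are invented.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed line format (hypothetical):
#   <ISO-8601 UTC timestamp> user=<account> src=<ip> result=<success|failure> factors=<f1[+f2]>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure) "
    r"factors=(?P<factors>\S+)$"
)

# Constructed sample log: rsmith gets in with a password only from an address not
# seen before; akhan (also in the dump) fails; the other accounts complete an OTP.
SAMPLE_LOG = """\
2024-02-12T07:58:10Z user=jdoe src=198.51.100.23 result=success factors=password+otp
2024-02-12T08:04:41Z user=rsmith src=203.0.113.77 result=success factors=password
2024-02-12T08:05:02Z user=rsmith src=203.0.113.77 result=success factors=password
2024-02-13T22:17:55Z user=akhan src=192.0.2.9 result=failure factors=password
2024-02-14T09:30:00Z user=mlee src=198.51.100.23 result=success factors=password+otp
this line is malformed and must be skipped rather than crash the pipeline
"""

# Constructed: accounts seen in a recent infostealer log dump (hypothetical names).
STOLEN_ACCOUNTS = {"rsmith", "akhan"}

# Constructed: the moment encryption was first noticed, standing in for "impact".
IMPACT_TS = datetime(2024, 2, 21, 6, 0, 0)

# Factors we accept as a genuine second factor. "password" alone is single-factor.
MFA_FACTORS = {"otp", "push", "fido2"}


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src: str
    success: bool
    mfa: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse constructed-format lines; malformed lines are skipped, not fatal."""
    events: list[AuthEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        factors = set(m["factors"].split("+"))
        events.append(AuthEvent(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            user=m["user"],
            src=m["src"],
            success=m["result"] == "success",
            mfa=bool(factors & MFA_FACTORS),
        ))
    return events


def single_factor_logins(events: list[AuthEvent]) -> list[AuthEvent]:
    """Successful logins completed with a password only: the gap the article describes."""
    return [e for e in events if e.success and not e.mfa]


def accounts_without_mfa(events: list[AuthEvent]) -> set[str]:
    """Accounts that got in at least once with no second factor (enrollment gaps to close)."""
    return {e.user for e in single_factor_logins(events)}


def stolen_credential_logins(events: list[AuthEvent], stolen: set[str]) -> list[AuthEvent]:
    """Successful logins by accounts whose credentials are already in a stealer dump."""
    return [e for e in events if e.success and e.user in stolen]


def earliest_suspicious_login(events: list[AuthEvent], stolen: set[str]) -> AuthEvent | None:
    """Highest-priority hit: a password-only login by a stolen account. Returns the first."""
    hits = [e for e in single_factor_logins(events) if e.user in stolen]
    return min(hits, key=lambda e: e.ts) if hits else None


def dwell_time(events: list[AuthEvent], stolen: set[str], impact: datetime) -> timedelta | None:
    """Time between the earliest suspicious login and observed impact (e.g. encryption)."""
    first = earliest_suspicious_login(events, stolen)
    return impact - first.ts if first else None


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("accounts that logged in without MFA:", sorted(accounts_without_mfa(evs)))
    for e in stolen_credential_logins(evs, STOLEN_ACCOUNTS):
        print(f"stolen-credential login: {e.ts:%Y-%m-%d %H:%M} {e.user} from {e.src} mfa={e.mfa}")
    print("dwell time before impact:", dwell_time(evs, STOLEN_ACCOUNTS, IMPACT_TS))
```

The two lists serve different purposes: `accounts_without_mfa` is the hygiene report (every account that was able to log in on a password alone, regardless of who used it), while `earliest_suspicious_login` and `dwell_time` are the incident-scoping questions a responder asks once a stealer-dump match turns up, namely when the first foothold was taken and how long the intruder had before the encryptors ran. On real infrastructure the parser is the part to swap out for the product's actual log schema; the rest of the logic is schema-independent.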

This is an excerpt; the full original article is at BleepingComputer.