ALPHV Ransomware: Analyzing the BlackCat After Change Healthcare Attack

The ALPHV ransomware group, also known as BlackCat, has emerged as a significant threat operating under a Ransomware-as-a-Service (RaaS) model. In February 2024 it attacked Change Healthcare, a subsidiary of UnitedHealth Group, causing a major healthcare data breach that affected over 100 million individuals. The incident prompted UnitedHealth to pay a ransom in the millions of dollars. This article explores the group's tactics, techniques, and procedures.

Affected: healthcare sector, UnitedHealth Group, Change Healthcare

Key points:

  • ALPHV/BlackCat has operated under a Ransomware-as-a-Service model since November 2021.
  • In February 2024, they attacked Change Healthcare, causing the largest healthcare data breach in U.S. history.
  • Over 100 million personal records were compromised, including health insurance member IDs and Social Security numbers.
  • UnitedHealth Group paid a ransom in the millions of dollars in response to the attack.
  • BlackCat uses advanced TTPs, including complex malware and open-source intelligence (OSINT) gathering to support initial access.
  • The group offers a lucrative profit-sharing model for affiliates, attracting more cybercriminals to use their ransomware.
  • Other major incidents attributed to BlackCat include attacks on Reddit and MGM Resorts.
  • The U.S. Department of State is offering multi-million-dollar rewards for information on the group's leaders.

MITRE ATT&CK Techniques:

  • Reconnaissance – T1598: Phishing for Information, used to gather details that later support initial access (T1598 is catalogued under Reconnaissance, not Initial Access).
  • Resource Development – T1586: Compromise Accounts; employees are manipulated into handing over network credentials.
  • Execution – T1059.003: Command and Scripting Interpreter: Windows Command Shell, used to execute the malware.
  • Defense Evasion – T1112: Modify Registry; registry settings are changed to optimize network operations for the attack (Modify Registry is a Defense Evasion technique, not Persistence).
  • Privilege Escalation – T1134: Access Token Manipulation, used to gain system-level privileges.
  • Initial Access / Persistence – T1078: Valid Accounts; stolen credentials are embedded in the ransomware's JSON configuration.
  • Defense Evasion – T1562.001: Impair Defenses: Disable or Modify Tools, used to hide activity. Note that disabling system recovery maps to T1490 (Inhibit System Recovery) and clearing logs to T1070.001 (Clear Windows Event Logs) rather than T1562.001.
  • Discovery – T1057: Process Discovery; running processes are enumerated to identify security software.
  • Impact – T1486: Data Encrypted for Impact, using AES encryption.
  • Impact – T1489: Service Stop; critical services are stopped to disrupt operations.

Indicators of Compromise:

  • [SHA256] 847fb7609f53ed334d5affbb07256c21cb5e6f68b1cc14004f5502d714d2a456
  • [MD5] 00C3F790F6E329530A6473882007C3E5
  • [MD5] 08FCF90499526A0A41797F8FDD67D107
  • [SHA1] 1B2A30776DF64FBD7299BD588E21573891DCECBE
  • [SHA1] 1D345799307C9436698245E7383914B3A187F1EC
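The hashes above are only useful if they are actually checked against what is running in an environment. The following is an added example, not code from the Picus article: it loads the IOC values listed on this page, normalizes the mixed-case digests, and matches them against a batch of constructed EDR/SIEM process records (the records, the image paths and the "benign" file bytes are made up for illustration). It also computes the same three digest types for raw file bytes so on-disk samples can be checked the same way. Keep in mind that hash IOCs are brittle: a recompiled or repacked affiliate build will not match, so this check complements, rather than replaces, the behavioural detections implied by the TTP list.

```python
"""Match file hashes against the ALPHV/BlackCat IOCs listed on this page.

Added example (not from the Picus article). The IOC values are the ones
listed above; the telemetry records and file bytes are constructed for
illustration only.
"""
import hashlib

# Hash IOCs exactly as listed on this page, normalized to lowercase.
ALPHV_IOCS = {
    "sha256": {
        "847fb7609f53ed334d5affbb07256c21cb5e6f68b1cc14004f5502d714d2a456",
    },
    "md5": {
        "00c3f790f6e329530a6473882007c3e5",
        "08fcf90499526a0a41797f8fdd67d107",
    },
    "sha1": {
        "1b2a30776df64fbd7299bd588e21573891dcecbe",
        "1d345799307c9436698245e7383914b3a187f1ec",
    },
}


def hash_bytes(data: bytes) -> dict:
    """Compute the three digest types used by the IOC list for a file's bytes."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def match_record(record: dict) -> list:
    """Return (algorithm, digest) pairs from one telemetry record that hit an IOC.

    Digest fields are compared case-insensitively; missing or non-string
    fields are skipped rather than raising, because real telemetry is often
    partial (e.g. only an MD5 is present).
    """
    hits = []
    for algo, known in ALPHV_IOCS.items():
        value = record.get(algo)
        if not isinstance(value, str):
            continue
        value = value.strip().lower()
        if value in known:
            hits.append((algo, value))
    return hits


def scan_records(records: list) -> list:
    """Scan a batch of records; return (record id, hits) for every match."""
    findings = []
    for rec in records:
        hits = match_record(rec)
        if hits:
            findings.append((rec.get("id"), hits))
    return findings


# Constructed telemetry: one record carries the page's second MD5 IOC in the
# uppercase form shown above, one carries the hash of a constructed benign
# file, and one has no hash field at all (a common gap in real feeds).
SAMPLE_RECORDS = [
    {"id": "evt-1", "image": "C:\\Users\\Public\\update.exe",
     "md5": "08FCF90499526A0A41797F8FDD67D107"},
    {"id": "evt-2", "image": "C:\\Windows\\System32\\notepad.exe",
     "sha256": hashlib.sha256(b"constructed benign file").hexdigest()},
    {"id": "evt-3", "image": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for rec_id, hits in scan_records(SAMPLE_RECORDS):
        print(rec_id, hits)  # only evt-1 should be reported
```

In practice the record batch would come from an EDR export or a SIEM query; feeding `hash_bytes(open(path, "rb").read())` into `match_record` covers files found on disk during incident response. Because each IOC set is a Python set, the lookup stays constant-time as the list grows.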

Full Story: https://www.picussecurity.com/resource/blog/alphv-ransomware