Select Page
Change Healthcare Faces Another Ransomware Threat—and It Looks Credible

Change Healthcare Faces Another Ransomware Threat—and It Looks Credible

For months, Change Healthcare has faced an immensely messy, months-long ransomware debacle that has left hundreds of pharmacies and medical practices across the United States unable to process claims. Now, thanks to an apparent dispute within the ransomware criminal ecosystem, it may have just become far messier still.

Last month, the ransomware group AlphV, which had claimed credit for encrypting Change Healthcare’s network and threatened to leak reams of the company’s sensitive health care data, received a $22 million payment—evidence, publicly captured on Bitcoin’s blockchain, that Change Healthcare had very likely caved to its tormentors’ ransom demand, though the company has yet to confirm that it paid. But in a new definition of a worst-case ransomware, a different ransomware group claims to be holding Change Healthcare’s stolen data and is demanding a payment of their own.

Since Monday, RansomHub, a relatively new ransomware group, has posted to its dark-web site that it has 4 terabytes of Change Healthcare’s stolen data, which it threatened to sell to the “highest bidder” if Change Healthcare didn’t pay an unspecified ransom. RansomHub tells WIRED it is not affiliated with AlphV and “can’t say” how much it’s demanding as a ransom payment.

RansomHub initially declined to publish or provide WIRED any sample data from that stolen trove to prove its claim. But on Friday, a representative for the group sent WIRED several screenshots of what appeared to be patient records and a data-sharing contract for United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and later took its name.

While WIRED could not fully confirm RansomHub’s claims, the samples suggest that this second extortion attempt against Change Healthcare may be more than an empty threat. “For anyone doubting that we have the data, and to anyone speculating the criticality and the sensitivity of the data, the images should be enough to show the magnitude and importance of the situation and clear the unrealistic and childish theories,” the RansomHub contact tells WIRED in an email.

Change Healthcare didn’t immediately respond to WIRED’s request for comment on RansomHub’s extortion demand.

Brett Callow, a ransomware analyst with security firm Emsisoft, says he believes AlphV did not originally publish any data from the incident, and the origin of RansomHub’s data is unclear. “I obviously don’t know whether the data is real—it could have been pulled from elsewhere—but nor do I see anything that indicates it may not be authentic,” he says of the data shared by RansomHub.

Jon DiMaggio, chief security strategist at threat intelligence firm Analyst1, says he believes RansomHub is “telling the truth and does have Change HealthCare’s data,” after reviewing the information sent to WIRED. While RansomHub is a new ransomware threat actor, DiMaggio says, they are quickly “gaining momentum.”

If RansomHub’s claims are real, it will mean that Change Healthcare’s already catastrophic ransomware ordeal has become a kind of cautionary tale about the dangers of trusting ransomware groups to follow through on their promises, even after a ransom is paid. In March, someone who goes by the name “notchy” posted to a Russian cybercriminal forum that AlphV had pocketed that $22 million payment and disappeared without sharing a commission with the “affiliate” hackers who typically partner with ransomware groups and often penetrate victims’ networks on their behalf.

How a Right-Wing Controversy Could Sabotage US Election Security

How a Right-Wing Controversy Could Sabotage US Election Security

It remains unclear how many of Warner’s colleagues agree with him. But when WIRED surveyed the other 23 Republican secretaries who oversee elections in their states, several of them said they would continue working with CISA.

“The agency has been beneficial to our office by providing information and resources as it pertains to cybersecurity,” says JoDonn Chaney, a spokesperson for Missouri’s Jay Ashcroft.

South Dakota’s Monae Johnson says her office “has a good relationship with its CISA partners and plans to maintain the partnership.”

But others who praised CISA’s support also sounded notes of caution.

Idaho’s Phil McGrane says CISA is doing “critical work … to protect us from foreign cyber threats.” But he also tells WIRED that the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), a public-private collaboration group that he helps oversee, “is actively reviewing past efforts regarding mis/disinformation” to determine “what aligns best” with CISA’s mission.

Mississippi’s Michael Watson says that “statements following the 2020 election and some internal confidence issues we’ve since had to navigate have caused concern.” As federal and state officials gear up for this year’s elections, he adds, “my hope is CISA will act as a nonpartisan organization and stick to the facts.”

CISA’s relationships with Republican secretaries are “not as strong as they’ve been before,” says John Merrill, who served as Alabama’s secretary of state from 2015 to 2023. In part, Merrill says, that’s because of pressure from the GOP base. “Too many conservative Republican secretaries are not just concerned about how the interaction with those federal agencies is going, but also about how it’s perceived … by their constituents.”

Free Help at Risk

CISA’s defenders say the agency does critical work to help underfunded state and local officials confront cyber and physical threats to election systems.

The agency’s career civil servants and political leaders “have been outstanding” during both the Trump and Biden administrations, says Minnesota secretary of state Steve Simon, a Democrat.

Others specifically praised CISA’s coordination with tech companies to fight misinformation, arguing that officials only highlighted false claims and never ordered companies to delete posts.

“They’re just making folks aware of threats,” says Arizona’s Democratic secretary of state, Adrian Fontes. The real “bad actors,” he says, are the people who “want the election denialists and the rumor-mongers to run amok and just spread out whatever lies they want.”

If Republican officials begin disengaging from CISA, their states will lose critical security protections and resources. CISA sponsors the EI-ISAC, which shares information about threats and best practices for thwarting them; provides free services like scanning election offices’ networks for vulnerabilities, monitoring those networks for intrusions and reviewing local governments’ contingency plans; and convenes exercises to test election officials’ responses to crises.

“For GOP election officials to back away from [CISA] would be like a medical patient refusing to accept free wellness assessments, check-ups, and optional prescriptions from one of the world’s greatest medical centers,” says Eddie Perez, a former director for civic integrity at Twitter and a board member at the OSET Institute, a nonprofit group advocating for improved election technology.

Anne Neuberger, a Top White House Cyber Official, Is Staying Surprisingly Optimistic

Anne Neuberger, a Top White House Cyber Official, Is Staying Surprisingly Optimistic

The fact that in 2023 we’re rolling out mandated minimum cybersecurity practices for the first time in critical infrastructure—we’re one of the last countries to do that.

Building in the red-teaming, the testing, the human-in-the-loop before those models are deployed is a core lesson learned from cybersecurity that we want to make in the AI space.

In the AI executive order, regulators were tasked to determine where their existing regulations—let’s say for safety—already account for the risks around AI, and where are there deltas? Those first risk assessments have come in, and we’re going to use those both to inform the Hill’s work and also to think about how we roll those into the same cybersecurity minimum practices that we just talked about that regulators are doing.

Where are you starting to see threat actors actually use AI in attacks on the US? Are there places where you’re seeing this technology already being deployed by threat actors?

We mentioned voice cloning and deepfakes. We can say we’re seeing some criminal actors—or some countries—experimenting. You saw FraudGPT that ostensibly advances criminal use cases. That’s about all we can say we’re releasing right now.

You have been more engaged recently on autonomous vehicles. What’s drawn your interest there?

There’s a whole host of risks that we have to look at, the data that’s collected, patching—bulk patches, should we have checks to ensure they’re safe before millions of cars get a software patch? The administration is working on an effort that probably will include both some requests for input as well as assessing the need for new standards. Then we’re looking very likely in the near term to come up with a plan to test those standards, ideally in partnership with our European allies. This is something we both care about, and it’s another example of “Let’s get ahead of it.”

You already see with AVs large amounts of data being collected. We’ve seen a few states, for example, that have given approval for Chinese car models to drive around and collect. We’re taking a look at that and thinking, “Hold on a second, maybe before we allow this kind of data collection that can potentially be around military bases, around sensitive sites, we want to really take a look at that more carefully.” We’re interested both from the perspective of what data is being collected, what are we comfortable being collected, as well as what new standards are needed to ensure American cars and foreign-made cars are built safely. Cars used to be hardware, and they’ve shifted to including a great deal of software, and we need to reboot how we think about security and long-term safety.

You’ve also been working a lot on spectrum—you had a big gathering about 6G standards last year. Where do you see that work going, and what are the next steps?

First, I would say there’s a domestic and an international part. It comes from a foundational belief that wireless telecommunications is core to our economic growth—it’s both manufacturing robotics in a smart manufacturing factory, and then I just went to CES and John Deere was showing their smart tractors, where they use connectivity to adjust irrigation based on the weather. On the CES floor, they noted that integrating AI in agriculture requires changes to US policies on spectrum. I said, “I don’t understand, America’s broadband plan deploys to rural sites.” He said, “Yeah, you’re deploying to the farm, but there’s acres and acres of fields that have no connectivity. How are we going to do this stuff?” I hadn’t expected to get pinged on spectrum there, on the floor talking about tractors. But it shows how it’s core to what we want to do—this huge promise of drones monitoring electricity infrastructure after storms and determining lines are down to make maintenance far more efficient, all of that needs connectivity.

Big-Name Targets Push Midnight Blizzard Hacking Spree Back Into the Limelight

Big-Name Targets Push Midnight Blizzard Hacking Spree Back Into the Limelight

Microsoft and Hewlett-Packard Enterprise (HPE) both recently disclosed that they suffered corporate email breaches at the hands of Russia’s “Midnight Blizzard” hackers.

The group, which is tied to the Kremlin’s SVR foreign intelligence, is specifically linked to SVR’s APT 29 Cozy Bear, the gang that meddled in the United States 2016 presidential election, has conducted aggressive government and corporate espionage around the world for years, and was behind the infamous 2021 SolarWinds supply chain attack. While both HP’s and Microsoft’s breaches came to light within days of each other, the situation mainly illustrates the ongoing reality of Midnight Blizzard’s international espionage activities and the lengths it will go to to find weaknesses in organizations’ digital defenses.

“We shouldn’t be surprised that Russian intelligence-backed threat actors, and SVR in particular, are targeting tech companies like Microsoft and HPE. With organizations that size, it would be a much bigger surprise to learn they weren’t,” says Jake Williams, a former US National Security Agency hacker and current faculty member at the Institute for Applied Network Security.

HP Enterprise said in a US Securities and Exchange Commission submission posted on Wednesday that Midnight Blizzard gained access to its “cloud-based email environment” last year. The company first learned about the situation on December 12, 2023, but said that the attack began in May 2023. Hackers “accessed and exfiltrated data … from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,” the company wrote in the SEC filing. HP Enterprise said the breach likely came about as the result of another incident, discovered in June 2023, in which Midnight Blizzard also accessed and exfiltrated company “SharePoint” files beginning as early as May 2023. SharePoint is a much-targeted cloud collaboration platform made by Microsoft that integrates with Microsoft 365.

“The accessed data is limited to information contained in the HPE users’ email boxes,” HP Enterprise spokesperson Adam Bauer told WIRED in a statement. “We continue to investigate and analyze these mailboxes to identify information that could have been accessed and will make appropriate notifications as required.”

Meanwhile, Microsoft said on Friday that it detected a system intrusion on January 12 tied to a November 2023 breach. The attackers targeted and compromised some historic Microsoft system test accounts that then allowed them to access “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.” From there the group was able to exfiltrate “some emails and attached documents.” Microsoft noted in its disclosure that the attackers appeared to be seeking information about Microsoft’s investigations and knowledge of Midnight Blizzard itself.

“The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems,” the company wrote in its disclosure. “This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard.”

A Bloody Pig Mask Is Just Part of a Wild New Criminal Charge Against eBay

A Bloody Pig Mask Is Just Part of a Wild New Criminal Charge Against eBay

“EBay’s actions against us had a damaging and permanent impact on us—emotionally, psychologically, physically, reputationally, and financially—and we strongly pushed federal prosecutors for further indictments to deter corporate executives and board members from creating a culture where stalking and harassment is tolerated or encouraged,” Ina and David Steiner say in a victim statement published online. The couple also highlighted that EcommerceBytes has filed a civil lawsuit against eBay and its former employees that is set to be heard in 2025.

China’s Judicial Bureau has claimed a privately run research institution, the Beijing Wangshendongjian Judicial Appraisal Institute, has created a way to identify people using Apple’s AirDrop tool, including determining phone numbers, email addresses, and device names. Police have been able to identify suspects using the technique, according to reports and a post from the Institute. Apple’s wireless AirDrop communication and file-sharing method has previously been used in China to protest the leadership of President Xi Jinping, and Apple introduced a 10-minute time limit sharing period in China, before later rolling it out globally.

In a blog post analyzing the incident, Johns Hopkins University cryptographer Matthew Green says the attack was initially discovered by researchers at Germany’s Technical University of Darmstadt in 2019. In short, Green says, Apple doesn’t use a secure private set intersection that can help mask people’s identity when communicating with other phones using AirDrop. It’s unclear if Apple plans to make any changes to stop AirDrop being abused in the future.

It’s been more than 15 years since the Stuxnet malware was smuggled into Iran’s Natanz uranium enrichment plant and destroyed hundreds of centrifuges. Despite the incident happening over a decade ago, there are still plenty of details that remain unknown about the attack, which is believed to have been coordinated by the US and Israel. That includes who may have delivered the Stuxnet virus to the nuclear facility—a USB thumb drive was used to install the worm into the nuclear plant’s air-gapped networks. In 2019, it was reported that Dutch intelligence services had recruited an insider to help with the attack. This week, the Dutch publication Volkskrant claimed to identify the mole as Erik van Sabben. According to the report, van Sabben was recruited by Dutch intelligence service AIVD in 2005, and politicians in the Netherlands did not know about the operation. Van Sabben is said to have left Iran shortly after the sabotage began. However, he died two weeks later, on January 16, 2009, after being involved in a motorcycle accident in Dubai.

The rapid advances in generative AI systems, which use machine learning to create text and produce images, has seen companies scrambling to incorporate chatbots or similar technologies into their products. Despite the progress, traditional cybersecurity practices of locking down systems from unauthorized access and making sure apps can’t access too much data still apply. This week, 404 Media reported that Chattr, a company creating an “AI digital assistant” to help with hiring, exposed data through an incorrect Firebase configuration and also revealed how its systems work. This includes the AI appearing to have the ability to “accept or deny job applicants.” The pseudonymous security researcher behind the finding, MrBruh, shared a video with 404 Media showing the chatbot appearing to automatically make decisions about job applications. Chattr secured the exposed systems after being contacted by the researchers but did not comment on the incident.