Named attack · kill-chain walkthrough

Change Healthcare Ransomware

ALPHV's $22M exit-scam and the longest US healthcare outage in modern memory

Threat actor: ALPHV/BlackCat ransomware-as-a-service
Timeframe: February 12 – March 2024 (initial access through detonation); recovery into Q3 2024
Attribution confidence: Moderate

Attributed to an ALPHV/BlackCat affiliate later identified on the RAMP cybercrime forum as 'Notchy'. ALPHV/BlackCat is a Russian-language ransomware-as-a-service (RaaS) operation. After receiving the ransom, ALPHV's core operators exit-scammed their own affiliate, shut down infrastructure, and falsely claimed an FBI seizure. The data subsequently appeared in the hands of RansomHub, which re-extorted UHG in April 2024. No criminal charges unsealed as of the knowledge cutoff.

On February 12, 2024, an ALPHV/BlackCat affiliate authenticated to Change Healthcare's Citrix remote-access portal using stolen credentials — no multi-factor authentication was required. Over nine days the affiliate moved laterally, harvested credentials, and exfiltrated an estimated 6 TB of protected health information before detonating ransomware on February 21. Change Healthcare — which routes roughly one-third of all U.S. healthcare claims — took systems offline immediately, triggering the longest and most consequential healthcare-IT outage in modern U.S. history. Pharmacies could not fill prescriptions, hospitals could not bill, and thousands of smaller providers ran out of cash within weeks. UnitedHealth Group (UHG) paid approximately $22 million in Bitcoin to ALPHV in early March 2024, whereupon ALPHV performed an exit scam — stealing the payment from its own affiliate 'Notchy', faking an FBI seizure, and going dark. RansomHub then surfaced in April 2024, claiming to hold the same data and threatening UHG again. UHG's October 2024 disclosure confirmed approximately 190 million individuals had PHI or PII exposed — the largest healthcare data breach in U.S. history.

Kill-chain diagram (scene 00 / 08), rendered here as its node labels:

    • ALPHV affiliate "Notchy": stolen creds (dark web), no MFA → Change Healthcare Citrix portal · valid account · T1078 · Feb 12, 2024 (Witty testimony)
    • ALPHV / BlackCat RaaS operators · G1016 · S0649
    • Cobalt Strike C2 · 9-day dwell: Feb 12 → Feb 21 · PsExec · schtasks · net.exe · T1059.001 · T1059.003 · T1053.005 · 9 days undetected, no alerting triggered (Witty testimony)
    • Credential dumping: LSASS memory · Active Directory · lsass.exe memory dump · SMB lateral movement · domain spread · T1003.001 · T1021.002 · T1018
    • Change Healthcare PHI / PII stores: claims · diagnoses · SSNs · T1005 · T1560
    • RClone: ~6 TB exfiltrated to attacker cloud storage · T1567.002
    • ALPHV ransomware detonated February 21, 2024 · 8-K filed Feb 22 · ~1/3 of all US healthcare claims halted · 14B claims/year pipeline · T1486 · Windows + ESXi encrypted · S0649 (Rust-based)
    • Pharmacies: can't process insurance, prescriptions unfillable
    • Physician practices: billing halted · cash crisis · $3.3B UHG assistance
    • Hospitals: can't verify coverage · AHA: worst ever incident
    • UHG pays ransom ~$22M BTC · ~350 BTC · Mar 2024 · on-chain (TRM Labs)
    • ALPHV receives $22M, then shuts down all infra · exit scam, steals from Notchy · fakes "FBI seizure" (Krebs, Mar 2024)
    • Notchy (affiliate) gets nothing · posts BTC tx on RAMP · still holds 6 TB PHI
  1. Phase 01 · Initial Access (TA0001)

    Stolen credentials to a Citrix portal with no MFA — the entire attack rested on one missing control

    • UHG CEO Andrew Witty confirmed in written testimony to both the House Energy & Commerce Committee and the Senate Finance Committee on May 1, 2024: the attacker used stolen credentials to log into a Change Healthcare Citrix remote-access portal. The portal did not enforce multi-factor authentication.
    • The credentials were not obtained through a Change Healthcare breach — they appear to have been sourced from a prior credential theft or infostealer campaign, consistent with ALPHV affiliate tradecraft documented in CISA advisory AA24-080A.
    • ALPHV/BlackCat affiliates routinely purchase valid account credentials from initial-access brokers or harvest them via commodity infostealers; Citrix portals without MFA are a documented preferred entry point per CISA AA24-080A.
    • February 12, 2024 is the date UHG identified as the first unauthorized access based on forensic review; Witty's testimony explicitly named this date to Congress.
    • CISA advisory AA24-080A (updated March 2024) documents ALPHV/BlackCat's consistent use of valid accounts and external remote services as primary initial-access vectors across the healthcare sector.
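The control failure described above is detectable as well as preventable: a portal that does not enforce MFA still logs whether an MFA step happened, and a valid-account login from an address never seen for that account is a signal on its own. The script below is an added example, not code from the page or from Change Healthcare; the log layout, field names, user names and addresses are constructed, and a real Citrix or other portal log would need its own parser.

```python
"""Defender-side check for the Phase 01 entry vector: successful logins to a
remote-access portal that skipped MFA, or that arrived from a source address
never seen for that account (ATT&CK T1078 valid accounts via T1133 external
remote services).  Added example; the log lines and field layout below are
constructed, not Change Healthcare data or a real Citrix log format."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in a hypothetical "timestamp user src_ip result mfa=..."
# layout.  A real portal log would need its own parser.
SAMPLE_LOG = """\
2024-02-10T08:01:12Z jdoe 198.51.100.7 success mfa=yes
2024-02-11T08:03:44Z jdoe 198.51.100.7 success mfa=yes
2024-02-12T02:17:09Z svc-portal 203.0.113.45 success mfa=no
2024-02-12T02:19:31Z svc-portal 203.0.113.45 failure mfa=no
2024-02-12T09:10:00Z asmith 198.51.100.22 success mfa=no
"""

# Per-account baseline of source addresses seen before the window under review
# (constructed; in production this comes from prior weeks of successful logins).
KNOWN_SOURCES = {"jdoe": {"198.51.100.7"}, "asmith": {"198.51.100.22"}}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    src_ip: str
    reasons: tuple


def parse_line(line):
    ts, user, ip, result, mfa = line.split()
    return {"ts": ts, "user": user, "ip": ip,
            "ok": result == "success", "mfa": mfa == "mfa=yes"}


def detect(log_text, known_sources=None):
    """Return one Alert per successful login that skipped MFA and/or came from a
    source address not yet seen for that account.  Sources seen during the run
    are added to the baseline so a repeat from the same new address is reported
    once, not on every login."""
    seen = defaultdict(set)
    for user, ips in (known_sources or {}).items():
        seen[user].update(ips)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if not ev["ok"]:
            continue  # failed attempts belong to a brute-force rule, not this one
        reasons = []
        if not ev["mfa"]:
            reasons.append("no_mfa")
        if ev["ip"] not in seen[ev["user"]]:
            reasons.append("new_source")
        seen[ev["user"]].add(ev["ip"])
        if reasons:
            alerts.append(Alert(ev["ts"], ev["user"], ev["ip"], tuple(reasons)))
    return alerts


def accounts_without_mfa(log_text):
    """Accounts that completed at least one login without MFA: the list to hand
    to whoever owns the portal policy."""
    return sorted({a.user for a in detect(log_text) if "no_mfa" in a.reasons})


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, KNOWN_SOURCES):
        print(a)
    print("no-MFA accounts:", accounts_without_mfa(SAMPLE_LOG))
```

On the constructed sample the run reports two alerts: the service account logging in without MFA from a never-seen address, and a known user logging in from a known address but without MFA. The second case is the one an "impossible travel" rule alone would miss, which is why the MFA flag is checked independently of the source baseline.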
  2. Phase 02 · Execution & Persistence (TA0002)

    Cobalt Strike and living-off-the-land tools established a durable foothold during the nine-day dwell window

    • ALPHV/BlackCat affiliates standardly deploy Cobalt Strike beacons after initial access to establish interactive C2 channels; this was confirmed as part of the broader ALPHV affiliate playbook in CISA advisory AA24-080A.
    • The nine-day dwell window (February 12 to detonation on February 21) is consistent with hands-on-keyboard operations: discovery, credential harvesting, lateral movement, and data staging before encryption.
    • ALPHV affiliates use Windows native utilities (PsExec, wmic, net.exe, Task Scheduler) to move and maintain access — classified under MITRE TA0002/TA0003 as signed-binary proxy execution and scheduled task persistence.
    • UHG's forensic review, summarized in Witty's congressional testimony, confirmed the attacker maintained access across the nine-day window without triggering alerting that would have stopped the attack.
  3. Phase 03 · Credential Access & Lateral Movement (TA0006)

    Credential harvesting from memory and Active Directory let the affiliate traverse Change Healthcare's internal network

    • ALPHV affiliates routinely use credential dumping tools (including Mimikatz-equivalent functionality) targeting LSASS memory and Active Directory to harvest domain credentials, per CISA AA24-080A.
    • Harvested credentials enabled movement across Change Healthcare's IT network from the initial Citrix beachhead to data stores containing protected health information.
    • ALPHV/BlackCat affiliates have been documented using RClone and cloud storage staging prior to ransomware detonation — a two-step exfil-then-encrypt pattern that maximizes leverage (T1567.002).
    • The scale of lateral reach — sufficient to encrypt enough systems to halt all of Change Healthcare's claims-processing infrastructure — implies broad domain-level credential compromise.
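Phases 02 and 03 describe tradecraft that standard endpoint telemetry records: native tools invoked with a remote target (PsExec, schtasks /s, wmic /node, net use against an admin share) and a handle opened on lsass.exe with memory-read rights. The detector below is an added example covering both passages; it is not code from the page or from Change Healthcare. The events are constructed, and the field names follow Sysmon's public schema (EventID 1 for process creation, EventID 10 for process access) only to make the shape recognisable.

```python
"""Detection logic for the Phase 02/03 tradecraft over Sysmon-style events:
remote execution with PsExec, schtasks, wmic and admin-share mapping
(T1059.003, T1053.005, T1021.002) and handles opened on lsass.exe with
memory-read rights (T1003.001).  Added example; the events are constructed
and the field names mirror Sysmon's public schema (EventID 1 = process
create, EventID 10 = process access) but are not Change Healthcare telemetry."""
import re

# Constructed events; hostnames, paths and masks are made up for the example.
EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Tools\PsExec.exe",
     "CommandLine": r"PsExec.exe \\FS02 -s cmd.exe"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /s DC01 /tn upd /tr C:\Windows\Temp\svc.exe /sc onlogon"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\DC01\C$ /user:corp\admin *"},
    {"EventID": 10, "Computer": "DC01", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "Computer": "DC01", "SourceImage": r"C:\Users\admin\AppData\Local\Temp\pd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]

# Remote-execution patterns: each is a native tool plus a switch naming a
# remote host.  Local use of the same tools is not matched.
REMOTE_EXEC = [
    ("psexec_remote",       re.compile(r"psexec(64)?\.exe\s+\\\\\S+", re.I)),
    ("schtasks_remote",     re.compile(r"schtasks(\.exe)?\s+/create\b.*\s/s\s+\S+", re.I)),
    ("wmic_remote",         re.compile(r"wmic(\.exe)?\s+/node:\S+.*process\s+call\s+create", re.I)),
    ("net_use_admin_share", re.compile(r"net(\.exe)?\s+use\s+\\\\\S+\\(c|admin)\$", re.I)),
]

PROCESS_VM_READ = 0x10  # Win32 access right needed to read another process's memory


def check_process_create(ev):
    """Names of remote-execution patterns matched by a process-create event."""
    cmd = ev.get("CommandLine", "")
    return [name for name, rx in REMOTE_EXEC if rx.search(cmd)]


def check_lsass_access(ev):
    """Flag a process-access event whose target is lsass.exe and whose granted
    mask includes PROCESS_VM_READ.  0x1000 (query limited information alone) is
    routine and stays quiet; 0x1010 and 0x1FFFFF, the masks public credential-
    dumping detection rules list, both carry the read bit and fire."""
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return []
    mask = int(ev.get("GrantedAccess", "0x0"), 16)
    return ["lsass_memory_read"] if mask & PROCESS_VM_READ else []


def detect(events):
    """Return (computer, finding) pairs in event order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            hits = check_process_create(ev)
        elif ev["EventID"] == 10:
            hits = check_lsass_access(ev)
        else:
            hits = []
        findings.extend((ev["Computer"], h) for h in hits)
    return findings


if __name__ == "__main__":
    for computer, finding in detect(EVENTS):
        print(computer, finding)
```

On the constructed events this yields three remote-execution findings on the workstation and one LSASS memory-read finding on the domain controller; the benign `dir` and the svchost.exe query with mask 0x1000 produce nothing. In production the LSASS rule needs a source-image allowlist (EDR agents and some security products legitimately read LSASS), and the point of correlating both rule families on the same hosts within hours is precisely the nine-day, no-alert dwell the testimony describes.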
  4. Phase 04 · Exfiltration (TA0010)

    ~6 TB of protected health information staged and exfiltrated to cloud storage before a single byte was encrypted

    • Reporting based on RansomHub's subsequent April 2024 extortion communication — in which the affiliate group claimed to possess 4 TB of data — and UHG's disclosure of approximately 6 TB exfiltrated, establishes the scale of the theft.
    • ALPHV affiliates use RClone — a legitimate command-line cloud-sync tool — to bulk-transfer data to attacker-controlled cloud storage buckets; this is documented in CISA AA24-080A as T1567.002.
    • The data reportedly included names, addresses, dates of birth, Social Security numbers, claims information, diagnoses, and health-insurance identifiers for an eventual 190 million individuals — the single largest healthcare data breach in U.S. history.
    • Exfiltration preceding encryption is a deliberate double-extortion pattern: ALPHV affiliates know that even if victims restore from backups, the threat of PHI publication creates independent compliance and reputational leverage under HIPAA.
    • UHG's October 2024 update to the OCR (Office for Civil Rights) breach notification confirmed approximately 190 million individuals affected — revised upward from an earlier estimate of ~100 million.
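A bulk RClone-style upload is loud on the wire even when it is quiet on the endpoint: several terabytes leaving one host in a day dwarfs that host's normal egress. The script below is an added example, not code from the page or from Change Healthcare, that flags a host-day whose outbound volume is far above the host's own median and notes whether any destination that day is a cloud-storage service; the flow records, hostnames, destination names and the cloud-storage suffix list are constructed. It also includes a small helper for how long a given volume takes at a given line rate, which is why a multi-terabyte transfer fits inside a nine-day window.

```python
"""Egress-volume anomaly check for the Phase 04 exfiltration pattern
(T1567.002, exfiltration to cloud storage).  Added example; the flow
summaries, host and destination names and the cloud-storage suffix list are
constructed, not Change Healthcare telemetry."""
from collections import defaultdict
from statistics import median

# Constructed daily flow summaries: (day, host, destination, bytes_out).
FLOWS = [
    ("2024-02-14", "FS02", "updates.example.net", 120_000_000),
    ("2024-02-15", "FS02", "updates.example.net", 90_000_000),
    ("2024-02-16", "FS02", "backup.example.net", 150_000_000),
    ("2024-02-17", "FS02", "updates.example.net", 110_000_000),
    ("2024-02-18", "FS02", "storage.cloud-provider.example", 2_400_000_000_000),
    ("2024-02-14", "WS01", "cdn.example.com", 30_000_000),
    ("2024-02-15", "WS01", "cdn.example.com", 35_000_000),
    ("2024-02-16", "WS01", "cdn.example.com", 28_000_000),
    ("2024-02-17", "WS01", "cdn.example.com", 31_000_000),
    ("2024-02-18", "WS01", "cdn.example.com", 33_000_000),
]

# Assumption: an organisation-maintained list of cloud-storage domains that
# hosts in this network segment have no business uploading to.
CLOUD_STORAGE_SUFFIXES = ("cloud-provider.example",)


def daily_totals(flows):
    """host -> {day -> bytes_out} and host -> {day -> set(destinations)}."""
    totals = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for day, host, dst, nbytes in flows:
        totals[host][day] += nbytes
        dests[host][day].add(dst)
    return totals, dests


def detect(flows, ratio=10.0, min_bytes=10 * 1024 ** 3):
    """Return (host, day, bytes_out, to_cloud_storage) for each host-day whose
    egress is both at least `min_bytes` and more than `ratio` times the median
    of that host's other days.  The absolute floor keeps a quiet host's normal
    jitter from tripping the ratio test."""
    totals, dests = daily_totals(flows)
    findings = []
    for host, per_day in totals.items():
        for day, nbytes in sorted(per_day.items()):
            others = [b for d, b in per_day.items() if d != day]
            if not others:
                continue  # no baseline for a host seen on a single day
            if nbytes >= min_bytes and nbytes > ratio * median(others):
                to_cloud = any(d.endswith(CLOUD_STORAGE_SUFFIXES) for d in dests[host][day])
                findings.append((host, day, nbytes, to_cloud))
    return findings


def hours_at_rate(nbytes, gbps):
    """Wall-clock hours to move `nbytes` at a sustained `gbps` line rate."""
    return nbytes * 8 / (gbps * 1e9) / 3600


if __name__ == "__main__":
    for host, day, nbytes, to_cloud in detect(FLOWS):
        print(f"{host} {day}: {nbytes / 1e12:.1f} TB out, cloud storage: {to_cloud}")
    print(f"6 TB at 1 Gbps: {hours_at_rate(6e12, 1.0):.1f} hours")
```

On the constructed records only the file server's 2.4 TB day is flagged, and the destination is in the cloud-storage list; the workstation's steady 30 MB/day never approaches the floor. The rate helper shows that 6 TB moves in roughly 13 hours at 1 Gbps, so a daily aggregation window is coarse enough to catch it but an hourly one would catch it sooner.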
  5. Phase 05 · Impact — Ransomware Detonation (TA0040)

    February 21 detonation halted ~one-third of all U.S. healthcare claims processing overnight

    • On February 21, 2024, ALPHV ransomware was detonated across Change Healthcare's infrastructure; UHG took systems offline immediately, confirmed in the SEC 8-K filed February 22, 2024.
    • Change Healthcare is the largest healthcare payment clearinghouse in the United States, processing approximately 14 billion claims transactions per year — roughly one-third of all U.S. healthcare claims, per UHG investor materials.
    • The outage immediately affected pharmacies (unable to process insurance for prescriptions), hospitals (unable to submit claims or verify coverage), and physician practices (unable to bill).
    • Smaller independent pharmacies and rural providers — lacking cash reserves to absorb a multi-week billing interruption — faced existential pressure within days; the American Hospital Association called it the most significant cybersecurity incident ever against U.S. healthcare.
    • ALPHV used its custom Rust-based ransomware variant (MITRE S0649), capable of encrypting both Windows and Linux/VMware ESXi hosts, to maximize infrastructure coverage.
    • UHG deployed emergency financial assistance — $3.3 billion in accelerated payments disbursed by Q1 2024 end — to prevent provider insolvency during the outage.
  6. Phase 06 · Ransom Payment & ALPHV Exit Scam (TA0040)

    UHG paid ~$22M in Bitcoin; ALPHV stole it from its own affiliate 'Notchy' and vanished

    • On-chain analysis reported by TRM Labs and others identified a ~350 BTC transfer (approximately $22 million at March 2024 prices) to a Bitcoin address controlled by ALPHV in early March 2024.
    • Andrew Witty testified that UHG made a ransom payment but declined to confirm the exact amount in his May 1, 2024 Congressional testimony, citing ongoing legal and law-enforcement matters.
    • Immediately after receiving the payment, ALPHV's core operators shut down their Tor administration panel, their public leak site, and all affiliate-facing infrastructure — an "exit scam" against their own RaaS affiliates.
    • The affiliate who conducted the Change Healthcare intrusion — posting on the Russian-language cybercrime forum RAMP under the handle 'Notchy' — publicly complained about the theft, sharing the Bitcoin transaction hash as proof that ALPHV had received and kept the full payment.
    • ALPHV simultaneously posted a message claiming the FBI had seized their infrastructure — a false flag designed to provide cover. The FBI denied the claim; Krebs on Security and multiple researchers quickly identified it as self-seizure.
    • This was ALPHV's second attempted exit; the group had previously restructured under 'BlackCat' after earlier affiliate disputes. The March 2024 exit is believed to be permanent.
  7. Phase 07 · RansomHub Re-Extortion (TA0040)

    RansomHub surfaced in April 2024 threatening to publish 4 TB of Change Healthcare data — the same affiliate, a new gang

    • In April 2024, the RansomHub ransomware group — which emerged in early 2024 and is believed to recruit former ALPHV affiliates — posted a notice on its Tor leak site claiming to hold 4 TB of Change Healthcare data and threatening publication if UHG did not pay an additional ransom.
    • Security researchers and reporting by Krebs on Security assessed that RansomHub had obtained the data either directly from 'Notchy' (who still held the exfiltrated data despite ALPHV's exit scam) or through an arrangement with the original affiliate.
    • UHG declined to confirm whether it paid RansomHub. RansomHub ultimately published a portion of the data, according to reporting, though the full dataset was not publicly released.
    • The double-extortion-then-re-extortion sequence — pay one gang, get hit by another — illustrates the structural instability of RaaS ecosystems and the risk that ransom payment does not guarantee data non-disclosure.
    • HHS Office for Civil Rights (OCR) noted in its breach notification guidance that HIPAA-covered entities bear notification obligations regardless of whether ransom is paid or data is subsequently published.
  8. Phase 08 · Fallout & Systemic Impact (TA0040)

    190M PHI records, Congressional hearings, MFA mandates, and the largest healthcare breach in U.S. history

    • UHG's October 2024 updated disclosure to HHS OCR confirmed approximately 190 million individuals had protected health information or PII exposed — surpassing the 2015 Anthem breach (~78.8M) as the largest healthcare data breach in U.S. history.
    • UHG reported total costs related to the Change Healthcare incident exceeding $3.3 billion in Q1 2024 alone (provider financial assistance, remediation, and business disruption), with further costs accruing through Q3 2024.
    • The Senate Finance Committee and House Energy & Commerce hearings (May 1, 2024) with CEO Andrew Witty marked rare C-suite congressional testimony on a ransomware attack, and were accompanied by letters from Senators Wyden and Warner calling for mandatory MFA and minimum cybersecurity standards for healthcare entities.
    • CISA advisory AA24-080A explicitly identified lack of MFA on internet-facing remote-access solutions (especially Citrix) as the primary control failure — and mandated federal agencies review their own Citrix deployments.
    • HHS proposed mandatory cybersecurity standards for HIPAA-covered entities in late 2024, directly citing the Change Healthcare incident as the catalyst — including required MFA and network segmentation.
    • Multiple class-action lawsuits were filed against UHG on behalf of affected patients and providers; state attorneys general in multiple states opened investigations.
Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • ALPHV/BlackCat ransomware-as-a-service
Capability
  • T1078
  • T1133
  • T1059.001
  • T1059.003
  • T1053.005
Infrastructure
Victim
  • See narrative above
Primary sources