Change Healthcare

Change Healthcare, a critical healthcare technology provider, fell victim to a devastating ransomware attack in early 2024, orchestrated by an affiliate of the **AlphV/BlackCat** gang. The breach disrupted pharmacy operations, billing systems, and claims processing nationwide, crippling healthcare providers' ability to process payments, verify insurance, or access patient records. The attack forced hospitals and pharmacies to revert to manual processes, delaying treatments, prescriptions, and financial transactions for weeks. The threat actor later pivoted to **RansomHub** after AlphV’s takedown by law enforcement, attempting to monetize the stolen data through multiple leak sites. The incident exposed deep vulnerabilities in healthcare cybersecurity, with reports suggesting the attacker exploited unpatched systems or compromised credentials. The financial and operational fallout was severe: Change Healthcare’s parent company, **UnitedHealth Group**, faced billions in recovery costs, lawsuits, and regulatory scrutiny. The attack also triggered a broader crisis, with smaller clinics and pharmacies facing cash flow shortages, underscoring how ransomware can paralyze critical infrastructure and endanger patient care.

Source: https://therecord.media/ransomware-gang-takedown-proliferation

TPRM report: https://www.rankiteo.com/company/change-healthcare

{
  "id": "cha630082925",
  "linkid": "change-healthcare",
  "type": "Ransomware",
  "date": "6/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Healthcare',
                        'location': 'United States',
                        'name': 'Change Healthcare',
                        'type': 'Healthcare Technology'},
                       {'location': 'Global',
                        'name': 'Multiple unnamed victims of 60+ active '
                                'ransomware gangs',
                        'type': ['Corporations',
                                 'Government Agencies',
                                 'Critical Infrastructure']}],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (includes healthcare and '
                                        'financial data)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Healthcare records',
                                              'Financial data',
                                              'Corporate secrets']},
 'date_publicly_disclosed': '2025-06-30',
 'description': 'The ransomware ecosystem has seen a significant splintering, '
                'with a surge in new gangs emerging following law enforcement '
                'takedowns of major operations like LockBit, BlackCat/AlphV, '
                'and Hive. Between July 2024 and June 2025, MalwareBytes '
                'tracked 41 new ransomware groups, bringing the total to over '
                '60 active gangs—the highest number recorded. The '
                'fragmentation is driven by factors such as leaked ransomware '
                'source code (e.g., SafePay sharing code with LockBit), '
                'distrust among affiliates, and the commoditization of malware '
                'tools. Law enforcement successes have disrupted large RaaS '
                '(Ransomware-as-a-Service) operations but failed to secure '
                'arrests, allowing threat actors to rebrand or form new '
                'groups. The top-10 most active groups now account for only '
                '50% of attacks (down from 69% in 2022), reflecting '
                'decentralization. Infighting, exit scams, and cross-group '
                'data leaks (e.g., Change Healthcare attack data offered via '
                "RansomHub after AlphV's takedown) highlight the volatile and "
                'distrustful state of the ecosystem. Experts note that the '
                'barrier to entry has lowered due to AI, leaked tools, and '
                'initial access brokers, enabling smaller, entrepreneurial '
                'groups to operate independently.',
 'impact': {'brand_reputation_impact': 'Erosion of trust in cybercriminal '
                                       'underground; infighting among gangs',
            'data_compromised': 'Widespread (varies by group; e.g., Change '
                                'Healthcare data leaked via multiple gangs)',
            'identity_theft_risk': 'High (due to leaked PII from attacks like '
                                   'Change Healthcare)',
            'operational_impact': 'Increased volatility in ransomware '
                                  'operations; decentralization of attack '
                                  'sources',
            'payment_information_risk': 'High (ransomware groups target '
                                        'financial and healthcare sectors)'},
 'initial_access_broker': {'backdoors_established': True,
                           'data_sold_on_dark_web': True,
                           'entry_point': ['VPN exploits',
                                           'Phishing',
                                           'Stolen credentials',
                                           'Unpatched vulnerabilities'],
                           'high_value_targets': ['Healthcare (e.g., Change '
                                                  'Healthcare)',
                                                  'Financial institutions',
                                                  'Critical infrastructure']},
 'investigation_status': 'Ongoing (tracked by cybersecurity firms and law '
                         'enforcement)',
 'lessons_learned': ['Law enforcement takedowns disrupt but do not eliminate '
                     'threat actors, who rebrand or form new groups.',
                     'Leaked ransomware code and commoditized tools lower the '
                     'barrier to entry for new gangs.',
                     'Distrust and infighting among affiliates weaken large '
                     'RaaS operations, leading to fragmentation.',
                     'Initial access brokers and open-source tools enable '
                     'smaller, independent ransomware operations.',
                     'Volatility in the ransomware ecosystem requires adaptive '
                     'defense strategies.'],
 'motivation': ['Financial gain',
                'Avoidance of law enforcement scrutiny',
                'Distrust in centralized RaaS operations',
                'Exploitation of leaked ransomware code',
                'Entrepreneurial independence'],
 'post_incident_analysis': {'corrective_actions': ['Targeted arrests of threat '
                                                   'actors, not just '
                                                   'infrastructure disruption',
                                                   'Dark web monitoring for '
                                                   'leaked code and initial '
                                                   'access sales',
                                                   'Public-private '
                                                   'partnerships to share '
                                                   'threat intelligence',
                                                   'Adaptive defenses against '
                                                   'fragmented, smaller '
                                                   'ransomware groups'],
                            'root_causes': ['Law enforcement takedowns '
                                            'scattering affiliates without '
                                            'arrests',
                                            'Leaked ransomware source code '
                                            '(e.g., LockBit, Conti)',
                                            'Commoditization of malware tools '
                                            'and AI lowering entry barriers',
                                            'Distrust among affiliates due to '
                                            'infiltrations (e.g., LockBit, '
                                            'Hive)',
                                            'Financial disputes and '
                                            'underpayment in large RaaS '
                                            'groups']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': ['SafePay (LockBit-derived)',
                                      'Qilin',
                                      'Akira',
                                      'RansomHub',
                                      'Other rebranded/leaked-code variants']},
 'recommendations': ['Enhance international cooperation to track and arrest '
                     'threat actors, not just disrupt infrastructure.',
                     'Monitor dark web forums for leaked ransomware code and '
                     'initial access broker activities.',
                     'Implement proactive threat hunting for emerging '
                     'ransomware strains derived from leaked codebases (e.g., '
                     'LockBit, Conti).',
                     'Strengthen defenses against initial access vectors '
                     '(e.g., VPN exploits, phishing).',
                     'Prepare for decentralized attacks from smaller, '
                     'entrepreneurial ransomware groups.'],
 'references': [{'date_accessed': '2025-06-30',
                 'source': 'MalwareBytes',
                 'url': 'https://www.malwarebytes.com'},
                {'date_accessed': '2025-06-30',
                 'source': 'Flashpoint',
                 'url': 'https://www.flashpoint.io'},
                {'date_accessed': '2025-06-30',
                 'source': 'Recorded Future (The Record)',
                 'url': 'https://therecord.media'},
                {'date_accessed': '2025-06-30',
                 'source': 'Trellix',
                 'url': 'https://www.trellix.com'}],
 'regulatory_compliance': {'legal_actions': ['International Ransomware Task '
                                             'Force operations',
                                             'Infrastructure seizures']},
 'response': {'communication_strategy': ['Public reports by cybersecurity '
                                         'firms',
                                         'Media coverage of gang '
                                         'fragmentation'],
              'containment_measures': ['Infrastructure disruption (e.g., '
                                       'LockBit takedown)',
                                       'International Ransomware Task Force '
                                       'operations'],
              'incident_response_plan_activated': 'Law enforcement takedowns '
                                                  '(e.g., LockBit, AlphV, '
                                                  'Hive)',
              'law_enforcement_notified': True,
              'third_party_assistance': ['MalwareBytes',
                                         'Flashpoint',
                                         'Recorded Future',
                                         'Trellix']},
 'threat_actor': ['Splintered LockBit affiliates',
                  'Rebranded AlphV/BlackCat members',
                  'New entrepreneurial ransomware groups (e.g., SafePay, '
                  'Qilin, Akira, RansomHub)',
                  'Initial Access Brokers (IABs)',
                  'Former Conti/REvil affiliates'],
 'title': 'Fragmentation and Proliferation of Ransomware Gangs (2024–2025)',
 'type': ['Ransomware Proliferation',
          'Cybercriminal Ecosystem Fragmentation',
          'RaaS Evolution']}