Change Healthcare and Federal Reserve: Claimed Twice: Five Reasons the Same Ransomware Victim Shows Up Under Two Flags

Change Healthcare and Federal Reserve: Claimed Twice: Five Reasons the Same Ransomware Victim Shows Up Under Two Flags

Ransomware’s Double Trouble: Why Victims Are Being Claimed Twice in 2026

In 2026, a troubling trend has emerged in the ransomware landscape: the same victim organizations are appearing on leak sites under two different ransomware group names. Bitdefender’s analysis of this phenomenon based on a curated dataset of 98 claims across 49 distinct victims from January to June 2026 reveals five key explanations for these duplicate postings, each with distinct implications for incident response.

The Mechanics Behind Duplicate Claims

The median gap between a victim’s first and second appearance on leak sites is 12 days, with a mean of 23 days and a maximum of 96 days. While five cases were posted simultaneously, most followed a staggered timeline, suggesting different underlying causes. The patterns also hint at structured relationships between groups such as Beast preceding Qilin or Devman preceding DragonForce rather than random overlaps.

1. One Attack, Two Group Names (Cartel Rebranding)

Some duplicate claims stem from a single breach posted by two brands within the same criminal network. For example, DragonForce absorbed affiliates from RansomHub after its shutdown, leading to the same victim appearing under both names. Similarly, Hunters International rebranded as World Leaks, carrying over infrastructure and extortion tactics. In these cases, the victim faces one incident, not two, but public statistics inflate the count.

2. Same Data, Second Extortion (Affiliate Churn)

A single breach can generate two extortion attempts if an unpaid affiliate reposts stolen data under a new group. The Change Healthcare case exemplifies this: an ALPHV/BlackCat affiliate allegedly resurfaced the same data via RansomHub after a payment dispute. The 1-to-30-day gap in many duplicate claims aligns with this model, where sequential postings indicate a handoff rather than simultaneous access sales.

3. Two Real Breaches (Repeat Victimization)

In 16 of the 49 cases, the gap between claims exceeded 31 days, suggesting two genuinely separate breaches. Often, this occurs when an organization fails to address systemic vulnerabilities such as weak identity controls, unpatched systems, or flat networks after the first attack. Access brokers may also resell compromised credentials, enabling multiple independent intrusions.

4. No Breach at All (Fabrication or Plagiarism)

Some claims are entirely fabricated. 0APT, a group that surfaced in early 2026, posted 549 victims in two months later revealed to be fake after a rival group, KryBit, leaked its logs. Similarly, LockBit falsely attributed Evolve Bank data to the Federal Reserve post-disruption, while Dispossessor simply reposted existing victim lists from Cl0p and Hunters International. These cases invert the problem: victims may have no breach to remediate, but false claims still trigger unnecessary disclosures.

The Statistical Impact of Noise

The prevalence of fabricated claims distorts ransomware metrics. In Q1 2026, raw leak-site data showed 3,014 victims a 15% increase from 2025. However, removing 0APT’s 549 fake claims reversed the trend, revealing a 6% decline. This underscores how one fraudulent group can flip the narrative from "ransomware surged" to "ransomware fell."

Key Takeaways for Defenders

  • Same-day or near-simultaneous claims often indicate cartel rebranding or shared access.
  • Days-to-weeks gaps suggest affiliate churn or re-extortion.
  • Months-long gaps point to repeat victimization due to unaddressed vulnerabilities.
  • No proof or recycled data signals fabrication verification is critical before responding.

The rise of duplicate claims complicates incident response, requiring defenders to distinguish between new intrusions, recycled access, and outright fraud to avoid misallocating resources or making flawed disclosure decisions.

Source: https://www.bitdefender.com/en-au/blog/businessinsights/claimed-twice-five-reasons-same-ransomware-victim-appears-under-two-flags

CHANGE HEALTHCARE TECHNOLOGIES, LLC cybersecurity rating report: https://www.rankiteo.com/company/change-healthcare-technologies-llc

Federal Reserve Bank of New York cybersecurity rating report: https://www.rankiteo.com/company/federal-reserve-bank-of-new-york

"id": "CHAFED1782133142",
"linkid": "change-healthcare-technologies-llc, federal-reserve-bank-of-new-york",
"type": "Ransomware",
"date": "1/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Healthcare', 'name': 'Change Healthcare'},
                       {'industry': 'Banking', 'name': 'Evolve Bank'},
                       {'type': 'Organization'}],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally identifiable '
                                              'information',
                                              'Payment information']},
 'date_detected': '2026-01-01',
 'description': 'In 2026, a troubling trend has emerged in the ransomware '
                'landscape where the same victim organizations are appearing '
                'on leak sites under two different ransomware group names. '
                'Analysis of 98 claims across 49 distinct victims from January '
                'to June 2026 reveals five key explanations for these '
                'duplicate postings, each with distinct implications for '
                'incident response.',
 'impact': {'brand_reputation_impact': True,
            'data_compromised': True,
            'identity_theft_risk': True,
            'payment_information_risk': True},
 'initial_access_broker': {'data_sold_on_dark_web': True},
 'lessons_learned': 'The rise of duplicate claims complicates incident '
                    'response, requiring defenders to distinguish between new '
                    'intrusions, recycled access, and outright fraud to avoid '
                    'misallocating resources or making flawed disclosure '
                    'decisions.',
 'motivation': ['Financial gain', 'Extortion', 'Data theft'],
 'post_incident_analysis': {'root_causes': ['Weak identity controls',
                                            'Unpatched systems',
                                            'Flat networks',
                                            'Affiliate churn',
                                            'Cartel rebranding']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': ['Beast',
                                      'Qilin',
                                      'Devman',
                                      'DragonForce',
                                      'RansomHub',
                                      'Hunters International',
                                      'World Leaks',
                                      'ALPHV/BlackCat',
                                      '0APT',
                                      'LockBit',
                                      'Dispossessor',
                                      'Cl0p']},
 'recommendations': ['Same-day or near-simultaneous claims often indicate '
                     'cartel rebranding or shared access.',
                     'Days-to-weeks gaps suggest affiliate churn or '
                     're-extortion.',
                     'Months-long gaps point to repeat victimization due to '
                     'unaddressed vulnerabilities.',
                     'No proof or recycled data signals fabrication; '
                     'verification is critical before responding.'],
 'references': [{'source': 'Bitdefender'}],
 'threat_actor': ['Beast',
                  'Qilin',
                  'Devman',
                  'DragonForce',
                  'RansomHub',
                  'Hunters International',
                  'World Leaks',
                  'ALPHV/BlackCat',
                  'RansomHub',
                  '0APT',
                  'KryBit',
                  'LockBit',
                  'Dispossessor',
                  'Cl0p'],
 'title': 'Ransomware’s Double Trouble: Why Victims Are Being Claimed Twice in '
          '2026',
 'type': 'Ransomware',
 'vulnerability_exploited': ['weak identity controls',
                             'unpatched systems',
                             'flat networks']}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.