
U.S. Offers Reward For BlackCat Ransomware Group Intel


The U.S. government is looking for more information about the individuals affiliated with the BlackCat ransomware group, which was behind the Change Healthcare attack.

The U.S. government is pointing again to its $10 million reward offer in exchange for information leading to the identification or location of individuals linked to the BlackCat ransomware-as-a-service group, which was behind the recent cyberattack on Change Healthcare.

The State Department first announced the reward in February, after the U.S. government said in December that it had disrupted the group and released a decryption tool for existing victims. Following that disruption, the group's administrator encouraged affiliates to target hospitals, and CISA said in February that healthcare had been the most commonly targeted sector among the 70 victims posted to the group's leak site since December. Then the massive, far-reaching Change Healthcare ransomware attack in late February put BlackCat squarely back on the map. After the attack, Change's parent company UnitedHealth attributed it to the group, and an affiliate later reportedly claimed responsibility.

In an effort to continue putting pressure on the ransomware actors, the State Department is reiterating its reward and encouraging anyone with information on the BlackCat actors - as well as their affiliates, activities or links to a foreign government - to reach out via the Rewards for Justice program.

“The ALPHV BlackCat ransomware-as-a-service group compromised computer networks of critical infrastructure sectors in the United States and worldwide, deploying ransomware on the targeted systems, disabling security features within the victim’s network, stealing sensitive confidential information, demanding payment to restore access, and threatening to publicize the stolen data if victims do not pay a ransom,” according to the State Department in a post on Wednesday. The post did not explicitly mention the Change Healthcare ransomware attack.

The ransomware attack against Change Healthcare first occurred a month ago, and after reportedly making a ransom payment of $22 million, the organization is still working to bring some of its systems back online. Over the course of the first few weeks of the attack, it had a wide-ranging impact on patients, healthcare providers and hospitals that rely on Change’s systems for filling prescriptions, submitting insurance claims and receiving payments. The attack has reduced the cash flow for hospitals and, most importantly, led to delays in providing patient care.

As of Wednesday, Change Healthcare said it doesn’t expect some of its products to be restored until April, including a system that enables prescriptions to be ordered, and one that supports customers in managing their payment contracts. Outside of these products, the company said it has restored its electronic payments platform and has restored 99 percent of its pharmacy network services.

Change Healthcare on Wednesday also said that it is continuing to investigate the extent of impacted data, particularly as the U.S. Department of Health and Human Services Office for Civil Rights recently announced it was opening an investigation into the incident and whether protected health data was compromised. Change said that its own investigation into the impacted data has been delayed because its systems, impacted by the attack, were difficult to access. However, the company said it recently obtained a dataset that was safe to access and analyze.

“We are prioritizing the review of data that we believe would likely have health information, personally identifiable information, claims and eligibility or financial information,” said Change Healthcare in a Wednesday update. “To process the impacted data as fast as possible, we have engaged a leading vendor that is analyzing it. To be clear, we are still determining the content of the data that was taken by the threat actor, including any PHI/PII.”

In the wake of the ongoing Change Healthcare attack, identifying the threat actors behind it is a priority for the U.S. government. The State Department has previously put out reward offers for other prolific ransomware operations, including the Conti, DarkSide and REvil groups, in 2021 and 2022. These rewards are offered under the Department of State's Transnational Organized Crime Rewards Program (TOCRP), established in 2013, which gives the Secretary of State statutory authority to offer rewards of up to $25 million for information leading to the arrest or conviction, in any country, of individuals participating in transnational organized crime.