Who is Blackcat, the hacker group that has disrupted UnitedHealth and pharmacies everywhere?

For the past week-and-a-half, UnitedHealth’s Change Healthcare business has been undergoing a cyberattack, which has impacted the ability of some pharmacies to fill prescriptions in a timely manner. Now the company is finally addressing who the enemy is.

The Blackcat ransomware group—which also goes by ALPHV or Noberus—has been identified as the party responsible for the hack, Change Healthcare confirmed Thursday.

“Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Network, on this attack,” the company said in a statement. “We are actively working to understand the impact to members, patients, and customers.”

Change Healthcare provides prescription-processing services for pharmacies—and with the system down, some pharmacies have been unable to process prescriptions with insurance companies, the step that allows them to receive payment. The company now says it has “multiple workarounds to ensure people have access to the medications and the care they need.”

Blackcat isn’t an unfamiliar name to law enforcement officials. The Justice Department mentioned the group last December, announcing officials had launched a disruption campaign against it. The FBI, it said, had “gained visibility into the Blackcat ransomware group’s computer network” as part of an ongoing investigation and seized several websites that the group operated.

Over the past two years, Blackcat has established itself as the world’s second most prolific ransomware-as-a-service (RaaS) organization, taking hundreds of millions of dollars from victims. Multiple law enforcement agencies from a variety of countries around the world are conducting parallel investigations into the group.

“The disruptions caused by the ransomware variant have affected U.S. critical infrastructure—including government facilities, emergency services, defense industrial-base companies, critical manufacturing, and healthcare and public health facilities—as well as other corporations, government entities, and schools,” the Justice Department wrote.

RaaS is a model that has become popular among hackers in the past four years. Brokers sell or rent exploit kits or back doors into companies, allowing them to access user information, install malware, and assume control of system resources. Those brokers sell access for thousands of dollars and the ransomware attackers can demand many times that much from the victims.

Change Healthcare had initially told the Securities and Exchange Commission (SEC) that it suspected a nation-state-associated bad actor could be behind the attack. Blackcat, however, is said to be a for-profit operation. It’s unknown at this point if UnitedHealth has ruled out the interference of another government. (Blackcat has denied that in a now-deleted social media post, but the honesty of a hacking collective is generally questionable.)

Like many ransomware groups, Blackcat uses multiple forms of extortion in its attacks. After it gains access, it takes sensitive data, then encrypts the system and demands a ransom both to undo the locks it has set in place and to agree not to publish the (typically sensitive) information it has obtained.

Should the company not pay, the information is generally released on either the Dark Web or a leak website.

Change Healthcare’s systems have been offline for 10 days now. The company has not signaled when it expects them to return.

“We are working on multiple approaches to restore the impacted environment and continue to be proactive and aggressive with all our systems,” the company said. “If we suspect any issue with the system, we will immediately take action.”