UnitedHealth Pays $22M To Ransomware Group Behind Change Healthcare Cyberattack: Reports

‘There’s proof of a large amount [of bitcoins] landing in the AlphV-controlled Bitcoin wallet,’ says Dmitry Smilyanets, product management director at security firm Recorded Future.

Following a devastating cyberattack on Change Healthcare last month, multiple reports indicate that the medical firm paid the cybercriminals responsible $22 million in cryptocurrency to regain access to its systems.

The cybercriminal group known by the names Blackcat and AlphV has claimed responsibility for the massively disruptive ransomware attack against Change Healthcare, a unit of UnitedHealth Group’s Optum subsidiary.

CRN viewed screenshots taken by researchers on the social media platform X, formerly known as Twitter, including from Dmitry Smilyanets, product management director at security firm Recorded Future.

“There’s proof of a large amount [of bitcoins] landing in the AlphV-controlled Bitcoin wallet,” Smilyanets said on X. “And this affiliate connects this address to the attack on Change Healthcare. So it’s likely that the victim paid the ransom.”

Researchers from blockchain analysis company TRM Labs also verified the $22 million Bitcoin payment to the cybercriminals.

350 Bitcoins Sent To AlphV Address

On March 1, security researchers observed a bitcoin address affiliated with the AlphV and Blackcat ransomware group receive 350 bitcoins in a single transaction, worth around $22 million based on exchange rates.

A few days later, posts on the cybercriminal underground forum RAMP pointed to a $22 million transaction on Bitcoin’s blockchain that helped verify the ransomware payment, according to researchers.

When questioned about the alleged payment by CRN, a UnitedHealth spokesperson said, “We are focused on the investigation and restoring operations at Change.”

The company did not address the alleged bitcoin payment to the AlphV and Blackcat ransomware group.

The Change Healthcare Cyberattack

Last month, hackers crippled pharmacies and many hospitals across the country by gaining access to Change Healthcare, which led to delays in the delivery of prescription drugs.

The Russian-speaking cybercriminal gang known as AlphV and Blackcat claimed responsibility and said on its dark web site that it exfiltrated 6 TB of data in the attack against Change Healthcare.

The attack has prevented some U.S.-based pharmacies and hospitals, as well as other health-care facilities and offices, from processing claims and receiving payments.

In a statement to CRN last week, UnitedHealth said it has seen “minimal reports” of patients being unable to access prescriptions.

In part this is because more than 90 percent of U.S.-based pharmacies are believed to use “modified electronic claim processing to mitigate impacts from the Change Healthcare cybersecurity issue,” UnitedHealth said.