
Change Healthcare's cyberattack casts a light into how cybercriminal groups work

ROB SCHMITZ, HOST:

The health care industry is still struggling to overcome a February cyberattack that hit the IT company, Change Healthcare. The group behind the attack is part of a professionalized ecosystem that profits off companies' digital security failings. NPR's Jenna McLaughlin reports.

JENNA MCLAUGHLIN, BYLINE: On Wednesday, February 21, a relatively unknown IT company called Change Healthcare announced it was the victim of a cyberattack. The group of hackers behind it, who go by the name BlackCat, demanded a ransom of $22 million to return the company's data. The hack was devastating. While Change Healthcare isn't a household name, it plays a central role in verifying and processing payments between insurance companies and providers.

Right now, according to a source with knowledge of the situation, the company is still struggling to bring basic functionalities back online. Publicly, Change Healthcare has said it hopes to start restoring those services next week. The response is ongoing, but the breach provides a window into how these criminal ransomware gangs operate. Ram Elboim, the CEO of cybersecurity company Sygnia, has tracked BlackCat for years. Here's how he describes them.

RAM ELBOIM: What makes them, I would say, unique is the viciousness, if we can call it, of the attacks.

MCLAUGHLIN: Elboim says BlackCat sells its malicious code to affiliates, taking a cut of the profits. They even provide human resources, a platform to negotiate payments with victims and a public leak site. The criminal ecosystem of ransomware continues to thrive. That's partially because these groups often live outside the reach of U.S. law enforcement. A senior administration official tells NPR that many of these hackers operate with impunity somewhere inside Russia.

BlackCat emerged out of the ashes of another group that might be familiar, called DarkSide. In May 2021, that group attacked Colonial Pipeline, leaving half the eastern seaboard without fuel for days. At that time, ransomware groups were at least publicly hesitant to target critical infrastructure. But all that seems to have changed in recent years. Here's how Steve Cagle, the CEO of the health care cyber security company Clearwater, described this shift in a briefing for the health care industry in early March.

(SOUNDBITE OF ARCHIVED RECORDING)

STEVE CAGLE: The other thing I'll mention about BlackCat is this is an organization that the FBI was able to, in some respects, enforce seizure of their sites. They reemerged. And we reported a couple of months ago they removed all restrictions against hospitals and, practically speaking, encourage their affiliates to go after hospitals and raise their commission rate to 90%.

MCLAUGHLIN: The FBI's annual Internet Crime Report confirms that health care and public health were the top sectors impacted by ransomware in 2023. As for BlackCat, they actually received that $22 million ransom, presumably from Change Healthcare or its parent company. The group then disappeared, though experts say its members are likely to rebrand and wreak havoc again.

Jenna McLaughlin, NPR News. Transcript provided by NPR, Copyright NPR.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.

Jenna McLaughlin
Jenna McLaughlin is NPR's cybersecurity correspondent, focusing on the intersection of national security and technology.