From CISO Marketplace

ALPHV/BlackCat Ransomware

Threat Intelligence

Definition

A sophisticated ransomware-as-a-service group known for pioneering triple extortion tactics, being the first major group to write ransomware in Rust, and conducting the February 2024 Change Healthcare attack that disrupted US healthcare payment processing for months and caused an estimated $872 million in losses to UnitedHealth Group.

Technical Details

ALPHV (known publicly as BlackCat) emerged in November 2021 as a successor to the DarkSide/BlackMatter ransomware operations. The group distinguished itself technically by writing their ransomware entirely in Rust — a memory-safe programming language that provided significant cross-platform capabilities (encrypting Windows, Linux, and VMware ESXi environments with the same codebase) and made analysis and reverse engineering more challenging. The Rust-based encryptor used ChaCha20 or AES for file encryption (configurable per deployment) with RSA-2048 asymmetric key protection.

ALPHV pioneered the 'triple extortion' model: (1) encrypting victim data for operational disruption, (2) exfiltrating data and threatening public release on their leak site, and (3) directly contacting customers, regulators, or journalists about the breach to maximize pressure on the victim. The group operated a highly professional affiliate program with an 80-90% affiliate payment split and offered affiliates access to negotiation support and a dark web infrastructure. They also created a public-facing 'victim shaming' site and in some cases made stolen data searchable.

The Change Healthcare attack in February 2024 was the most consequential healthcare ransomware attack in US history. ALPHV affiliates gained initial access via compromised credentials to Citrix remote access (without MFA), then moved laterally for approximately nine days before deploying ransomware. Change Healthcare processed roughly 15 billion healthcare transactions annually — representing about 40% of US healthcare claims. The disruption prevented pharmacies, hospitals, and medical practices from processing insurance claims for weeks to months, directly impacting patient care and creating cash flow crises for thousands of providers. UnitedHealth Group paid approximately $22 million in ransom.
In a remarkably brazen turn, after receiving the ransom payment, the ALPHV affiliate who conducted the attack claimed that ALPHV exit-scammed them — taking the ransom payment without providing the promised data deletion or full decryption key. The affiliate then partnered with another group (RansomHub) to re-extort Change Healthcare with the same stolen data. ALPHV appeared to execute a deliberate 'exit scam' on their affiliates and then dissolved, with many migrating to RansomHub.

Practical Usage

The Change Healthcare attack provides the definitive case study for why MFA is non-negotiable on any remote access infrastructure. The attackers used stolen credentials to access a Citrix portal that lacked MFA — a control gap that enabled one of the costliest cyberattacks in US history. Every healthcare organization and critical infrastructure operator should treat this as a direct lesson: remote access without MFA is unacceptable regardless of convenience concerns or legacy system constraints.

For healthcare sector security teams specifically, Change Healthcare demonstrated the catastrophic downstream impact of healthcare payment processor compromises. Third-party risk management programs must identify and assess 'single points of failure' — vendors whose compromise would materially disrupt the organization's ability to operate. Healthcare organizations should have contingency plans for operating without key third-party clearinghouse or payment processing vendors, including manual fallback procedures.

From an incident response perspective, the ALPHV attack illustrates the challenge of negotiating with ransomware groups that may not honor commitments even after payment. Organizations should work with specialized ransomware negotiation firms and law enforcement before paying any ransom, understand that payment does not guarantee data deletion, and plan for continued extortion attempts using the same exfiltrated data even after an initial payment. The Change Healthcare situation — where the data was later used in a second extortion attempt — shows that paying one ransom does not resolve the underlying data exposure risk.
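The control gap described above (password-only logins to a remote access gateway) is something a defender can audit continuously. The following is an added example, not code from CISO Marketplace or from any Citrix product: it parses constructed gateway authentication log lines (the field names user, src, result and mfa are assumptions for the example) and reports successful remote logins that completed without a second factor.

```python
import re
from collections import Counter

# Constructed sample log lines modelled on a generic remote-access gateway
# audit log. The format and field names are assumptions for this example,
# not the log format of any specific vendor.
SAMPLE_LOG = """\
2024-02-12T03:14:07Z gw01 auth user=jsmith src=203.0.113.44 result=success mfa=otp
2024-02-12T03:15:21Z gw01 auth user=svc-backup src=198.51.100.9 result=success mfa=none
2024-02-12T03:16:02Z gw01 auth user=svc-backup src=198.51.100.9 result=success mfa=none
2024-02-12T03:18:45Z gw01 auth user=mlee src=192.0.2.77 result=failure mfa=none
2024-02-12T03:20:10Z gw01 auth user=akhan src=203.0.113.80 result=success mfa=push
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


def parse_auth_log(text):
    """Parse gateway auth lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_mfa_gaps(events):
    """Return successful remote logins that completed with no second factor.

    One hit is an alert-worthy policy violation; repeated hits for the same
    account show a standing gap of the kind exploited at Change Healthcare.
    """
    return [e for e in events if e["result"] == "success" and e["mfa"] == "none"]


def summarize_gaps(gaps):
    """Count password-only successes per account, noisiest account first."""
    return Counter(e["user"] for e in gaps).most_common()


if __name__ == "__main__":
    gaps = find_mfa_gaps(parse_auth_log(SAMPLE_LOG))
    for user, n in summarize_gaps(gaps):
        print(f"{user}: {n} successful login(s) without MFA")
```

Failed attempts are deliberately excluded so the report lists only sessions that were actually granted without MFA; feed it the gateway's real export after adapting LINE_RE to that format.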

Related Terms

LockBit, RansomHub, Triple Extortion, Ransomware-as-a-Service, Change Healthcare