Washington Post
Hacking gang behind pharmacy chaos shuts down again. Will it matter?
ALPHV has vanished before, only to come back. Meanwhile, the hack continues to stymie the provision of medical care.
A notorious ransomware gang said Tuesday that it had shut down, but it left American prescription services in continued chaos after two weeks, showing the difficulty in trying to counter an enormous, shape-shifting criminal economy.
ALPHV, the gang blamed for the massive Feb. 21 attack on UnitedHealth Group's Change Healthcare unit, took in a ransom payment of $22 million before shutting down and will probably reemerge under a new name, as its core group has done before, analysts said.
Change Healthcare, which provides a critical link between insurance companies and medical providers, did not confirm or deny making the payment, while a hacker who claimed to have breached the company complained that ALPHV had not provided a promised share of the proceeds. The person posted on a criminal discussion forum that he still had the data on consumers as well as the decryption key Change would need to unlock the files on its network.
It was a fittingly unsatisfying end to one of the worst ransomware attacks on essential American infrastructure since the Colonial Pipeline hack almost three years ago: Change Healthcare is trying to recover, its business partners and helpless consumers are adrift, the criminals are at large, and the money that changed hands will probably fund more wrongdoing.
The cyclical churn of ransomware gangs frustrates law enforcement agencies, cyberdefense officials and private researchers who have worked together for years to battle the many-headed Hydra of organized cybercrime.
By many measures, the defenders are winning more fights than ever before. There have been significant arrests in some countries, and the authorities have disrupted gangs by hacking their servers and snooping on their conversations. They have broken up not just some of the groups but also the underground marketplaces and electronic fund mixers that obfuscate the money trail.
"2023 was a banner year for us in conducting impactful operations," FBI Deputy Assistant Director Brett Leatherman said in an interview.
Leatherman cited takedowns of the ransomware group Hive, which included recovering decryption keys that helped hundreds of victims get their files back, and Genesis Marketplace, a giant bazaar for stolen data, malicious software and services, and illicit access to potential targets.
In some of those cases, the FBI and partners in other countries pulled the trigger not when they thought they could do the most damage to the gangs but when they could provide the most help to the victims, through recovered keys or hacked crypto accounts.
And the number of ransomware payments did drop, said Jacqueline Koven, head of threat intelligence at Chainalysis, which tracks crypto transactions.
But the visible amount paid to criminals in 2023 rose in total, topping $1 billion for the first time, as hackers like those working with ALPHV turned their attention to better-defended deep pockets, "big-game hunting," Koven called it.
What has been effective, according to Koven and others who have worked with the FBI, is a more sophisticated, multifaceted approach to defense against hackers. Not just technical takedowns of the dark-web sites used for posting leaked data and negotiating ransom payments, not just arrests, but financial sanctions that make paying ransoms to some gangs a criminal offense.
Perhaps most important, researchers say, has been the ability of the FBI and others to sow distrust inside the gangs and those who work with them, including the hackers known as affiliates who do the digital breaking and entering before installing one or another brand of encryption software.
"These takedowns, with arrests and seizure of data, have all increased the cost of doing business," Koven said, noting that even some Russian underground forums and tech providers now ban ransomware groups.
After seizing control last month of the dark-web site used for leaks from LockBit, the most prolific ransomware group, the FBI, Britain's National Crime Agency and Europol posted their own countdown clocks to leaking more information about LockBit and its affiliates.
Some LockBit affiliates are nervously waiting to see whether they will hear from the FBI because of the core gang's security lapses.
"Publicly demonstrating our capability, and publicly demonstrating to the affiliates in some cases the lack of operational security, is important," Leatherman said. "We are certainly engaging some of these actors to collect evidence as part of our investigative mission."
LockBit opened a new leak site and has claimed to be back in business. But Leatherman said the leaks are from old victims, and it might be a long time, if ever, before the gang