Change Healthcare, which provides a critical link between insurance companies and medical providers, did not confirm or deny making the payment, while a hacker who claimed to have breached the company complained that ALPHV had not provided a promised share of the proceeds. The person posted on a criminal discussion forum that he still had the data on consumers as well as the decryption key Change would need to unlock the files on its network.
It was a fittingly unsatisfying end to one of the worst ransomware attacks on essential American infrastructure since the Colonial Pipeline hack almost three years ago: Change Healthcare is trying to recover, its business partners and helpless consumers are adrift, the criminals are at large, and the money that changed hands will probably fund more wrongdoing.
The cyclical churn of ransomware gangs frustrates law enforcement agencies, cyberdefense officials and private researchers who have worked together for years to battle the many-headed Hydra of organized cybercrime.
By many measures, the defenders are winning more fights than ever before. There have been significant arrests in some countries, and the authorities have disrupted gangs by hacking their servers and snooping on their conversations. They have broken up not just some of the groups but also the underground marketplaces and electronic fund “mixers” that obfuscate the money trail.
“2023 was a banner year for us in conducting impactful operations,” FBI Deputy Assistant Director Brett Leatherman said in an interview.
Leatherman cited takedowns of the ransomware group Hive, which included recovering decryption keys that helped hundreds of victims get their files back, and Genesis Marketplace, a giant bazaar for stolen data, malicious software and services, and illicit access to potential targets.
In some of those case, the FBI and partners in other countries pulled the trigger not when they thought they could do the most damage to the gangs but when they could provide the most help to the victims, through recovered keys or hacked crypto accounts.
And the number of ransomware payments did drop, said Jacqueline Koven, head of threat intelligence at Chainalysis, which tracks crypto transactions.
But the visible amount paid to criminals in 2023 rose in total, topping $1 billion for the first time, as hackers like those working with ALPHV turned their attention to better-defended deep pockets — “big-game hunting,” Koven called it.
What has been effective, according to Koven and others who have worked with the FBI, is a more sophisticated, multifaceted approach to defense against hackers. Not just technical takedowns of the dark-web sites used for posting leaked data and negotiating ransom payments, not just arrests, but financial sanctions that make paying ransoms to some gangs a criminal offense.
Perhaps most important, researchers say, has been the ability of the FBI and others to sow distrust inside the gangs and those who work with them, including the hackers known as “affiliates” who do the digital breaking and entering before installing one or another brand of encryption software.
“These takedowns, with arrests and seizure of data, have all increased the cost of doing business,” Koven said, noting that even some Russian underground forums and tech providers now ban ransomware groups.
After seizing control last month of the dark-web site used for leaks from LockBit, the most prolific ransomware group, the FBI, the United Kingdom’s National Crime Agency and Europol posted their own countdown clocks to leaking more information about LockBit and its affiliates.
Some LockBit affiliates are nervously waiting to see whether they will hear from the FBI because of the core gang’s security lapses.
“Publicly demonstrating our capability, and publicly demonstrating to the affiliates in some cases the lack of operational security, is important,” Leatherman said. “We are certainly engaging some of these actors to collect evidence as part of our investigative mission.”
LockBit opened a new leak site and has claimed to be back in business. But Leatherman said the leaks are from old victims, and it might be a long time, if ever, before the gang can get enough affiliates to become the same force it was.
As for ALPHV, the FBI said in December that it had disrupted the group, only to have it resurface and encourage its affiliates to go after hospitals and other critical infrastructure they had been avoiding.
That takedown may have backfired and led to the current spate of health-care attacks and the crisis at pharmacies that can’t tell which customers are insured for which medicines.
But the fight over the disappearing $22 million, and the apparent disappearance of ALPHV itself, will at least increase the mutual suspicion that the FBI has been stoking in the world of virtual gangsters.
“What gives me hope is that I think the ecosystem is a lot smaller. There’s a smaller number of people in ransomware than it might appear,” said Koven, a former intelligence agency analyst.