Firm Pays $22 Million Ransom … Hackers Keep the Data Anyway

A recent ransomware attack illustrates why an attacked company that pays ransom shouldn’t expect the hackers to live up to their end of the bargain. Once upon a time, cyber thieves did exhibit a modicum of honor. They’d unlock a hacked company’s system and dutifully destroy the stolen data once they received payment, more often than not.

Those days are long gone. Hackers are more likely to sell stolen data to rival cyber crooks (who knows, maybe they’re all friends!) according to experts like Dauntless Discovery. Companies keep learning the hard way that paying a ransom won’t necessarily prevent thieves from publishing customer data on the dark web.

Hackers Demand Ransom & Wreak Havoc

Near the end of February, hackers affiliated with the notorious group BlackCat infiltrated Change Healthcare’s (CH) billing and care authorization portals. CH processes more than 14 billion transactions along healthcare technology “pipelines” including Medicare. The attack made it nearly impossible for pharmacies nationwide to process prescriptions electronically.

Healthcare providers and hospitals are still waiting to get paid for services. Many sick and elderly people can’t get their prescriptions due to provider denials. The Centers for Medicare and Medicaid Services is now advising doctors’ offices, hospitals and pharmacies to process prescriptions using paper and make copies of records.

“This massive breach and its wide-ranging repercussions have hit physician practices across the country, risking patients’ access to their doctors and straining viability of medical practices themselves,” says Dr. Jesse Ehrenfeld, president of the American Medical Association.

It’s a good bet that CH couldn’t: 1) verify the level of patient data the hackers stole, or 2) didn’t back up patient data so it would be prepared for an attack of this nature. Reason: Companies are paying ransom to attackers much less frequently than five years ago because they’re doing a much better job of backing up and securing data. About 85% of hacked firms paid ransom in 2019 compared to just 29% in late 2023.

CH apparently got nervous and paid $22 million in Bitcoin to BlackCat “for a decryption key and to prevent four terabytes of stolen data from being published online,” according to cyber blog KrebsOnSecurity. But unfortunately, “the cybercriminal who claims to have given BlackCat access to [CH’s] network says the crime gang cheated them out of their share of the ransom” and is now holding on to CH’s data.

The FBI and Interpol are working together to arrest members of the BlackCat crime ring. Their mission could get a little tricky: BlackCat just shut down its dark web site and isn’t communicating online. Meanwhile CH is facing tough questions from lawmakers, regulators and angry patients. There’s a decent chance the company doesn’t survive the fallout.