back to article Change Healthcare faces second ransomware dilemma weeks after ALPHV attack

Change Healthcare is allegedly being extorted by a second ransomware gang, mere weeks after recovering from an ALPHV attack. RansomHub claimed responsibility for attacking Change Healthcare in the last few hours, saying it had 4 TB of the company's data containing personally identifiable information (PII) belonging to active …

  1. cyberdemon Silver badge
    Facepalm

    Let that be a lesson

    The worst thing you can possibly do is pay the scum

    Paying a ransom (unless authorised as part of a credible police sting) needs to be a criminal offence

    1. usbac

      Re: Let that be a lesson

      Many years ago, I posted the idea of paying a ransom being a criminal offense. I got down-voted heavily on that comment. I also received tons of criticism followed by all kinds of pathetic reasons why companies need to be able to pay ransoms.

      I'm glad everyone is starting to see the reasons why this just has to be the case.

      1. mikus

        Re: Let that be a lesson

        Likely by the same incompetent CISO/CIO's that allow this sort of thing to happen under their watch fearful for their own careers.

        Like the Solarwinds CISO getting sued for gross negligence, Change Healthcare's management should as well, first for being lazy/stupid to let it happen in the first place, for even considering paying the fine let alone doing so as they did, and for letting it happen AGAIN not learning from the first.

        Organizations like these are so broken it's laughable, but this is how most run businesses operate still I deal with in consulting still in 2024.

        Guess what everyone, medical insurance rates are going up again to pay for their mistakes. North Korea thanks you for your continued support.

        1. hoola Silver badge

          Re: Let that be a lesson

          As usual it is always easy to be critical from the side lines with no knowledge or understanding of what actually took place.

          Not every security event is a result of incompetence or negligence. It is also vey easy to say something could have been avoided with hindsight.

          If there is actual negligence then it should be easy enough to take action.

          1. Wzrd1 Silver badge

            Re: Let that be a lesson

            "If there is actual negligence then it should be easy enough to take action."

            No, no negligence at all, the malware fairy dropped off malware to hose the systems.

            But, rather than providing healthcare, they're now paying out to criminals. Maybe they'll at least be able to cover euthanasia.

      2. VicMortimer Silver badge
        Thumb Up

        Re: Let that be a lesson

        I've been saying it for a while too.

        Lately, most of the stupid have come around, years late, but at least they've finally realized we're right.

        Make it a real crime to pay, put a couple CEOs in prison for paying, and ransomware will stop being a problem because it will be unprofitable. It really is that simple a problem to solve.

    2. flayman

      Re: Let that be a lesson

      "Paying a ransom (unless authorised as part of a credible police sting) needs to be a criminal offence"

      I think that's taking it too far. You might as well say that in relation to any extortion attempt. Paying the mafia to take out the garbage in your office building should be a criminal offence. Yeah, well failure to do so will get your legs broken. This is the nature of duress.

    3. Anonymous Coward
      Anonymous Coward

      Re: Let that be a lesson

      The question we all should ask is was the ransom the point? I'm sure there are plenty of countries that do these things that aren't interested in money or fame. Even so called "friendly" countries.

      "belonging to active US military personnel" makes me think there could be an ulterior motive at play.

  2. Pascal Monett Silver badge

    "It's a stark reminder"

    It's almost a mistake, PR-wise. Indeed, now the scum have demonstrated publicly, in less than a month, that they will go back after targets that have previously paid up.

    Boards everywhere should be paying attention here. You get hit, you'll get hit again if you pay.

    Stop paying. It's the only solution.

    Once you've secured your network properly, that is.

    1. VicMortimer Silver badge

      Re: "It's a stark reminder"

      Saying "stop paying" doesn't work.

      Making it a crime to pay works. CEOs don't want to go to prison.

  3. Sparkus

    Eggs.....

    Meet Basket. At the very least this should prompt all Healthcare CEOs to re-evaluate their dependency on single-source (lock-in) service providers like Optum.

    Doesn't matter that Optum is a 'victim' here.

  4. Frank Bitterlich

    Give them a second, they're almost there...

    "So you want proof that paying criminals enables them to do more crime? Just a sec, here, hold my beer..."

  5. ecofeco Silver badge
    Facepalm

    Are you effing kidding?

    Why am I not surprised?

  6. Jonno
    Holmes

    Fool me once...

    Shame on you. Fool me twice... shame on me or whatever FDR said...

    1. Someone Else Silver badge

      Re: Fool me once...

      No, no, no, silly! It's:

      “There's an old saying in Tennessee — I know it's in Texas, probably in Tennessee — that says, fool me once, shame on — shame on you. Fool me — you can't get fooled again.”

      And it wasn't FDR, it was GWB.

      1. Jonno

        Re: Fool me once...

        I stand corrected :D

  7. Bob Whitcombe

    Lack of National Cyber-Defense is fucking us all

    The first step in a National Cyber-Defense is to create a cyber priority for business operations. Right now it is an externality. If I am the service member whose data is released, I become the target of phishers, swishers and other attacks. Change Health has no fiscal liability for the costs I incur to get my cyber-slate cleaned. They may offer a useless insurance warranty for the "next" attack - but currently have no legal obligation to make me whole. Nothing changes until that loophole is closed.

  8. ShortLegs

    Seriously? Making paying a crime?

    That sone step away from making it a crime to hand over your wallet to a mugger. Armed with a knife.

    Or the very real low level extortion whereby pets are kidnapped and held to ransom. Should we prosecute and imprison 68yr old Mrs Smith for paying to get Tiddles back?

    According to the logic displayed by posters here, blackmail and extortion has only criminals and never victims.

    Just remember that until a COURT finds a company or individual guilty of negligence, or an offence, then the CISO/CITO/whomever has not committed any crime.

    Anything else is lynch-mob mentality. There is a basic principle of justice called "innocent until proven guilty".

    1. IanRS

      Legality of paying

      US law does not currently prohibit paying a ransom for people or goods, and data possibly falls under 'goods', but it does prohibit paying people or organisations on various sanctions lists, which can include known members of ransomware groups or the groups themselves. Hence paying a ransom may or may not already be illegal, depending on who gets the money.

      1. flayman

        Re: Legality of paying

        That would be paying for goods and services or making donations, not paying someone who mugs you. Where duress is involved, I seriously doubt there could ever be the necessary intent ingredients, i.e. mens rea, to establish a crime.

    2. Cav Bronze badge

      Hyperbolic nonsense. The crime only exists because companies keep paying, in this case twice. Ban payment and the crime will stop.

      1. flayman

        No, THIS is nonsense. It will never ever fly. It goes against natural justice to turn victims of extortion into criminals for acting out of fear. I do not want to live in a society that deems this acceptable. Acquiescing to threats by simply handing over money can never be a crime.

        Plus, we're actually talking about property, whether it's the property of the company or the property of the company's customers. The fact that it's digital doesn't make any difference. As a legal person, the company has rights with regard to property. It will also be legally obligated to safeguard its customers' personal data as far as practical. You have not thought it through.

        You cannot force victims to rely on law enforcement. The idea that it's illegal to pay a ransom "unless authorised as part of a credible police sting" (as I've seen suggested) is laughable.

        1. katrinab Silver badge
          Megaphone

          The only way to stop people from doing this in future is to cut off the money supply. If you keep paying them large sums of money every time they do it, they will keep doing it.

          Therefore, it absolutely needs to be made illegal.

    3. katrinab Silver badge
      Megaphone

      “Should we prosecute and imprison 68yr old Mrs Smith for paying to get Tiddles back?”

      Yes. When we changed the law in the UK to do that, kidnappings stopped pretty much overnight.

  9. Bitbeisser

    If they only would have spend half of that money to actual make sure their data is secure.....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like