{"id":87489,"date":"2024-11-26T09:00:57","date_gmt":"2024-11-26T17:00:57","guid":{"rendered":"https:\/\/forescoutstage.wpengine.com\/?p=87489"},"modified":"2024-11-27T06:25:14","modified_gmt":"2024-11-27T14:25:14","slug":"analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack","status":"publish","type":"post","link":"https:\/\/www.forescout.com\/blog\/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack\/","title":{"rendered":"Analysis: A New Ransomware Group Emerges from the Change Healthcare Cyber Attack"},"content":{"rendered":"<p><em>Updated November 2024<\/em><\/p>\n<p>Billing systems for Change Healthcare are now back up and running nine months after the ransomware attack on this major clearinghouse for billing and payment processing, according to GovTech. Owned by UnitedHealthGroup, Change Healthcare fell victim to one of the largest ransomware attacks in history in February after it was discovered it did not use multifactor authentication on some of its systems.<\/p>\n<p>The impact was severe, according to a survey by the American Hospital Association.<\/p>\n<ul>\n<li>94% of all hospitals in the US were hurt financially<\/li>\n<li>74% of hospitals reported direct patient care impact<\/li>\n<li>Nearly 40% of patients had difficulty accessing care due to authorization delays<\/li>\n<li>67% of hospitals found it was \u201cdifficult or very difficult\u201d to switch clearinghouses<\/li>\n<\/ul>\n<p>The attack compromised personal health data of over 100 million people, according to a breach report filed with the Office for Civil Rights via the U.S. 
Department of Health and Human Services.<\/p>\n<p><em>Originally posted May 2024<\/em><\/p>\n<p>As the full scope of the <a href=\"https:\/\/www.wsj.com\/articles\/change-healthcare-hack-what-you-need-to-know-45efc28c\" target=\"_blank\" rel=\"noopener\">Change Healthcare cyber attack<\/a> and ransomware story unfolds, a new leading gang has emerged known as \u2018RansomHub\u2019. This \u2018new\u2019 group has been claiming more victims since the massive February ransomware and data breach attack.<\/p>\n<p>On April 8, <a href=\"\/research-labs\/\">Forescout Research \u2013 Vedere Labs<\/a> obtained samples used by RansomHub affiliates in a separate incident. Here is our analysis of:<\/p>\n<ul>\n<li>The new group\u2019s background information<\/li>\n<li>The auxiliary files<\/li>\n<li>The encryptor<\/li>\n<li>Similarities to ALPHV\u2019s TTPs<\/li>\n<\/ul>\n<p>The figure below shows a simplified timeline of the story detailed in this post.<\/p>\n<p><center><br \/>\n<a href=\"\/wp-content\/uploads\/2024\/05\/FS-VL-RansomHub_Chart-Timeline-A.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-87497\" src=\"\/wp-content\/uploads\/2024\/05\/FS-VL-RansomHub_Chart-Timeline-A.jpg\" alt=\"\" width=\"1000\" height=\"auto\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/FS-VL-RansomHub_Chart-Timeline-A.jpg 1920w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/FS-VL-RansomHub_Chart-Timeline-A-300x152.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/FS-VL-RansomHub_Chart-Timeline-A-1024x519.jpg 1024w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/FS-VL-RansomHub_Chart-Timeline-A-768x390.jpg 768w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/FS-VL-RansomHub_Chart-Timeline-A-1536x779.jpg 1536w\" sizes=\"(max-width: 1920px) 100vw, 1920px\" \/><\/a><\/center>\n<h2>The Change Healthcare cyber attack and RansomHub\u2019s break from ALPHV<\/h2>\n<p>ALPHV\u2019s cyber attack on Change 
Healthcare is one of the most impactful in history. Change Healthcare is one of the largest health payment processing companies in the world \u2013 and is a subsidiary of United Healthcare. As a clearing house for 15 billion medical claims a year, it makes up <a href=\"https:\/\/energycommerce.house.gov\/posts\/what-we-learned-change-healthcare-cyber-attack\" target=\"_blank\" rel=\"noopener\">nearly 40% of all claims<\/a>.<\/p>\n<p>The attack has had severe implications for the affected organization and its customers. It has also put a new spotlight on the ransomware scene. RansomHub is <a href=\"https:\/\/www.scmagazine.com\/news\/change-healthcare-breach-data-may-be-in-hands-of-new-ransomware-group\" target=\"_blank\" rel=\"noopener\">recruiting former ALPHV affiliates<\/a> after the former group\u2019s \u2018exit scam\u2019.<\/p>\n<p>On February 12, ALPHV ransomware affiliate \u201cNotchy\u201d <a href=\"https:\/\/www.wired.com\/story\/alphv-change-healthcare-ransomware-payment\/\" target=\"_blank\" rel=\"noopener\">compromised Change Healthcare<\/a>, a large payment management company connecting more than 1.6 million health professionals, 70,000 pharmacies and 8,000 healthcare facilities in the US healthcare system.<\/p>\n<p>The attackers <a href=\"https:\/\/d1dth6e84htgma.cloudfront.net\/Witty_Testimony_OI_Hearing_05_01_24_5ff52a2d11.pdf\" target=\"_blank\" rel=\"noopener\">leveraged compromised credentials<\/a> on Citrix remote-access software that did not have multi-factor authentication enabled. Following lateral movement and data exfiltration, they deployed the ransomware nine days later. 
It\u2019s had a reported financial <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/unitedhealth-change-healthcare-cyberattack-caused-872-million-loss\/\" target=\"_blank\" rel=\"noopener\">impact of $872 million<\/a>, and included the exfiltration of <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ransomware-gang-claims-they-stole-6tb-of-change-healthcare-data\/\" target=\"_blank\" rel=\"noopener\">6TB of sensitive data<\/a>. It has taken <a href=\"https:\/\/www.unitedhealthgroup.com\/newsroom\/2024\/2024-04-22-uhg-updates-on-change-healthcare-cyberattack.html\" target=\"_blank\" rel=\"noopener\">months to restore systems<\/a> and the company has had at least two <a href=\"https:\/\/therecord.media\/unitedhealth-group-change-healthcare-ransomware-congress\" target=\"_blank\" rel=\"noopener\">congressional testimonies<\/a>.<\/p>\n<p><em>Learn more: Watch United Healthcare\u2019s CEO speak with the US <\/em><em>Committee on Energy and Commerce about the attack<\/em>:<\/p>\n<p><iframe loading=\"lazy\" title=\"YouTube video player\" src=\"https:\/\/www.youtube.com\/embed\/oIdZmlBRZW0?si=KT6wMSj_ALK5eVol\" width=\"560\" height=\"315\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<p>There\u2019s more. Change Healthcare <a href=\"https:\/\/www.wired.com\/story\/change-healthcare-admits-it-paid-ransomware-hackers\/\" target=\"_blank\" rel=\"noopener\">paid $22 million in ransom<\/a> to ALPHV, which then appeared not to share the payment with Notchy. Notchy and <a href=\"https:\/\/twitter.com\/vxunderground\/status\/1777374367854297433\" target=\"_blank\" rel=\"noopener\">several other former ALPHV affiliates<\/a> then moved over to a new ransomware operation: RansomHub \u2014 which has been growing very quickly ever since. 
RansomHub <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ransomware-gang-starts-leaking-alleged-stolen-change-healthcare-data\/\" target=\"_blank\" rel=\"noopener\">started leaking<\/a> Change Healthcare files on April 15 and extorted the company a <em>second<\/em> time \u2014 claiming that the original payment did not go to the right people.<\/p>\n<h2>RansomHub RaaS: From RAMP to Change Healthcare and beyond<\/h2>\n<p>RansomHub was announced as a new ransomware-as-a-service (RaaS) affiliate program on the well-known RAMP cybercriminal forum on February 2 by \u201ckoley\u201d. The forum message (shown in the figure below) had details on:<\/p>\n<ul>\n<li>The \u201clocker\u201d encrypting malware developed by the group and leased to affiliates.<\/li>\n<li>The \u201cpanel\u201d used by affiliates to manage negotiations with victims.<\/li>\n<li>The \u201cticket\u201d conditions to join their program.<\/li>\n<li>The \u201crules\u201d that affiliates must follow when in the program.<\/li>\n<\/ul>\n<p>As a <a href=\"\/blog\/ttps-how-to-prevent-and-detect-ransomware-attacks\/\">modern ransomware<\/a>, it is written in Golang and C++. It supports Windows, Linux, ESXi and devices running on MIPS architectures. 
An interesting characteristic is that the program pays the affiliates first, who then pay RansomHub itself \u2013 a very different model from ALPHV and probably what attracted many disgruntled affiliates from other programs.<\/p>\n<p><center><br \/>\n<a href=\"\/wp-content\/uploads\/2024\/05\/screenshot_1.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-87494\" src=\"\/wp-content\/uploads\/2024\/05\/screenshot_1.jpg\" alt=\"\" width=\"800\" height=\"auto\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/screenshot_1.jpg 1400w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/screenshot_1-300x227.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/screenshot_1-1024x775.jpg 1024w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/screenshot_1-768x581.jpg 768w\" sizes=\"(max-width: 1400px) 100vw, 1400px\" \/><\/a><br \/>\n[RansomHub\u2019s first post on the RAMP Forum \u2013 LinkedIn <a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7159288343535484928\/\" target=\"_blank\" rel=\"noopener\">Screenshot<\/a>]<\/center><br \/>\nThe group claimed their first victim on February 10: YKP LTDA, a financial consulting company from Brazil. They claimed 27 other victims between February 10 and April 8, when they first added Change Healthcare to their list.\n<p>There have been in total 45 victims between February and April 30. 
A majority of victims, 13, were in the US, followed by six victims in Brazil and three victims each in the UK, Italy and Spain.<\/p>\n<p><center><a href=\"\/wp-content\/uploads\/2024\/05\/2_FS-VL-RansomHub_Chart-VictimbyCountry.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-87490\" src=\"\/wp-content\/uploads\/2024\/05\/2_FS-VL-RansomHub_Chart-VictimbyCountry.jpg\" alt=\"\" width=\"1000\" height=\"auto\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/2_FS-VL-RansomHub_Chart-VictimbyCountry.jpg 1393w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/2_FS-VL-RansomHub_Chart-VictimbyCountry-300x231.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/2_FS-VL-RansomHub_Chart-VictimbyCountry-1024x788.jpg 1024w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/2_FS-VL-RansomHub_Chart-VictimbyCountry-768x591.jpg 768w\" sizes=\"(max-width: 1393px) 100vw, 1393px\" \/><\/a><\/center>The group scaled activities by claiming four victims in February, 18 in March and 23 in April. RansomHub was the fifth most active ransomware group in April but had a similar number of incidents as LockBit, 8base, Play and Hunters \u2013 the most active groups that month. 
If they keep growing at this pace, they are set to soon become the most active ransomware group.<\/p>\n<p><center><a href=\"\/wp-content\/uploads\/2024\/05\/3_FS-VL-RansomHub_Chart-MostActiveRansomware.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-87491\" src=\"\/wp-content\/uploads\/2024\/05\/3_FS-VL-RansomHub_Chart-MostActiveRansomware.jpg\" alt=\"\" width=\"1000\" height=\"auto\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/3_FS-VL-RansomHub_Chart-MostActiveRansomware.jpg 1663w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/3_FS-VL-RansomHub_Chart-MostActiveRansomware-300x190.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/3_FS-VL-RansomHub_Chart-MostActiveRansomware-1024x650.jpg 1024w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/3_FS-VL-RansomHub_Chart-MostActiveRansomware-768x488.jpg 768w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/3_FS-VL-RansomHub_Chart-MostActiveRansomware-1536x975.jpg 1536w\" sizes=\"(max-width: 1663px) 100vw, 1663px\" \/><\/a><\/center><\/p>\n<h2>Analysis of auxiliary files: STONESTOP and POORTRY<\/h2>\n<p>We start the analysis of the incident we observed by describing the following relevant files:<\/p>\n<div class=\"c-responsive-table td-min-width-0 padding-slim th-no-wrap\">\n<table>\n<tbody>\n<tr>\n<th><strong>Filename<\/strong><\/th>\n<th><strong>Hash<\/strong><\/th>\n<th><strong>Description<\/strong><\/th>\n<\/tr>\n<tr>\n<td><strong>disableAV.bat<\/strong><\/td>\n<td><a href=\"https:\/\/www.virustotal.com\/gui\/file\/813f54d9053d91a46d9ec3381a2283f3ed8274a976e34fc795c5239fd4d01f4b\" target=\"new\" rel=\"noopener\">813f54d9053d91a46d9ec3381a2283f3ed8274a976e34fc795c5239fd4d01f4b<\/a><\/td>\n<td>A batch file used to copy and run the files that disable AV protection.<\/td>\n<\/tr>\n<tr>\n<td><strong>disableAV.bat<\/strong><\/td>\n<td><a 
href=\"https:\/\/www.virustotal.com\/gui\/file\/cc16267ba6bb49149183b6de2980824b8b4d5d1456fed51b6c5fd9099a904b50\" target=\"new\" rel=\"noopener\">cc16267ba6bb49149183b6de2980824b8b4d5d1456fed51b6c5fd9099a904b50<\/a><\/td>\n<td>A batch file used to copy and run the files that disable the AV protection. The only difference with the previous one is that this file uses the \u201ccopy\u201d command instead of \u201cxcopy\u201d.<\/td>\n<\/tr>\n<tr>\n<td><strong>2JSqT5dzNXW.exe<\/strong><\/td>\n<td><a href=\"https:\/\/www.virustotal.com\/gui\/file\/d9a24f5c62928dd9f5900b4a9d8ce9e09b73509bc75537c223532ebf8c22e76d\" target=\"new\" rel=\"noopener\">d9a24f5c62928dd9f5900b4a9d8ce9e09b73509bc75537c223532ebf8c22e76d<\/a><\/td>\n<td>An executable that loads a malicious driver (<strong>aSCGa.sys<\/strong>) and issues commands to it.<\/td>\n<\/tr>\n<tr>\n<td><strong>aSCGa.sys<\/strong><\/td>\n<td><a href=\"https:\/\/www.virustotal.com\/gui\/file\/9d3a9b9875175acfa8caabbb773e0723b83735a89969c581c0dfd846476378a5\" target=\"new\" rel=\"noopener\">9d3a9b9875175acfa8caabbb773e0723b83735a89969c581c0dfd846476378a5<\/a><\/td>\n<td>A malicious driver that is used to disable the AV protection.<\/td>\n<\/tr>\n<tr>\n<td><strong>PSEXESVC.exe<\/strong>\n<p><strong>psexec.exe<\/strong> <strong>PsExec.exe<\/strong><\/td>\n<td><a href=\"https:\/\/www.virustotal.com\/gui\/file\/cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e\" target=\"new\" rel=\"noopener\">cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e<\/a>\n<p><a href=\"https:\/\/www.virustotal.com\/gui\/file\/a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4\" target=\"new\" rel=\"noopener\">a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4<\/a><\/p>\n<p><a href=\"https:\/\/www.virustotal.com\/gui\/file\/078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b\" target=\"new\" 
rel=\"noopener\">078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b<\/a><\/td>\n<td>Three variants of a lightweight Telnet replacement tool from Microsoft that allows executing processes on remote systems. This tool is part of <a href=\"https:\/\/learn.microsoft.com\/en-us\/sysinternals\/downloads\/sysinternals-suite\">Microsoft\u2019s Sysinternals Suite<\/a>; bad actors typically use it for lateral movement.<\/td>\n<\/tr>\n<tr>\n<td><strong>smbexec.exe<\/strong><\/td>\n<td><a href=\"https:\/\/www.virustotal.com\/gui\/file\/5d2f77971ffe4bab08904e58c8d0c5ba2eefefa414599ebac72092e833f86537\" target=\"new\" rel=\"noopener\">5d2f77971ffe4bab08904e58c8d0c5ba2eefefa414599ebac72092e833f86537<\/a><\/td>\n<td>A variant of the smbexec.py tool (part of the <a href=\"https:\/\/github.com\/fortra\/impacket\">impacket<\/a> python suite) compiled as a PE executable. This tool is often used by bad actors for lateral movement.<\/td>\n<\/tr>\n<tr>\n<td><strong>amd64.exe<\/strong><\/td>\n<td><a href=\"https:\/\/www.virustotal.com\/gui\/file\/7539bd88d9bb42d280673b573fc0f5783f32db559c564b95ae33d720d9034f5a\" target=\"new\" rel=\"noopener\">7539bd88d9bb42d280673b573fc0f5783f32db559c564b95ae33d720d9034f5a<\/a><\/td>\n<td>This executable encrypts the victim\u2019s filesystem. 
It can also stop virtual machines and encrypt remote systems (potentially using external tools, such as <strong>psexec<\/strong> and <strong>smbexec<\/strong>).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>These files were used as shown in the figure below, for <a href=\"https:\/\/attack.mitre.org\/tactics\/TA0005\/\" target=\"_blank\" rel=\"noopener\">TA0005 \u2013 Defense Evasion<\/a>, <a href=\"https:\/\/attack.mitre.org\/tactics\/TA0008\/\" target=\"_blank\" rel=\"noopener\">TA0008 \u2013 Lateral Movement<\/a> and <a href=\"https:\/\/attack.mitre.org\/tactics\/TA0040\/\" target=\"_blank\" rel=\"noopener\">TA0040 \u2013 Impact<\/a>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-87492\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/4_FS-VL-RansomHub_Chart-LateralMovement.jpg\" alt=\"\" width=\"1792\" height=\"1080\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/4_FS-VL-RansomHub_Chart-LateralMovement.jpg 1792w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/4_FS-VL-RansomHub_Chart-LateralMovement-300x181.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/4_FS-VL-RansomHub_Chart-LateralMovement-1024x617.jpg 1024w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/4_FS-VL-RansomHub_Chart-LateralMovement-768x463.jpg 768w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/4_FS-VL-RansomHub_Chart-LateralMovement-1536x926.jpg 1536w\" sizes=\"auto, (max-width: 1792px) 100vw, 1792px\" \/><br \/>\nSince the files used for lateral movement are already very well-known, we focus in this section on the analysis of the files used for defense evasion and in the next section on the encryptor file used for impact.\n<p>Both batch files (<strong>disableAV.bat<\/strong>) were used to copy <strong>2JSqT5dzNXW.exe <\/strong>and <strong>aSCGa.sys <\/strong>from a local IP address (likely the first compromised machine) and to run the former file. 
Here are the contents of one of the batch files (the only difference between them is that one uses the \u201ccopy\u201d command, while the other uses \u201cxcopy\u201d):<\/p>\n<p><center><a href=\"\/wp-content\/uploads\/2024\/05\/2JSqT5dzNXW.jpg\"><br \/>\n<img decoding=\"async\" class=\"alignnone size-full wp-image-87499\" src=\"\/wp-content\/uploads\/2024\/05\/2JSqT5dzNXW.jpg\" alt=\"\" width=\"500\" height=\"auto\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/2JSqT5dzNXW.jpg 555w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/2JSqT5dzNXW-300x137.jpg 300w\" sizes=\"(max-width: 555px) 100vw, 555px\" \/><\/a><\/center>The copied files are very interesting. Since earlier versions were analyzed by <a href=\"https:\/\/www.sentinelone.com\/labs\/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers\/\" target=\"_blank\" rel=\"noopener\">Sophos<\/a> and <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/hunting-attestation-signed-malware\" target=\"_blank\" rel=\"noopener\">Mandiant<\/a> researchers back in 2022, we will use the same names for these malicious files: STONESTOP (<strong>2JSqT5dzNXW.exe<\/strong>) and POORTRY (<strong>aSCGa.sys<\/strong>). The latter is a malicious Windows driver, while the former is a userland Windows executable that loads the driver and issues various commands.\n<p>STONESTOP and POORTRY were used by the <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-320a\" target=\"_blank\" rel=\"noopener\">SCATTERED SPIDER<\/a> cybercriminal group (tracked as UNC3944 by Mandiant) for stopping AV and EDR software. SCATTERED SPIDER is a group that has reportedly deployed the ALPHV ransomware in many cases in the past.<\/p>\n<p>The samples we obtained have a few differences from the samples described by Sophos and Mandiant \u2013 but there are many similarities.<\/p>\n<p>STONESTOP appears to be packed with UPX. 
However, a closer look at the binary suggests a custom packer. After unpacking the sample, we could understand how it controls POORTRY:<\/p>\n<ol>\n<li>It creates a copy of the POORTRY sample (aSCGa.sys) in the TEMP folder of the current user and loads it as a service. Note that it requires ADMIN privileges to do that, which suggests that this is done after the local ADMIN account is compromised. The sample contains no privilege escalation exploits.<br \/>\n&nbsp;<br \/>\n<a href=\"\/wp-content\/uploads\/2024\/05\/STONESTOP.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-87501\" src=\"\/wp-content\/uploads\/2024\/05\/STONESTOP.jpg\" alt=\"\" width=\"800\" height=\"484\" \/><\/a><br \/>\n&nbsp;\n<\/li>\n<li>Next, the executable sends a specific IOCTL, 0x222088, to POORTRY. This IOCTL is a way to authenticate with POORTRY. In this case, it expects a hardcoded string \u201c<em>ED AD FG HG GF TR SY UT GH NG GT<\/em>\u201d. If POORTRY receives this string along with this IOCTL, it will execute other functionality when specific IOCTLs are sent from the userland executable. Otherwise, the IOCTL request will be ignored.<br \/>\n&nbsp;<br \/>\n<a href=\"\/wp-content\/uploads\/2024\/05\/0x222088.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-87502\" src=\"\/wp-content\/uploads\/2024\/05\/0x222088.jpg\" alt=\"\" width=\"800\" height=\"auto\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/0x222088.jpg 1031w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/0x222088-300x41.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/0x222088-1024x140.jpg 1024w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/0x222088-768x105.jpg 768w\" sizes=\"(max-width: 1031px) 100vw, 1031px\" \/><\/a><br \/>\n&nbsp;\n<\/li>\n<li>Finally, our variant of STONESTOP instructs POORTRY to recursively delete all files within the installation folder of the Kaspersky AV solution. 
It will then enter an infinite loop in which it periodically instructs POORTRY to find processes related to AV software and kill them. In our sample, these were Kaspersky and Windows Defender:<br \/>\n&nbsp;<br \/>\n<a href=\"\/wp-content\/uploads\/2024\/05\/POORTRY.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-87503\" src=\"\/wp-content\/uploads\/2024\/05\/POORTRY.jpg\" alt=\"\" width=\"600\" height=\"auto\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/POORTRY.jpg 900w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/POORTRY-300x206.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/POORTRY-768x527.jpg 768w\" sizes=\"(max-width: 900px) 100vw, 900px\" \/><\/a><\/li>\n<\/ol>\n<p>As the analysis shows, they were targeting different AV and EDR solutions. It appears that the attackers create a new executable for each of their victims, customizing it according to the AV and EDR solutions present. STONESTOP and POORTRY are heavily obfuscated. Both use some sort of string and control flow graph obfuscation. For example, POORTRY uses Microsoft Control Flow Guard among other things, while STONESTOP contains self-rewriting code.<br \/>\n&nbsp;<br \/>\nA full analysis would take significant time. What we noticed, however, is that it seems to be the next iteration of the POORTRY variant <a href=\"https:\/\/www.sentinelone.com\/labs\/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers\/\">described by Sophos<\/a>:\n<ol>\n<li>It uses a simple authentication message, instead of a full handshake.<\/li>\n<li>A different \u201clegitimate\u201d certificate is used to sign the binary.<\/li>\n<li>It contains a subset of the IOCTL values described previously; however, it also has some new functionality. 
Some may have been missed:<\/li>\n<\/ol>\n<div class=\"c-responsive-table td-min-width-0 padding-slim th-no-wrap\">\n<table>\n<tbody>\n<tr>\n<th><strong>IOCTL<\/strong><\/th>\n<th><strong>Functionality<\/strong><\/th>\n<\/tr>\n<tr>\n<td>0x222088<\/td>\n<td>Authenticate STONESTOP with POORTRY.<\/td>\n<\/tr>\n<tr>\n<td>0x222184<\/td>\n<td>Delete a file from the filesystem.<\/td>\n<\/tr>\n<tr>\n<td>0x222094<\/td>\n<td>Kill a running process.<\/td>\n<\/tr>\n<tr>\n<td>0x22218c<\/td>\n<td>Overwrite a file (appears to be unused in our STONESTOP sample).<\/td>\n<\/tr>\n<tr>\n<td>0x22208c<\/td>\n<td>??? (appears to be unused in our STONESTOP sample).<\/td>\n<\/tr>\n<tr>\n<td>0x222188<\/td>\n<td>??? (appears to be unused in our STONESTOP sample).<\/td>\n<\/tr>\n<tr>\n<td>0x222190<\/td>\n<td>??? (appears to be unused in our STONESTOP sample).<\/td>\n<\/tr>\n<tr>\n<td>0x2221c4<\/td>\n<td>??? (appears to be unused in our STONESTOP sample).<\/td>\n<\/tr>\n<tr>\n<td>0x2221c8<\/td>\n<td>??? (appears to be unused in our STONESTOP sample).<\/td>\n<\/tr>\n<tr>\n<td>0x222264<\/td>\n<td>??? (appears to be unused in our STONESTOP sample).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>This new variant of POORTRY masquerades as the Internet Download Manager TDI driver from Tonec Inc.:<\/p>\n<p><a href=\"\/wp-content\/uploads\/2024\/05\/Tonec-.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-87504\" src=\"\/wp-content\/uploads\/2024\/05\/Tonec-.jpg\" alt=\"\" width=\"700\" height=\"auto\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/Tonec-.jpg 908w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/Tonec--300x135.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/Tonec--768x345.jpg 768w\" sizes=\"(max-width: 908px) 100vw, 908px\" \/><\/a><\/p>\n<p>The driver is signed with a valid certificate from \u201cShanghai Yikaoda Information Consulting Co., Ltd.\u201d, but it expired in 2016. 
It appears the attackers used a stolen certificate. We could not find any information about this company online, so it may be forged.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-87505\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/cert.jpg\" alt=\"\" width=\"545\" height=\"695\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/cert.jpg 545w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/cert-235x300.jpg 235w\" sizes=\"auto, (max-width: 545px) 100vw, 545px\" \/><\/p>\n<h2>Analysis of the encryptor and similarities with ALPHV<\/h2>\n<p>The file amd64.exe (<a href=\"https:\/\/www.virustotal.com\/gui\/file\/7539bd88d9bb42d280673b573fc0f5783f32db559c564b95ae33d720d9034f5a\" target=\"_blank\" rel=\"noopener\">7539bd88d9bb42d280673b573fc0f5783f32db559c564b95ae33d720d9034f5a<\/a>) is a filesystem encryptor that has several capabilities, such as:<\/p>\n<ol>\n<li>Selective encryption: only process files within specific path or encrypt only local disks<\/li>\n<li>Selective propagation: only process specific SMB hosts<\/li>\n<li>Run in Safe Mode<\/li>\n<\/ol>\n<p><a href=\"\/wp-content\/uploads\/2024\/05\/the-encryptor-and-similarities-with-ALPHV.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-87506\" src=\"\/wp-content\/uploads\/2024\/05\/the-encryptor-and-similarities-with-ALPHV.jpg\" alt=\"\" width=\"800\" height=\"auto\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/the-encryptor-and-similarities-with-ALPHV.jpg 1043w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/the-encryptor-and-similarities-with-ALPHV-300x131.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/the-encryptor-and-similarities-with-ALPHV-1024x449.jpg 1024w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/the-encryptor-and-similarities-with-ALPHV-768x337.jpg 768w\" sizes=\"(max-width: 1043px) 100vw, 1043px\" 
\/><\/a><\/p>\n<p>The sample is packed (likely with <a href=\"https:\/\/vmpsoft.com\/\" target=\"_blank\" rel=\"noopener\">VMProtect<\/a> and some custom packing); however, it is not virtualized. The sample is developed in Golang; however, all the symbol information was stripped from the binary. Additionally, the authors used the <strong><em>gobfuscate<\/em><\/strong> tool (<a href=\"https:\/\/github.com\/unixpickle\/gobfuscate\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/unixpickle\/gobfuscate<\/a>).<\/p>\n<p>All these countermeasures make static analysis extremely difficult. The authors prevent dynamic analysis by protecting the encryptor config with a 32-byte passphrase. The cryptographic algorithm used by the authors appears to be <a href=\"https:\/\/en.wikipedia.org\/wiki\/ChaCha20-Poly1305\" target=\"_blank\" rel=\"noopener\">ChaCha20-Poly1305<\/a>. But we could not decrypt the config and analyze the sample further, since we did not have the required passphrase. Despite the obfuscation, several interesting strings were present in the binary. 
For example, some parts of the JSON config:<\/p>\n<p><a href=\"\/wp-content\/uploads\/2024\/05\/cryptographic-algorithm-.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-87507\" src=\"\/wp-content\/uploads\/2024\/05\/cryptographic-algorithm-.jpg\" alt=\"\" width=\"956\" height=\"554\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/cryptographic-algorithm-.jpg 956w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/cryptographic-algorithm--300x174.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/cryptographic-algorithm--768x445.jpg 768w\" sizes=\"auto, (max-width: 956px) 100vw, 956px\" \/><\/a><\/p>\n<p><a href=\"\/wp-content\/uploads\/2024\/05\/ALPHV.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-87508\" src=\"\/wp-content\/uploads\/2024\/05\/ALPHV.jpg\" alt=\"\" width=\"600\" height=\"auto\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/ALPHV.jpg 679w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/ALPHV-300x119.jpg 300w\" sizes=\"(max-width: 679px) 100vw, 679px\" \/><\/a><\/p>\n<p>The JSON config contains quite a few similarities to the ALPHV ransomware that <a href=\"\/blog\/alphv-breaking-down-the-complexity-of-the-most-sophisticated-ransomware\/\">we analyzed in the past<\/a>. 
We also noticed a few sentences in the ransom note that appear to be copied from the ALPHV sample <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2024-03\/aa23-353a-stopransomware-alphv-blackcat-update_2.pdf\" target=\"_blank\" rel=\"noopener\">mentioned by CISA<\/a>:<\/p>\n<p><a href=\"\/wp-content\/uploads\/2024\/05\/CISA-.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-87509\" src=\"\/wp-content\/uploads\/2024\/05\/CISA-.jpg\" alt=\"\" width=\"800\" height=\"auto\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/CISA-.jpg 863w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/CISA--300x108.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/CISA--768x278.jpg 768w\" sizes=\"(max-width: 863px) 100vw, 863px\" \/><\/a><\/p>\n<p>However, this is where the most obvious similarities end. The <a href=\"\/resources\/analysis-of-an-alphv-incident\">ALPHV encryptor sample that we analyzed earlier<\/a> plus a few additional samples were written in Rust, not Golang.<\/p>\n<p>There are also additional obfuscation measures present in the RansomHub sample not previously seen in ALPHV. Yet, while there are significant differences between the present encryptor sample and the ALPHV samples dissected in previous research, the current sample may be the next step in the evolution of ALPHV.<\/p>\n<p>There are plenty of similarities in configuration parameters. They all require a strong passphrase to decrypt an embedded config. The present sample \u2013 just like the ALPHV samples we have seen before \u2013 appears to have functionality to stop virtual machines present in the victim\u2019s environment.<\/p>\n<h2>Is RansomHub a rebrand of ALPHV?<\/h2>\n<p>The timing of ALPHV\u2019s disappearance and RansomHub\u2019s appearance, with a new affiliate prepayment model, is very close. 
This leads many researchers to suspect that RansomHub could be just a rebrand of ALPHV and that all the \u201cNotchy\u201d\/Change Healthcare drama could be staged.<\/p>\n<p>This would not be the first rebrand of a major ransomware group after a massive attack. ALPHV itself appeared in November 2021 as a rebrand of DarkSide \u2013 the group responsible for the Colonial Pipeline hack \u2013 and BlackMatter.<\/p>\n<p>In the incident we observed, the actors used variations of the same tools (STONESTOP and POORTRY) known to be used by SCATTERED SPIDER to deploy ALPHV in the past. However, the technical analysis of the RansomHub encryptor shows that it is significantly different from the ALPHV encryptor used until very recently. Although it bears many similarities, such as modes of operation, strings in config files and ransom notes, these similarities are now common to several ransomware families.<\/p>\n<p>From this one isolated incident it is difficult to conclude whether RansomHub is a rebrand of ALPHV or a \u2018spiritual successor\u2019 taking many of the former group\u2019s affiliates. Regardless of the specific tools used in an attack or the affiliate that perpetrates it, the good news for defenders is that most <a href=\"\/blog\/ttps-how-to-prevent-and-detect-ransomware-attacks\/\">ransomware incidents boil down to the same TTPs<\/a>.<\/p>\n<h2>Mitigation guidance<\/h2>\n<p>Basic cyber hygiene recommendations are still effective against these ransomware TTPs. 
These recommendations are detailed on CISA\u2019s Stop Ransomware project page, especially its <a href=\"https:\/\/www.cisa.gov\/stopransomware\/ransomware-guide\" target=\"_blank\" rel=\"noopener\">ransomware guide<\/a>, which includes:<\/p>\n<ul>\n<li>Identifying and patching vulnerable devices in your network<\/li>\n<li>Segmenting the network to avoid spreading an infection<\/li>\n<li>Monitoring network traffic to detect signs of intrusion, lateral movement or payload execution<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.forescout.com\/solutions\/threat-detection-and-response\/\">Forescout Threat Detection &amp; Response<\/a> has dedicated rules for ransomware. It collects telemetry and logs from a wide range of sources such as security tools, applications and other enrichment sources, correlates attack signals to generate high-fidelity threats for analyst investigation, and enables automated response actions across the enterprise.<\/p>\n<p>The figure below shows the description of the \u201cRansomware Attack Detection\u201d rule, which triggers on events such as the detection of known ransomware artifacts, the deletion or modification of shadow copies using PowerShell, or the encryption of files.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-87510\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/Ransomware-Attack-Detection.jpg\" alt=\"\" width=\"1052\" height=\"393\" srcset=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/Ransomware-Attack-Detection.jpg 1052w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/Ransomware-Attack-Detection-300x112.jpg 300w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/Ransomware-Attack-Detection-1024x383.jpg 1024w, https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/Ransomware-Attack-Detection-768x287.jpg 768w\" sizes=\"auto, (max-width: 1052px) 100vw, 1052px\" \/><\/p>\n<h2>Indicators of compromise<\/h2>\n<p>The 
indicators of compromise below are also available on <a href=\"https:\/\/forescout.vederelabs.com\/register\" target=\"_blank\" rel=\"noopener\">Forescout Vedere Labs\u2019 threat feed<\/a>:<\/p>\n<ul>\n<li>813f54d9053d91a46d9ec3381a2283f3ed8274a976e34fc795c5239fd4d01f4b \u2013 bat<\/li>\n<li>cc16267ba6bb49149183b6de2980824b8b4d5d1456fed51b6c5fd9099a904b50 \u2013 bat<\/li>\n<li>d9a24f5c62928dd9f5900b4a9d8ce9e09b73509bc75537c223532ebf8c22e76d \u2013 exe<\/li>\n<li>9d3a9b9875175acfa8caabbb773e0723b83735a89969c581c0dfd846476378a5 \u2013 sys<\/li>\n<li>cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e \u2013 exe<\/li>\n<li>a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4 \u2013 exe<\/li>\n<li>078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b \u2013 exe<\/li>\n<li>5d2f77971ffe4bab08904e58c8d0c5ba2eefefa414599ebac72092e833f86537 \u2013 exe<\/li>\n<li>7539bd88d9bb42d280673b573fc0f5783f32db559c564b95ae33d720d9034f5a \u2013 amd64.exe<\/li>\n<li>9667288503bc26ed9e957050f7e87929f1a7931e8b21797180b68de22a430411 \u2013 certificate used to sign POORTRY<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Updated November 2024 Billing systems for Change Healthcare are now back up and running nine months after the ransomware attack on this major clearinghouse for billing and payment processing, according to GovTech. 
Owned by UnitedHealthGroup, Change Healthcare fell victim to one of the largest ransomware attacks in history in February after it was discovered it did [&hellip;]<\/p>\n","protected":false},"author":124,"featured_media":87658,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"ep_exclude_from_search":false,"footnotes":"","_links_to":"","_links_to_target":""},"categories":[540],"tags":[],"coauthors":[542],"class_list":["post-87489","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research-and-cyber-alerts"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Ransomware Group Emerges from the Change Healthcare Attack<\/title>\n<meta name=\"description\" content=\"RansomHub emerges during the Change Healthcare cyber attack. Forescout Research analyzes the criminal ransomware as a service and its impact.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.forescout.com\/blog\/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Ransomware Group Emerges from the Change Healthcare Attack\" \/>\n<meta property=\"og:description\" content=\"RansomHub emerges during the Change Healthcare cyber attack. 
Forescout Research analyzes the criminal ransomware as a service and its impact.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.forescout.com\/blog\/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack\/\" \/>\n<meta property=\"og:site_name\" content=\"Forescout\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ForescoutTechnologies\" \/>\n<meta property=\"article:published_time\" content=\"2024-11-26T17:00:57+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-11-27T14:25:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/FS-2024-RansomHub-Social-v1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"612\" \/>\n\t<meta property=\"og:image:height\" content=\"318\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Forescout Research - Vedere Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Forescout\" \/>\n<meta name=\"twitter:site\" content=\"@Forescout\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.forescout.com\/blog\/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack\/\"},\"author\":{\"name\":\"Forescout Research - Vedere Labs\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/person\/038ef2eda17d37f87d9978fa703ee984\"},\"headline\":\"Analysis: A New Ransomware Group Emerges from the Change Healthcare Cyber Attack\",\"datePublished\":\"2024-11-26T17:00:57+00:00\",\"dateModified\":\"2024-11-27T14:25:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack\/\"},\"wordCount\":2780,\"publisher\":{\"@id\":\"https:\/\/www.forescout.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/FS-2024-RansomHub-Social-v1.jpg\",\"articleSection\":[\"Research &amp; Cyber Alerts\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.forescout.com\/blog\/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack\/\",\"url\":\"https:\/\/www.forescout.com\/blog\/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack\/\",\"name\":\"Ransomware Group Emerges from the Change Healthcare 
Attack\",\"isPartOf\":{\"@id\":\"https:\/\/www.forescout.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/FS-2024-RansomHub-Social-v1.jpg\",\"datePublished\":\"2024-11-26T17:00:57+00:00\",\"dateModified\":\"2024-11-27T14:25:14+00:00\",\"description\":\"RansomHub emerges during the Change Healthcare cyber attack. Forescout Research analyzes the criminal ransomware as a service and its impact.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.forescout.com\/blog\/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.forescout.com\/blog\/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack\/#primaryimage\",\"url\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/FS-2024-RansomHub-Social-v1.jpg\",\"contentUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/FS-2024-RansomHub-Social-v1.jpg\",\"width\":612,\"height\":318},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.forescout.com\/blog\/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.forescout.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Analysis: A New Ransomware Group Emerges from the Change Healthcare Cyber 
Attack\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.forescout.com\/#website\",\"url\":\"https:\/\/www.forescout.com\/\",\"name\":\"Forescout\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.forescout.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.forescout.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.forescout.com\/#organization\",\"name\":\"Forescout Technologies, Inc.\",\"url\":\"https:\/\/www.forescout.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg\",\"contentUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg\",\"width\":1,\"height\":1,\"caption\":\"Forescout Technologies, Inc.\"},\"image\":{\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/ForescoutTechnologies\",\"https:\/\/x.com\/Forescout\",\"https:\/\/www.instagram.com\/forescouttechnologies\/\",\"https:\/\/www.linkedin.com\/company\/forescout-technologies\",\"https:\/\/www.youtube.com\/user\/forescout1\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/person\/038ef2eda17d37f87d9978fa703ee984\",\"name\":\"Forescout Research - Vedere 
Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/person\/image\/b4c8db5600adef8fa1a89cc86e15c781\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6f43608a91eb86cde1564e21650235d0ed570d1ae0fbd371a265636ed603e70d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6f43608a91eb86cde1564e21650235d0ed570d1ae0fbd371a265636ed603e70d?s=96&d=mm&r=g\",\"caption\":\"Forescout Research - Vedere Labs\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","featured_media_url":"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/05\/FS-2024-RansomHub-Social-v1.jpg","is_file":false,"excerpt_manually_set":false,"_links":{"self":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/posts\/87489","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/users\/124"}],"replies":[{"embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/comments?post=87489"}],"version-history":[{"count":0,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/posts\/87489\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/media\/87658"}],"wp:attachment":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/media?parent=87489"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/categories?post=87489"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/tags?post=87489"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/coauthors?post=87489"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}