Evolve Bank says ransomware gang stole personal data on millions of customers

U.S.-based banking-as-a-service giant Evolve Bank & Trust said that cybercriminals accessed the personal data of millions of customers during a recent cyberattack.

In a filing with Maine’s attorney general on Monday, Evolve confirmed that the personal data of at least 7.6 million people, including more than 20,000 customers based in Maine, was accessed during the incident, the fallout from which continues to grow. 

When reached by TechCrunch, Evolve spokesperson Eric Helvie declined to say if the bank expects the number of affected individuals to grow.

Evolve did not specify what types of data had been compromised in the filing, but it previously said in a statement on its website that attackers accessed the names, Social Security numbers, bank account numbers and contact information belonging to its personal banking customers, the personal data of Evolve employees and information belonging to customers of its financial technology partners.

This list of partners includes Affirm, which recently confirmed that the Evolve breach “may have compromised some data and personal information” of its customers. Another Evolve partner, the fintech startup Mercury, said in a post on X that the Evolve breach impacted “some account numbers, deposit balances, business owner names, and emails.” 

Money transfer organization Wise (formerly TransferWise) also confirmed last week that “some Wise customers’ personal information may have been involved.”

It’s not yet known whether the list of compromised data types is likely to grow, but Evolve said it’s “still investigating what other personal information was affected, including information regarding our business, trust, and mortgage customers.”

Last week, Evolve confirmed that the breach was the result of a February ransomware attack carried out by the Russia-linked LockBit gang, which earlier this year was disrupted by a multi-government operation but whose administrator remains at large.

The bank identified the intrusion in May, when it discovered that the hackers had gained access to its systems. Evolve said it did not pay the hackers’ ransom demand, which led to LockBit publishing the compromised data on its since-revived dark web leak site. 

In the letter sent to affected customers, Evolve said that the hackers accessed and downloaded “customer information from Evolve’s databases and a file share during periods in February and May 2024.”

Updated with response from Evolve, declining to answer questions about the breach.

How the ransomware attack at Change Healthcare went down: A timeline

A ransomware attack earlier this year on UnitedHealth-owned health tech company Change Healthcare likely stands as one of the largest data breaches of U.S. health and medical data in history.

Months after the February data breach, a “substantial proportion of people living in America” are receiving notice by mail that their personal and health information was stolen by cybercriminals during the cyberattack on Change Healthcare.

Change Healthcare processes billing and insurance for hundreds of thousands of hospitals, pharmacies and medical practices across the U.S. healthcare sector. As such, it collects and stores vast amounts of highly sensitive medical data on patients in the United States. Through a series of mergers and acquisitions, Change became one of the largest processors of U.S. health data, handling between one-third and one-half of all U.S. health transactions.

Here’s what has happened since the ransomware attack began.

February 21, 2024

First report of outages as security incident emerges

It seemed like an ordinary Wednesday afternoon, until it wasn’t. The outage was sudden. On February 21, billing systems at doctors’ offices and healthcare practices stopped working, and insurance claims stopped processing. The status page on Change Healthcare’s website was flooded with outage notifications affecting every part of its business, and later that day the company confirmed it was “experiencing a network interruption related to a cyber security issue.” Clearly something had gone very wrong.

It turns out that Change Healthcare invoked its security protocols and shut down its entire network to isolate intruders it found in its systems. That meant sudden and widespread outages across the healthcare sector that relies on a handful of companies — like Change Healthcare — to handle healthcare insurance and billing claims for vast swathes of the United States. It was later determined that the hackers initially broke into the company’s systems over a week earlier, on or around February 12.

February 29, 2024

UnitedHealth confirms it was hit by ransomware gang

After initially (and incorrectly) attributing the intrusion to hackers working for a government or nation-state, UnitedHealth later said on February 29 that the cyberattack was in fact the work of a ransomware gang. UnitedHealth said the gang “represented itself to us as ALPHV/BlackCat,” a company spokesperson told TechCrunch at the time. A dark web leak site associated with the ALPHV/BlackCat gang also took credit for the attack, claiming to have stolen millions of Americans’ sensitive health and patient information, giving the first indication of how many individuals this incident had affected.

ALPHV (aka BlackCat) is a known Russian-speaking ransomware-as-a-service gang. Its affiliates, contractors who work for the gang, break into victim networks and deploy malware developed by ALPHV/BlackCat’s leaders, who take a cut of the ransoms that victims pay to get their files back.

Knowing that the breach was caused by a ransomware gang changed the equation. This was no longer the kind of hacking that governments do, sometimes to send a message to another government rather than to publish millions of people’s private information, but a breach by financially motivated cybercriminals, who follow an entirely different playbook to get their payday.

March 3-5, 2024

UnitedHealth pays a ransom of $22 million to hackers, who then disappear

In early March, the ALPHV ransomware gang vanished. The gang’s leak site on the dark web, which weeks earlier took credit for the cyberattack, was replaced with a seizure notice claiming that U.K. and U.S. law enforcement took down the gang’s site. But both the FBI and U.K. authorities denied any involvement; they had attempted a takedown of the gang months earlier. All signs pointed to ALPHV running off with the ransom and pulling an “exit scam.”

In a posting, the ALPHV affiliate who carried out the hack on Change Healthcare claimed that the ALPHV leadership stole $22 million paid as a ransom and included a link to a single bitcoin transaction on March 3 as proof of their claim. But despite losing their share of the ransom payment, the affiliate said the stolen data is “still with us.” UnitedHealth had paid a ransom to hackers who left the data behind and disappeared.

A fake law enforcement seizure notice posted on BlackCat’s dark web leak site soon after receiving a ransom payment of $22 million.

March 13, 2024

Widespread disruption across U.S. healthcare amid fears of data breach

Meanwhile, weeks into the cyberattack, outages were still ongoing with many unable to get their prescriptions filled or having to pay cash out of pocket. Military health insurance provider TriCare said “all military pharmacies worldwide” were affected as well. 

The American Medical Association was saying there was little information from UnitedHealth and Change Healthcare about the ongoing outages, causing massive disruption that continued to ripple across the healthcare sector. 

By March 13, Change Healthcare had received a “safe” copy of the stolen data that it had just days earlier paid $22 million for. This allowed Change to begin the process of poring through the dataset to determine whose information was stolen in the cyberattack, with the aim of notifying as many affected individuals as possible.  

March 28, 2024

U.S. government ups its bounty to $10 million for information leading to ALPHV capture

By late March, the U.S. government said it was upping its bounty for information on key leadership of ALPHV/BlackCat and its affiliates. 

By offering $10 million to anyone who can identify or locate the individuals behind the gang, the U.S. government seemed to hope that one of the gang’s insiders would turn on their former leaders. It also could be seen as the U.S. realizing the threat of having a significant number of Americans’ health information potentially published online. 

April 15, 2024

Contractor forms new ransom gang and publishes some stolen health data

And then there were two — ransoms, that is. By mid-April, the aggrieved affiliate set up a new extortion racket called RansomHub, and since it still had the data that it stole from Change Healthcare, it demanded a second ransom from UnitedHealth. In doing so, RansomHub published a portion of the stolen files containing what appeared to be private and sensitive patient records as proof of their threat. 

Ransomware gangs don’t just encrypt files; they also steal as much data as possible and threaten to publish the files if a ransom isn’t paid. This is known as “double extortion.” In some cases when the victim pays, the ransomware gang can extort the victim again — or, in others, extort the victim’s customers, known as “triple extortion.”

Now that UnitedHealth was willing to pay one ransom, there was a risk that the healthcare giant would be extorted again. It’s why law enforcement have long advocated against paying a ransom that allows criminals to profit from cyberattacks.

April 22, 2024

UnitedHealth says ransomware hackers stole health data on a “substantial proportion of people in America”

For the first time, UnitedHealth confirmed on April 22 — more than two months after the ransomware attack began — that there was a data breach and that it likely affects a “substantial proportion of people in America,” without saying how many millions of people that entails. UnitedHealth also confirmed it paid a ransom for the data but would not say how many ransoms it ultimately paid.

The company said that the stolen data includes highly sensitive information, including medical records and health information, diagnoses, medications, test results, imaging and care and treatment plans, and other personal information.

Given that Change Healthcare handles data on about one-third of everyone living in the United States, the data breach is likely to affect at least 100 million people. When reached by TechCrunch, a UnitedHealth spokesperson did not dispute the likely affected number but said that the company’s data review was ongoing.

May 1, 2024

UnitedHealth Group chief executive testifies that Change wasn’t using basic cybersecurity

Perhaps unsurprisingly when your company has had one of the biggest data breaches in recent history, its chief executive is bound to get called to testify before lawmakers. 

That’s what happened with UnitedHealth Group (UHG) chief executive Andrew Witty, who on Capitol Hill admitted that the hackers broke into Change Healthcare’s systems using a single set of credentials for a user account that was not protected with multi-factor authentication, a basic control that blunts password-reuse and credential-stuffing attacks by requiring a second factor, such as a one-time code on the account holder’s phone, in addition to the password.

One of the biggest data breaches in U.S. history was entirely preventable; that was the key message. Witty said that the data breach was likely to affect about one-third of people living in America, in line with the company’s previous estimate that the breach affects roughly as many people as Change Healthcare processes healthcare claims for.
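As an added illustration of the control Witty said was missing (example code written for this page, not code from UnitedHealth, Change Healthcare or TechCrunch), the block below shows what a login looks like when a time-based one-time code is required alongside the password. The user store, the "Winter2024!" password, the base32 seeds and the account names are all constructed for the example; a real deployment keeps these in an identity provider, and phishing-resistant factors such as FIDO2 keys are stronger than TOTP. The point it demonstrates is that a reused or stolen password on its own is rejected, and that an account with no second factor enrolled is refused rather than waved through.

```python
"""
Added example: RFC 6238 TOTP as a second factor in front of a password check.
Everything here (users, passwords, seeds, salt) is constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Constructed sample store. A real system keeps hashes and seeds in a directory
# or identity provider, never in source.
_PASSWORD_SALT = b"example-salt"  # assumption: one static salt, for brevity


def hash_password(password: str) -> bytes:
    # Assumption: salted PBKDF2-SHA256 stands in for whatever the real store uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _PASSWORD_SALT, 100_000)


USERS = {
    "remote-portal-user": {
        "password_hash": hash_password("Winter2024!"),  # constructed, deliberately weak
        "totp_secret": "JBSWY3DPEHPK3PXP",               # constructed base32 seed
        "mfa_enrolled": True,
    },
    "legacy-service-account": {
        "password_hash": hash_password("Winter2024!"),  # same password reused elsewhere
        "totp_secret": None,
        "mfa_enrolled": False,                           # the gap described in testimony
    },
}


def totp(secret_b32: str, for_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second counter, dynamically truncated to N digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    now = time.time() if for_time is None else for_time
    counter = int(now // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret_b32: str, code: str, now: Optional[int] = None, window: int = 1) -> bool:
    """Accept the current 30-second step plus/minus `window` steps to absorb clock drift."""
    now = int(time.time()) if now is None else now
    return any(
        hmac.compare_digest(totp(secret_b32, now + delta * 30), code)
        for delta in range(-window, window + 1)
    )


def authenticate(username: str, password: str, code: Optional[str], now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). A correct password is never sufficient on its own."""
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"
    if not hmac.compare_digest(hash_password(password), user["password_hash"]):
        return False, "bad password"
    if not user["mfa_enrolled"]:
        # Fail closed: an internet-facing account without a second factor is
        # refused, instead of silently skipping the check.
        return False, "mfa not enrolled; access denied pending enrollment"
    if code is None or not verify_totp(user["totp_secret"], code, now):
        return False, "bad or missing second factor"
    return True, "ok"


if __name__ == "__main__":
    t = 1_700_000_000  # fixed clock so the run is reproducible
    print(authenticate("remote-portal-user", "Winter2024!", None, t))        # password alone: rejected
    print(authenticate("remote-portal-user", "Winter2024!", totp("JBSWY3DPEHPK3PXP", t), t))
    print(authenticate("legacy-service-account", "Winter2024!", None, t))    # no MFA enrolled: rejected
```

The `totp` function reproduces the RFC 6238 reference vectors (for example, the document's 20-byte ASCII test secret at T=59 yields 287082 with six digits), so it can be checked against any standard authenticator app. The drift window and the constant-time comparison are the two details most often got wrong in home-grown implementations.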

UnitedHealth CEO Andrew Witty testifies before the Senate Finance committee on Capitol Hill on May 1, 2024, in Washington, D.C.

June 20, 2024

UHG starts notifying affected hospitals and medical providers what data was stolen

It took Change Healthcare until June 20 to begin the formal notification process required under the law commonly known as HIPAA, publishing a public notice and starting to tell affected providers what was taken, likely delayed in part by the sheer size of the stolen dataset.

The company published a notice disclosing the data breach and said that it would begin notifying individuals it had identified in the “safe” copy of the stolen data. But Change said it “cannot confirm exactly” what data was stolen about each individual and that the information may vary from person to person. Change says it was posting the notice on its website, as it “may not have sufficient addresses for all affected individuals.”

The incident was so big and complex that the U.S. Department of Health and Human Services stepped in and said that affected healthcare providers, whose patients are ultimately affected by the breach, can ask UnitedHealth to notify affected patients on their behalf, an effort aimed at lessening the burden on smaller providers whose finances were hit amid the ongoing outage.

July 29, 2024

Change Healthcare begins notifying known affected individuals by letter

The health tech giant confirmed in late June that it would begin notifying those whose healthcare data was stolen in its ransomware attack on a rolling basis. That process began in late July. 

The letters going out to affected individuals will most likely come from Change Healthcare, if not from the specific healthcare provider affected by the hack at Change. The letter confirms what kinds of data were stolen, including medical data and health insurance information, and claims and payment information, which Change said includes financial and banking information.


Why are ransomware gangs making so much money?

For many organizations and startups, 2023 was a rough year financially, with companies struggling to raise money and others making cuts to survive. Ransomware and extortion gangs, on the other hand, had a record-breaking year in earnings, if recent reports are anything to go by.

It’s hardly surprising when you look at the state of the ransomware landscape. Last year saw hackers continue to evolve their tactics to become scrappier and more extreme in efforts to pressure victims into paying their increasingly exorbitant ransom demands. This escalation in tactics, along with the fact that governments have stopped short of banning ransom payments, led to 2023 becoming the most lucrative year yet for ransomware gangs.

The billion-dollar cybercrime business

According to new data from crypto forensics startup Chainalysis, known ransomware payments almost doubled in 2023 to surpass the $1 billion mark, which the firm called a “major comeback for ransomware.”

That’s the highest figure ever observed, and almost double the amount of known ransom payments tracked in 2022. But Chainalysis said the actual figure is likely far higher than the $1.1 billion in ransom payments it has witnessed so far.

There’s a glimmer of good news, though. While 2023 was overall a bumper year for ransomware gangs, other hacker-watchers observed a drop in payments toward the end of the year.

This drop is a result of improved cyber defenses and resiliency, along with the growing sentiment that most victim organizations don’t trust hackers to keep their promises or delete any stolen data as they claim. “This has led to better guidance to victims and fewer payments for intangible assurances,” according to ransomware remediation company Coveware.

Record-breaking ransoms

While more ransomware victims are refusing to line the pockets of hackers, ransomware gangs are compensating for this drop in earnings by increasing the number of victims they target.

Take the MOVEit campaign. This huge hack saw the prolific Russia-linked Clop ransomware gang mass-exploit a previously unknown (zero-day) vulnerability in the widely used MOVEit Transfer software to steal data from the systems of more than 2,700 victim organizations. Many of the victims are known to have paid the hacking group in efforts to prevent the publication of sensitive data.

While it’s impossible to know exactly how much money the mass-hack made for the ransomware group, Chainalysis said in its report that Clop’s MOVEit campaign amassed over $100 million in ransom payments, and accounted for almost half of all ransomware value received in June and July 2023 during the height of this mass-hack.

MOVEit was by no means the only money-making campaign of 2023.

In September, casino and entertainment giant Caesars paid roughly $15 million to hackers to prevent the disclosure of customer data stolen during an August cyberattack.

This multimillion-dollar payment perhaps illustrates why ransomware actors continue to make so much money: the Caesars attack barely made it into the news, while a subsequent attack on hotel giant MGM Resorts, which has so far cost the company $100 million to recover from, dominated headlines for weeks. MGM’s refusal to pay the ransom led to the hackers’ release of sensitive MGM customer data, including names, Social Security numbers and passport details. Caesars, outwardly at least, appeared largely unscathed, even if, by its own admission, it could not guarantee that the ransomware gang would delete the company’s stolen data.

Escalating threats

For many organizations, like Caesars, paying the ransom demand seems like the easiest option to avoid a public relations nightmare. But as the ransom money dries up, ransomware and extortion gangs are upping the ante and resorting to escalating tactics and extreme threats.

In December, for example, hackers reportedly tried to pressure a cancer hospital into paying a ransom demand by threatening to “swat” its patients. Swatting relies on malicious callers falsely reporting a threat to life at a victim’s address, prompting the response of armed police officers.

We also saw the notorious Alphv (known as BlackCat) ransomware gang weaponize the U.S. government’s new data breach disclosure rules against MeridianLink, one of the gang’s many victims. Alphv accused MeridianLink of failing to publicly disclose what the gang called “a significant breach compromising customer data and operational information,” for which the gang took credit.

No ban on ransom payments

Another reason ransomware continues to be lucrative for hackers is that, while not advised, there’s nothing stopping organizations from paying up, unless, of course, the hackers have been sanctioned.

To pay or not to pay the ransom is a controversial subject. Ransomware remediator Coveware suggests that if a ransom payment ban were imposed in the U.S. or any other highly victimized country, companies would likely stop reporting these incidents to the authorities, reversing past cooperation between victims and law enforcement agencies. The company also predicts that a ransom payment ban would lead to the overnight creation of a large illegal market for facilitating ransomware payments.

Others, however, believe a blanket ban is the only way to ensure ransomware hackers can’t continue to line their pockets — at least in the short term.

Allan Liska, a threat intelligence analyst at Recorded Future, has long opposed banning ransom payments — but now believes that for as long as ransom payments remain lawful, cybercriminals will do whatever it takes to collect them.

“I’ve resisted the idea of blanket bans on ransom payments for years, but I think that has to change,” Liska told TechCrunch. “Ransomware is getting worse, not just in the number of attacks but in the aggressive nature of the attacks and the groups behind them.”

“A ban on ransom payments will be painful and, if history is any guide, will likely lead to a short-term increase in ransomware attacks, but it seems like this is the only solution that has a chance of long-term success at this point,” said Liska.

While more victims are realizing that paying the hackers cannot guarantee the safety of their data, it’s clear that these financially motivated cybercriminals aren’t giving up their lavish lifestyles anytime soon. Until that changes, ransomware attacks will remain a major money-making exercise for the hackers behind them.

Read more on TechCrunch:

Why ransomware victims can’t stop paying off hackers
Do government sanctions against ransomware groups work?
Why extortion is the new ransomware threat

Ransomware gang's new extortion trick? Calling the front desk

When a hacker called the company that his gang claimed to breach, he felt the same way that most of us feel when calling the front desk: frustrated.

The phone call between the hacker, who claims to represent the ransomware gang DragonForce, and the victim company employee was posted by the ransomware gang on its dark web site in an apparent attempt to put pressure on the company to pay a ransom demand. In reality, the call recording just shows a somewhat hilarious and failed attempt to extort and intimidate a company’s rank-and-file employees.

The recording also shows how ransomware gangs are always looking for different ways to intimidate the companies they hack.

“It’s increasingly common for threat actors to make contact via telephone, and this should be factored into organizations’ response plans. Do we engage or not? Who should engage? You don’t want to be making these decisions while the threat actor is listening to your hold music,” said Brett Callow, a threat analyst at Emsisoft.

In the call, the hacker asks to speak with the “management team.” Instead, two different employees put him on hold until Beth, from HR, answers the call.

“Hi, Beth, how are you doing?” the hacker said.

After a minute in which the two have trouble hearing each other, Beth tells the hacker that she is not familiar with the data breach that the hacker claimed. When the hacker attempts to explain what’s going on, Beth interrupts him and asks: “Now, why would you attack us?”

“Is there a reason why you chose us?” Beth insists.

“No need to interrupt me, OK? I’m just trying to help you,” the hacker responds, growing increasingly frustrated.

The hacker then proceeds to explain to Beth that the company she works for only has eight hours to negotiate before the ransomware gang will release the company’s stolen data.

“It will be published for public access, and it will be used for fraudulent activities and for terrorism by criminals,” the hacker says.

“Oh, OK,” says Beth, apparently nonplussed, and not understanding where the data is going to be.

“So it will be on X?” Beth asks. “So is that Dragonforce.com?”

The hacker then threatens Beth, saying they will start calling the company’s clients, employees and partners. The hacker adds that they have already contacted the media and provided a recording of a previous call with one of her colleagues, which is also on the gang’s dark web site.

“So that includes a conversation with Patricia? Because you know, that’s illegal in Ohio,” Beth says.

“Excuse me?” the hacker responds.

“You can’t do that in Ohio. Did you record Patricia?” Beth continues.

“Ma’am, I am a hacker. I don’t care about the law,” responds the hacker, growing even more frustrated.

Then the hacker tries one more time to convince Beth to negotiate, to no avail.

“I would never negotiate with a terrorist or a hacker as you call yourself,” Beth responds, asking the hacker to confirm a good phone number to call them back.

When the hacker says they “got no phone number,” Beth has had enough.

“Alright, well then I’m just gonna go ahead and end this phone call now,” she says. “I think we spent enough time and energy on this.”

“Well, good luck,” Beth says.

“Thank you, take care,” the hacker says.

The company that was allegedly hacked in this incident, which TechCrunch is not naming so as not to help the hackers extort the company, did not respond to a request for comment.

Read more on TechCrunch:

Why ransomware victims can’t stop paying off hackers
Do government sanctions against ransomware groups work?
Why extortion is the new ransomware threat
Why are ransomware gangs making so much money?