Change Healthcare: How One Ransomware Took Down US Pharmacy
Threat Intelligence
ALPHV's attack on Change Healthcare disrupted 80% of US pharmacy claims for weeks. The post-mortem is a master class in concentrated SaaS risk and the limits of paying.
By Arjun Raghavan, Security & Systems Lead, BIPI · May 6, 2024 · 9 min read
On February 21, 2024, Change Healthcare detected ALPHV/BlackCat ransomware in its environment and pulled the plug on its own infrastructure to contain the spread. Change processes roughly 15 billion healthcare transactions per year and clears claims for an estimated 80 percent of US pharmacies. For weeks afterward, pharmacies could not verify insurance, providers could not get paid, and patients paid cash for prescriptions or went without. This was a SaaS outage with body-count implications.
Timeline
Initial access happened around February 12 via stolen Citrix credentials on a portal that lacked MFA. The actor moved laterally for nine days, harvesting 6 TB of data and staging encryption. On February 21, ALPHV detonated. Change isolated systems, and the US pharmacy network seized up. On March 1, ALPHV announced an exit scam after collecting an alleged $22 million ransom from Change, leaving the affiliate who actually did the intrusion unpaid. That affiliate, RansomHub, then re-extorted Change with the same stolen data in April. UnitedHealth Group CEO Andrew Witty testified before Congress in May that the company had paid the ransom and was still working through the data exposure.
Root cause: one Citrix server, no MFA
The intrusion vector confirmed in Witty's testimony was a Citrix remote access portal that had been provisioned without MFA. Credentials for that portal were almost certainly bought from an initial access broker. From there, the actor reached Active Directory, escalated privileges, and operated for nine days before detection. There was no novel exploit. No zero-day. A missing MFA toggle on one perimeter system unlocked $872 million in disclosed first-quarter costs and a national pharmacy crisis.
Attacker actions
ALPHV's affiliate ran a standard double-extortion playbook: dwell, dump, detonate. Nine days of dwell time across a complex acquired environment (Change had only recently been folded into UnitedHealth's Optum). They exfiltrated 4 to 6 TB of data including PHI on a still-unknown fraction of Americans (Change initially said 'a substantial proportion', later estimates put it at one in three). They encrypted production systems and demanded a ransom that UnitedHealth paid. ALPHV then exit-scammed and ran with the money, leaving the affiliate to re-extort with the same data. Change paid twice and still saw data leaked.
Detection and the dwell time problem
Nine days is not catastrophic dwell time. It is normal dwell time. Mandiant's M-Trends consistently shows medians in that range for ransomware events. The detection question is not how to shorten dwell to zero but how to catch the loud, terminal phase before encryption fires. The signals during this kind of intrusion are familiar: new domain admin creation, mass file enumeration with tools like SoftPerfect Network Scanner, abnormal SMB traffic to file shares, scheduled task creation across many hosts, and finally, a burst of remote service creation that precedes the encryption command. EDR was the gap. Logging was the gap. The intrusion was not subtle; it was unseen.
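The signals listed above are the kind of thing a SIEM correlation rule catches when the logs exist. The following is an added example, not code from the post or from Change Healthcare: it parses a constructed, simplified Windows event log (hypothetical hosts and accounts; the "time host event_id account detail" layout is an assumption for the example) and raises one alert for a Domain Admins membership change (event 4728) and one alert whenever a single account creates scheduled tasks (4698) or services (7045) on three or more distinct hosts inside a ten-minute window.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time host event_id account detail")

# Constructed sample log (hypothetical hosts and accounts, not real telemetry).
# Layout assumed for this example: time host event_id account detail
SAMPLE_LOG = """\
2024-02-20T22:01:00 DC01 4728 svc_backup group=Domain Admins member=svc_backup
2024-02-20T23:30:00 WS07 4698 jdoe task=ScheduledDefrag
2024-02-21T01:10:00 FS01 4698 svc_backup task=Update1
2024-02-21T01:11:00 FS02 4698 svc_backup task=Update1
2024-02-21T01:12:00 APP03 4698 svc_backup task=Update1
2024-02-21T01:13:00 APP04 4698 svc_backup task=Update1
2024-02-21T02:00:00 FS01 7045 svc_backup service=winupd
2024-02-21T02:00:30 FS02 7045 svc_backup service=winupd
2024-02-21T02:01:00 APP03 7045 svc_backup service=winupd
2024-02-21T02:01:20 APP04 7045 svc_backup service=winupd
2024-02-21T02:02:00 DB01 7045 svc_backup service=winupd
2024-02-21T09:00:00 WS12 7045 SYSTEM service=VendorUpdate
"""


def parse_log(text):
    """Parse one event per line, skipping blank lines; return events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, account, detail = line.split(maxsplit=4)
        events.append(Event(datetime.fromisoformat(ts), host, int(eid), account, detail))
    return sorted(events, key=lambda e: e.time)


# Event IDs whose fan-out across many hosts in a short window marks staging:
# 4698 = scheduled task created, 7045 = new service installed (System log).
BURST_EVENTS = {4698: "TASK_BURST", 7045: "SERVICE_BURST"}


def detect(events, window=timedelta(minutes=10), host_threshold=3):
    """Return (label, account, host_count, first_seen) tuples for each alert."""
    alerts = []
    # Rule 1: any addition to Domain Admins (4728) earns a ticket on its own.
    for e in events:
        if e.event_id == 4728 and "group=Domain Admins" in e.detail:
            alerts.append(("PRIV_GROUP_ADD", e.account, 1, e.time))
    # Rule 2: one account creating tasks or services on >= host_threshold
    # distinct hosts inside `window`; sliding window per account, one alert
    # per account and burst type so a single push does not spam the queue.
    for eid, label in BURST_EVENTS.items():
        per_account = defaultdict(list)
        for e in events:
            if e.event_id == eid:
                per_account[e.account].append(e)
        for account, evs in per_account.items():
            for i, first in enumerate(evs):
                hosts = {x.host for x in evs[i:] if x.time - first.time <= window}
                if len(hosts) >= host_threshold:
                    alerts.append((label, account, len(hosts), first.time))
                    break
    return alerts


def run_sample():
    """Run the rules over the constructed log; used by the usage block below."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for label, account, n_hosts, when in run_sample():
        print(f"{when.isoformat()} {label} account={account} hosts={n_hosts}")
```

The single-host task on WS07 and the vendor updater service on WS12 produce no alert, which is the point of the distinct-host threshold: routine activity is one host at a time, staging for encryption is one account touching many hosts in minutes. In production the same logic runs over forwarded Security and System logs, and the window and threshold are tuned against a baseline of legitimate software deployment.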
Lessons
First, paying does not buy you out. ALPHV took the money and disappeared with the affiliate's cut. The affiliate kept the data and extorted again. That outcome is not a one-off; it is the predictable consequence of paying a criminal who answers to nobody. Second, sector concentration is now a national security question. The pharmacy clearinghouse market has consolidated to the point that one company's bad weekend is a national emergency. Customers should be auditing the concentration risk in their vendor stacks, and regulators should be asking why this much critical infrastructure runs on a single-vendor monoculture.
The BIPI take
MFA enforcement is not a maturity model question. It is a yes/no question on every authenticated surface that touches your network. Change Healthcare is a billion-dollar lesson in the cost of a single "no" answer. If you operate a critical-sector SaaS, you owe your customers concentration-risk transparency: failover modes, paper-process runbooks, and an honest assessment of what breaks when you go down.