By Raphael Satter and Christopher Bing
WASHINGTON (Reuters) – Hackers working for the ‘Blackcat’ ransomware gang are behind the outage at UnitedHealth’s technology unit that has snarled prescription deliveries for six days, two people familiar with the matter told Reuters on Monday.
The problems began last week after hackers gained access to Change Healthcare’s information technology systems and has led to disruptions at pharmacies across the United States.
Change Healthcare and UnitedHealth did not immediately respond to requests for comment. Blackcat, also known as “ALPHV,” did not immediately respond when asked whether it was responsible.
Alphabet’s cybersecurity unit Mandiant is handling the investigation into the breach, the two people said. In a statement, Mandiant confirmed it “has been engaged in support of the incident response” but declined to comment further.
Blackcat is one of the most notorious of the internet’s many ransomware gangs – groups of cybercriminals who encrypt data to hold it hostage with the aim of securing massive payouts. It has previous struck major businesses including MGM Resorts International and Caesars Entertainment.
In December, Blackcat was the subject of a takedown by U.S.-led international law enforcement, which seized several websites used by the group as well as hundreds of digital keys used to decrypt victims’ data.
The hackers had threatened to retaliate by extorting critical infrastructure providers and hospitals.
CISA, the U.S. cyber watchdog agency, and the FBI also did not immediately respond to emails seeking comment.
One expert said the news suggested that digital disruptions, while important, could not be counted on to knock ransomware groups out for good.
“It’s inevitable that if you have a group that’s making millions of bucks, they are going to attempt to make a comeback,” said Brett Callow, a threat analyst at the cybersecurity firm Emsisoft.
The allegation that Blackcat was behind the hack at Change Healthcare also raised questions about parent company UnitedHealth’s previous claim that it had been targeted by a “suspected nation-state associated cybersecurity threat actor.”
“I am not aware of any links between ALPHV and a nation state,” Callow said. “As far as I am aware they are financially motivated cybercriminals and nothing more.”
Reuters has not been able to gauge the full extent of the disruption.
A number of pharmacy chains, including CVS Health and Walgreens, have said the outage had knock-on effects on their businesses.
The American Pharmacists Association (APhA) said on Friday many pharmacies across the nation could not transmit insurance claims for their patients following the hack.
It said pharmacies were reporting “significant backlogs of prescriptions,” which they were unable to process.
(Reporting by Raphael Satter and Christopher Bing in Washington; Additional reporting by Pratik Jain in Bengaluru; Editing by Sriraj Kalluvila, Shilpi Majumdar and Bill Berkrot)