Ransomware group behind Change Healthcare attack goes dark | CyberScoop<\/title> <meta name=\"description\" content=\"ALPHV\/BlackCat reportedly received $22 million from Change Healthcare before scamming its affiliates ahead of a possible rebrand.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/ransomware-group-behind-change-healthcare-attack-goes-dark\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Ransomware group behind Change Healthcare attack goes dark\"> <meta property=\"og:description\" content=\"ALPHV\/BlackCat reportedly received $22 million from Change Healthcare before scamming its affiliates ahead of a possible rebrand.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/ransomware-group-behind-change-healthcare-attack-goes-dark\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-03-05T20:49:07+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1183\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"AJ Vicens\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@AJVicens\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1706643139g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/_static\/??\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css,\/wp-content\/plugins\/embedpress\/Gutenberg\/dist\/blocks.style.build.css?m=1709662998\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/_static\/??\/wp-content\/plugins\/embedpress\/assets\/css\/embedpress.css,\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1709325119\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=74528d75ce0daeb8628a\" media=\"all\">\n<link rel=\"stylesheet\" id=\"all-css-10\" href=\"https:\/\/cyberscoop.com\/_static\/??\/wp-includes\/css\/dashicons.min.css,\/wp-content\/plugins\/embedpress\/assets\/css\/plyr.css?m=1706739310\" type=\"text\/css\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/79635\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.4.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=79635\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fransomware-group-behind-change-healthcare-attack-goes-dark%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fransomware-group-behind-change-healthcare-attack-goes-dark%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-79635 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/ransomware-group-behind-change-healthcare-attack-goes-dark\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.881028938907\">\n<div class=\"single-article__header-content\" readability=\"30.225663716814\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/threats\/cybercrime\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> ALPHV\/BlackCat reportedly received $22 million from Change Healthcare before scamming its affiliates ahead of a possible rebrand. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"394\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark.jpg?resize=640%2C394&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-2.jpg?resize=300,185 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-2.jpg?resize=768,473 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-2.jpg?resize=1024,631 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-2.jpg?resize=1536,946 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-2.jpg?resize=600,370 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-2.jpg?resize=273,168 273w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-2.jpg?resize=547,337 547w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-2.jpg?resize=1096,675 1096w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-2.jpg?resize=1368,843 1368w\" sizes=\"(max-width: 1096px) 100vw, 1096px\"><figcaption> The concept of financial security, personal data hacking (Anton Petrus\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"69.214629580102\"><body readability=\"138.97739801544\"><\/p>\n<p>The criminal hacking group that <a href=\"https:\/\/cyberscoop.com\/ransomware-alphv-healthcare-pharmacies\/\">claimed credit<\/a> for the crippling ransomware attack on Change Healthcare \u2014 an incident that is roiling U.S. health care providers and threatening some with <a href=\"https:\/\/www.cnbc.com\/2024\/02\/29\/change-healthcare-cyberattack-has-caused-financial-mess-for-doctors.html\">financial ruin<\/a> \u2014 has shuttered its website, posting an apparently fake law enforcement takedown notice and claiming it would sell its source code.<\/p>\n<p>The group, known interchangeably as ALPHV or BlackCat, posted the fake seizure notice some time between late Monday evening and early Tuesday after reports that it had received a ransom payment from Change Healthcare \u2014 and then refused to distribute it to the affiliate that had carried out the attack. <\/p>\n<p>In a post to an underground criminal forum Sunday, a person claiming to be an ALPHV affiliate \u2014 a member of a group that carries out ransomware attacks using ALPHV\u2019s tools in exchange for splitting the proceeds of any ransomware payments \u2014 claimed that Change Healthcare\u2019s parent company had made a $22 million ransom payment. Rather than share the proceeds, ALPHV administrators took the money for themselves, according to <a href=\"http:\/\/x.com\/ddd1ms\/status\/1764639254016102410?s=20\">a screenshot of the post<\/a> highlighted by Recorded Future analyst Dmitry Smilyanets. <\/p>\n<p>By Tuesday, an ALPHV administrator claimed that group had \u201cdecided to completely close the project\u201d because \u201cthe feds screwed us over,\u201d according to <a href=\"http:\/\/x.com\/ddd1ms\/status\/1764979901965201552?s=20(opens%20in%20a%20new%20tab)%20%20Currently%20selected%20link%20settings\">a screenshot of the post<\/a> shared by Smilyanets. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Around the same time, ALPHV put up the apparently fake seizure notice, and in a post to a messaging service used by the group said it was selling its source code for $5 million.<\/p>\n<p>Cybercrime researchers broadly agree that the FBI seizure notice is almost certainly fake and appears to have been copied and pasted from a previous seizure of ALPHV-related infrastructure. Researchers point to several factors supporting the conclusion, including inconsistent HTML source code compared to legitimate seizure notices, the post coinciding with claims that ALPHV administrators have scammed one of their affiliates and the fact that at least one of the law enforcement agencies listed on the takedown notice \u2014 the U.K.\u2019s National Crime Agency \u2014 has denied any involvement.<\/p>\n<p>ALPHV administrators did not respond to a CyberScoop request for comment Tuesday.<\/p>\n<p>A Change Healthcare spokesperson did not respond to questions about the apparent $22 million payment late Monday. \u201cWe remain focused on the investigation and recovery of our operations,\u201d the spokesperson said in an email.<\/p>\n<p>Meanwhile, the <a href=\"https:\/\/www.hhs.gov\/about\/news\/2024\/03\/05\/hhs-statement-regarding-the-cyberattack-on-change-healthcare.html\">U.S. Department of Health and Human Services said Tuesday<\/a> it was taking steps to help facilitate payment processing and other financial support measures to support health care providers, many of whom are facing cash flow problems amid the ongoing ransomware attacks.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>CyberScoop could not confirm that Change Healthcare made the payment, which was revealed in the forum post from the angry ALPHV affiliate. That post made reference to a cryptocurrency wallet that received a <a href=\"https:\/\/www.blockchain.com\/explorer\/addresses\/btc\/14Q5xgBHAkWxDVrnHautcm4PPGmy5cfw6b\">March 1 payment of roughly 350 bitcoin<\/a> \u2014 approximately $22.7 million \u2014 which was then <a href=\"https:\/\/www.blockchain.com\/explorer\/addresses\/btc\/14Q5xgBHAkWxDVrnHautcm4PPGmy5cfw6b\">split equally<\/a> between seven additional accounts. Cybercrime researchers have linked the wallet that received the 350 bitcoin payment to previous ALPHV operations. <\/p>\n<p>Cybercrime researchers said that by taking payment and closing up shop, ALPHV appears to be carrying out a classic exit-scam. Researchers caution that ALPHV\/BlackCat will likely rebrand and reemerge in the near future \u2014 as it has before. <\/p>\n<p>Late last year, the FBI carried out a takedown operation against ALPHV, only to see the group immediately restart operations. Will Thomas, a cybercrime researcher and SANS instructor, said that ALPHV affiliates likely lost millions of dollars due to the decryption operations carried out by law enforcement as part of that operation, and it was no surprise that they have decided to shut down. <\/p>\n<p>\u201cBut as this group is a rebrand that can be traced backed to both DarkSide and BlackMatter, it would not be a surprise if they return once more in the not too distant future,\u201d Thomas said.<\/p>\n<p>In <a href=\"https:\/\/www.databreaches.net\/developing-alphv-allegedly-scammed-change-healthcare-and-its-own-affiliate\/\">an interview with the cybercrime blog Databreaches.net<\/a>, a \u201cnow-former\u201d ALPHV admin said that they\u2019d also been locked out of the ALPHV infrastructure, and \u201cconfirmed that the admin(s) had stolen the affiliate\u2019s funds and also confirmed that Change Healthcare had been given a decryptor after they paid.\u201d The former admin also said that a re-branding is \u201cpending.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Fabian Wosar, a ransomware researcher with Emsisoft, <a href=\"https:\/\/x.com\/fwosar\/status\/1765012402314023401?s=20\">described in a series of posts on the social media platform X<\/a> how it was \u201cblatantly obvious\u201d that the group was \u201cexit scamming their affiliates\u201d with the phony law enforcement seizure notice. Wosar pointed to the HTML source code on the website showing signs that it had been copied and pasted from a legitimate seizure.<\/p>\n<p>The notice is identical to the one posted to the old ALPHV site in December after that FBI disruption operation.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" width=\"640\" height=\"458\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark.png?resize=640%2C458&ssl=1\" alt class=\"wp-image-79637\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-1.png 1400w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-1.png?resize=300,215 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-1.png?resize=768,550 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-1.png?resize=1024,733 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-1.png?resize=600,429 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-1.png?resize=235,168 235w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-1.png?resize=471,337 471w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-1.png?resize=943,675 943w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-1.png?resize=1178,843 1178w\" sizes=\"(max-width: 1400px) 100vw, 1400px\"><figcaption class=\"wp-element-caption\">The apparently fake seizure notice posted to the ALPHV\/BlackCat website (CyberScoop).<\/figcaption><\/figure>\n<p>The FBI did not respond to multiple requests for comment Tuesday. The <a href=\"https:\/\/www.msn.com\/en-us\/news\/technology\/blackcat-ransomware-site-claims-it-was-seized-uk-law-enforcement-denies-being-behind-disruption\/ar-BB1jmZFn\">U.K.\u2019s National Crime Agency told Reuters<\/a> that it played no role in any disruptions to the ALPHV infrastructure. Neither the Department of Justice nor the U.S. Attorney\u2019s Office for the Southern District of Florida \u2014 both which were specifically mentioned in the notice \u2014 responded to a request for comment.<\/p>\n<p>If confirmed, the $22 million ransom payment could encourage further attacks on the health care sector. \u201cWe saw this in the case of the Conti chat logs where they identified certain sectors of being more likely to pay,\u201d Kurtis Minder, the co-founder and CEO of GroupSense and a longtime ransomware negotiator, told CyberScoop in an online chat, referring to <a href=\"https:\/\/www.cnn.com\/2022\/03\/30\/politics\/ukraine-hack-russian-ransomware-gang\/index.html\">leaked internal documents<\/a> and chats from the Conti ransomware gang that documented how they would target industries with a history of paying ransoms.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>But Minder said he was sympathetic toward executives who chose to pay ransoms. \u201cIn many cases if they don\u2019t pay \/ pay quickly they go out of business or people are harmed.\u201d<\/p>\n<p>Amir Sadon, the director of incident response research with Sygnia, told CyberScoop that in this case it\u2019s not yet clear what happened between the group and its affiliates, what law enforcement\u2019s role was, or whether the group is actually shutting down. <\/p>\n<p>Given the uncertainties, Change Healthcare may receive the short-term relief of having its data decrypted, but that doesn\u2019t mean the threat is over.<\/p>\n<p>\u201cIn most cases, once you pay the ransom, you will have some sort of guarantee that the group who attacked you will keep their part of the deal, but obviously you can never be sure when you are dealing with criminals,\u201d said Sadon, who <a href=\"https:\/\/www.sygnia.co\/blog\/blackcat-ransomware\/\">published an analysis Tuesday<\/a> of a 2023 Sygnia incident response engagement dealing with an ALPHV\/BlackCat attack.<\/p>\n<p>Ultimately, the erratic developments surrounding ALPHV in recent days highlights the nature of this slice of the cybercrime underworld, said Brett Callow, a threat analyst with Emsisoft.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cGangs are sometimes said to be organized like legitimate businesses, but this shows the chaos that exists within the ecosysytem,\u201d he said. \u201cCriminals scamming criminals.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.2285067873303\">\n<div class=\"author-card\" readability=\"8\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/ransomware-group-behind-change-healthcare-attack-goes-dark-1.jpg?w=640&ssl=1\" alt=\"AJ Vicens\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by AJ Vicens<\/h4>\n<p> AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal\/WhatsApp: (810-206-9411). <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/ransomware-group-behind-change-healthcare-attack-goes-dark\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ransomware group behind Change Healthcare attack goes dark | CyberScoop<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[950,1652,1603,282,46],"tags":[955,1653,1605,286,54],"class_list":["post-2665","post","type-post","status-publish","format-standard","hentry","category-alphv","category-blackcat","category-change-healthcare","category-cybercrime","category-ransomware","tag-alphv","tag-blackcat","tag-change-healthcare","tag-cybercrime","tag-ransomware"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/alphv\/\" rel=\"category tag\">ALPHV<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/blackcat\/\" rel=\"category tag\">BlackCat<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/change-healthcare\/\" rel=\"category tag\">Change Healthcare<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a>","tag_info":"ransomware","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2665","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2665"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2665\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2665"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2665"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2665"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":2665,"date":"2024-03-05T20:49:07","date_gmt":"2024-03-05T20:49:07","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=79635"},"modified":"2024-03-05T20:49:07","modified_gmt":"2024-03-05T20:49:07","slug":"ransomware-group-behind-change-healthcare-attack-goes-dark","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/03\/05\/ransomware-group-behind-change-healthcare-attack-goes-dark\/","title":{"rendered":"Ransomware group behind Change Healthcare attack goes dark"},"content":{"rendered":"