‘Decision to pay ransom was mine’ • The Register


UnitedHealth CEO Andrew Witty will tell US lawmakers Wednesday the cybercriminals who hit Change Healthcare with ransomware used stolen credentials to remotely access a Citrix portal that didn’t have multi-factor authentication enabled.

Once they were into that management system, the miscreants were able to move through the network to steal people’s sensitive data and deploy extortionware.

As well as that admission, Witty is also expected to confirm making a payment to the extortionists, presumably to prevent a wider leak of that info, which reportedly cost the healthcare giant $22 million.

“As chief executive officer, the decision to pay a ransom was mine,” as Witty put it in written testimony [PDF] he will deliver to the House Energy and Commerce Committee on May 1. “This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone.”

The House committee called Witty to explain himself as part of its probe this week into the Change Healthcare cyberattack. The US Senate Finance Committee is holding a hearing Wednesday along the same lines, and Witty will testify at both inquiries.

Plus, three US Senators on Monday sent a letter [PDF] to the US government’s Cybersecurity and Infrastructure Security Agency (CISA) asking the infosec body to provide details about how it’s helping Change Healthcare recover from the February IT breach, as well as the larger risk from ransomware.

Crims spent nine days snooping around

On February 12, ALPHV ransomware affiliates gained access to the healthcare org’s IT systems using “compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops,” according to Witty’s upcoming testimony.

“The portal did not have multi-factor authentication,” Witty will testify during the House committee hearing. “Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.”

ALPHV's criminals activated their malware on February 21, "encrypting Change's systems so we could not access them," according to the written testimony.
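The intrusion chain described above starts with a password-only login to an internet-facing remote-access portal. The check a defender would want is simple: find every successful portal login that completed without a second factor, because each one is an account a stolen password alone can open. The following Python is an added example, not code from The Register, Change Healthcare or Citrix; the log line format, the field names (`portal`, `user`, `result`, `factors`, `src`) and the sample lines are constructed for illustration and do not reflect any real product's log schema.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample remote-access gateway auth log (assumed format, not a real
# Citrix log). One line per authentication attempt; "factors" lists the
# factors actually satisfied before the session was granted.
SAMPLE_LOG = """\
2024-02-12T03:14:07Z portal=remote-gw user=jsmith result=success factors=password src=203.0.113.45
2024-02-12T03:20:51Z portal=remote-gw user=agarcia result=success factors=password,totp src=198.51.100.7
2024-02-12T04:02:13Z portal=remote-gw user=svc_backup result=failure factors=password src=203.0.113.45
2024-02-13T09:45:00Z portal=remote-gw user=jsmith result=success factors=password src=203.0.113.45
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) portal=(?P<portal>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) factors=(?P<factors>\S+) src=(?P<src>\S+)$"
)

# Factors that count as "something you have"; a login is MFA-backed only if at
# least one of these was satisfied in addition to the password.
STRONG_FACTORS = {"totp", "push", "fido2", "smartcard"}


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    portal: str
    user: str
    success: bool
    factors: tuple
    src: str


def parse_log(text: str) -> list:
    """Parse the constructed log format into AuthEvent records.

    Malformed lines are skipped rather than raising, so a single bad line
    cannot stop the whole review.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(
            ts=ts,
            portal=m["portal"],
            user=m["user"],
            success=(m["result"] == "success"),
            factors=tuple(m["factors"].split(",")),
            src=m["src"],
        ))
    return events


def single_factor_logins(events) -> list:
    """Successful logins that were granted on a password alone."""
    return [e for e in events if e.success and not (set(e.factors) & STRONG_FACTORS)]


def users_missing_mfa(events) -> list:
    """Sorted list of accounts that got in without a second factor."""
    return sorted({e.user for e in single_factor_logins(events)})


def sources_with_single_factor_access(events) -> dict:
    """Map each source address to the accounts it opened without MFA.

    Useful for spotting one external address that holds several passwords.
    """
    by_src = {}
    for e in single_factor_logins(events):
        by_src.setdefault(e.src, set()).add(e.user)
    return {src: sorted(users) for src, users in by_src.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("password-only logins:", len(single_factor_logins(evs)))
    print("accounts without MFA:", users_missing_mfa(evs))
    print("by source:", sources_with_single_factor_access(evs))
```

On the constructed sample, `jsmith` is flagged twice from the same external address while `agarcia`, who completed a TOTP step, is not. In practice the same query belongs in whatever log platform ingests the portal's authentication events, and the real fix is the one the testimony implies: enforce MFA on the portal so a password-only session cannot be created in the first place.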

And that’s when hospitals and pharmacies
