
Change Healthcare: Ransomware’s Impact Spreads Far Beyond Your Company

Written by: Matthew Delman

The Change Healthcare ransomware attack has had one of the biggest and widest impacts in recent years. For six weeks now, most of the revenue cycle management company’s services have been down as it tries to recover from the February 21 attack by BlackCat/ALPHV.

Hundreds of healthcare providers have been unable to collect revenue or, in some cases, pay their employees. At least one skilled nursing facility has already closed its doors because of the financial struggle the attack caused.

This attack and its spreading impact demonstrate how fast the effects of ransomware can snowball through a company’s customer base. Roughly 1 in 3 medical claims in the United States go through Change Healthcare’s systems. The six weeks that most of the company’s systems have been down mean that a lot of those transactions were frozen.

While most companies aren’t nearly as central as Change Healthcare, the aftereffects of this incident nevertheless show that ransomware affects more than the company working to recover.

Ransomware Attacks Affect Customers Too

When a ransomware attack locks down corporate systems, the stoppage in operations has a cascading impact. Most don’t have quite the broad effect on an entire industry that Change Healthcare’s attack did, but they do have an effect on customers.

Ransomware used to lock down data means a company can’t operate its products or services. If you’re offering critical functions to a customer, that means they can’t do their jobs until you resolve the incident. If data is exfiltrated as part of the ransomware attack, that adds a dimension of data theft to the attack.

As it stands, medical facilities and physicians’ practices have been unable to collect revenue for six weeks because of the Change Healthcare attack. UnitedHealthcare Group also confirmed on March 29, 2024, that data was stolen as part of the attack. This makes the attack even worse, as the data could include personal financial information, health data, and other information on the patient records in Change Healthcare’s database. The company could not confirm the theft earlier because there was no safe way to pull information from Change’s database to check.

Recovering from Ransomware Attacks is Complicated

According to recent data, there’s an average of 24 days of downtime following a ransomware attack. This is understandable, as recovering from ransomware is often a complex process. There are forensic investigations that need to occur and systems that need to be repaired.

In the case of Change Healthcare, their systems needed to be completely rebuilt from scratch. They had to do this for over 100 services that were taken offline as part of the recovery efforts. Engineers and developers have been recreating services and rebooting from backups since the services were taken down on February 21 to prevent the attack from spreading.

As part of recovery, forensics specialists need to try to retain evidence so that law enforcement can trace what happened during the investigation and defenders can work to rectify any security holes. Understanding how the ransomware attack progressed is a vital part of recovery. Once you get a picture of where the intrusion began, it’s possible to protect against an attack happening the same way.

It’s thus necessary to preserve evidence while also working to recover from the attack. This empowers organizations to get a better picture of the attack and ensure it doesn’t happen again.

How Sotero Helps Defend Against Ransomware

Sotero is a data security solution like no other, creating layers for data defense against ransomware. Being purpose-built in the cloud for the cloud, Sotero defends cloud resources against ransomware, blocking the threat of it spreading to internal resources that are mapped to the cloud. Sotero uses advanced behavior-based anomaly detection rather than only a legacy signature-based approach to form a comprehensive ransomware solution. Detection is based on advanced machine learning that creates access and utilization baselines across your cloud infrastructure to detect, monitor, flag, isolate, and stop suspicious activity in real-time.

Sotero ransomware protection gives your organization the advantage of detecting malware at the earliest stages of the attack. It cuts off access, generates alerts, and creates an entire auditable log trail before malware can take hold. With early prevention, your organization eliminates the risk of sensitive data exfiltration and drastically reduces the blast radius to save you costly downtime and recovery time.

To learn how you can stop ransomware attacks before they can take down your organization, contact a data security specialist today!

