ReportWire

Tag: Ransomware

  • Cyberhackers Claim Wynn Resorts Breach, Demand $1.5Million to Stop Data Leak – Casino.org

    Posted on: February 20, 2026, 03:20h. 

    Last updated on: February 20, 2026, 03:20h.

    • Hackers demand $1.5 million in Bitcoin after claiming to steal 800,000 internal Wynn Resorts employee records
    • The stolen data contains sensitive personal information including Social Security numbers, salaries, and birth dates
    • The extortionists say they got in through an Oracle PeopleSoft vulnerability using an employee’s credentials; the group is known for vishing to harvest such credentials

    A prolific data‑theft and extortion gang claims to have stolen 800,000 internal records from Wynn Resorts and wants at least $1.5 million in Bitcoin to prevent a leak, according to The Register.

    A cyberhacker gang has claimed to have stolen personal information from thousands of current and former employees of Wynn Resorts. (Image: Shutterstock)

    The records reportedly include the full names, Social Security numbers, email addresses, phone numbers, job titles, salaries, start dates and birthdays of current and former Wynn employees.

    The hacking crew, known as ShinyHunters, posted Wynn’s name on its leak site last week and is

    Wynn Resorts, which operates major luxury properties in Las Vegas and Macau, has not confirmed the breach and did not respond to inquiries from multiple outlets.

    A stock representation of a cyberhacker. (Image: Shutterstock)

    ShinyHunters told The Register that it gained access to Wynn’s systems in September 2025 by exploiting an Oracle PeopleSoft vulnerability using an employee’s credentials. The group did not specify whether those credentials were stolen through social engineering or purchased from an insider.

    ShinyHunters has increasingly relied on voice phishing, or “vishing,” to impersonate IT staff and trick employees into surrendering login credentials and multi‑factor authentication codes. This method mirrors the tactics used by Scattered Spider, the group responsible for the 2023 cyberattacks on MGM Resorts and Caesars Entertainment, which resulted in ransomware deployment, operational disruptions, and the theft of tens of thousands of customer records.

    Multiple arrests followed in the US and UK, including the 2025 detention of a Las Vegas teenager linked to the casino hacks.

    ShinyHunters, Scattered Spider, and the hacking collective LAPSUS$ are now believed to operate under a loose co-branded extortion identity sometimes referred to as Scattered LAPSUS$ Hunters. Cybersecurity researchers emphasize that this is not a formal merger but a fluid collaboration among threat clusters that share infrastructure and techniques.

    In addition to threatening to leak the data, ShinyHunters has also threatened Wynn Resorts with “several annoying problems that’ll come your way” if the company does not comply by the deadline.


    Corey Levitan

  • DOJ accuses US ransomware negotiators of launching their own ransomware attacks | TechCrunch

    U.S. prosecutors have charged two rogue employees of a cybersecurity company that specializes in negotiating ransom payments with hackers on behalf of victims, accusing them of carrying out ransomware attacks of their own.

    Last month, the Department of Justice indicted Kevin Tyler Martin and another unnamed employee, who both worked as ransomware negotiators at DigitalMint, on three counts of computer hacking and extortion related to a series of attempted ransomware attacks against at least five U.S.-based companies.

    Prosecutors also charged a third individual, Ryan Clifford Goldberg, a former incident response manager at cybersecurity giant Sygnia, as part of the scheme.

    The three are accused of hacking into companies, stealing their sensitive data, and deploying ransomware developed by the ALPHV/BlackCat group.

    The ALPHV/BlackCat gang operates as a ransomware-as-a-service model, in which the gang develops the file-encrypting malware used to steal and scramble the victims’ data, while its affiliates — such as the three individuals indicted — carry out the hacks and deploy the gang’s ransomware. The gang then takes a cut of the profits made from any ransom payments.

    According to an FBI affidavit filed in September, the rogue employees received more than $1.2 million in ransom payments from one victim, a medical device maker in Florida. They also targeted several other companies, including a Virginia-based drone maker and a Maryland-headquartered pharmaceutical company. 

    The Chicago Sun-Times first reported the indictment on Sunday.

    Sygnia chief executive Guy Segal confirmed to TechCrunch that Goldberg was a Sygnia employee and was terminated after Sygnia learned of his alleged involvement with the ransomware attacks. The company declined to comment further citing the FBI’s ongoing investigation.

    DigitalMint president Marc Grens told TechCrunch that Martin was an employee at the time of the alleged hacks, but said Martin was “acting completely outside the scope of his employment.” 

    Grens also said the unnamed individual may be a former employee, and that DigitalMint is cooperating with the government’s investigation.

    Zack Whittaker

  • AI is the common threat—and the secret sauce—for security startups in the Fortune Cyber 60 | Fortune

    AI is everywhere these days. And cybersecurity is no exception. 

    A closer look at the latest installment of the Fortune Cyber 60 list, which ranks the most promising cybersecurity startups, shows just how pervasive artificial intelligence has become in the field. Of the 14 new startups on the list in the “early-stage” category, just about all are focused squarely on AI. 

    And pretty much every company on the list, regardless of stage or size, is leaning heavily into AI. 

    “I would say at this point [the list] is wall-to-wall focused on AI and on enabling the safe use of AI,” says Guru Chahal, a partner at Lightspeed Venture Partners, which created the Cyber 60 in partnership with Fortune.

    For corporations today, AI is an inescapable fact of life: Business leaders are under pressure to incorporate AI technology into their operations; hackers are arming themselves with AI to devise ever more sophisticated attacks; and employees are using their own AI tools at work, creating privacy and security risks that an employer may not even be aware of.

    According to a survey that Lightspeed conducted of 200 chief security officers at companies with more than $500 million in annual revenue, 75% reported that they have experienced, or suspect they have experienced, an AI-related security incident in the past 12 months. 

    The pervasiveness of the problem and the breadth of potential risks are reflected in the assortment of AI-focused security tools provided by the companies on this year’s Cyber 60.

    Products from companies like Cogent Security, 7AI, Prophet, and Dropzone AI, for instance, automate some of the routine defensive tactics that companies perform, using agents to send out alerts and escalate incident reports. That’s a strong selling point at a time when many organizations are struggling to find qualified candidates to fill security roles. 

    Startups such as Virtue AI, WitnessAI, Zenity, and Astrix Security focus on the security of the AI tools that are being used by employees within the workplace—both the tools that are officially approved and used by the companies, as well as the “ghost” tech that individual employees might use on their own.

    Larger cyber startups are moving aggressively to bolster their product offerings for the evolving threat landscape. In September, Cato Networks, a repeat Cyber 60 company in the “growth-stage” category, acquired Aim Security, a startup focused on secure deployment of AI within the enterprise. Chainguard, another repeat Cyber 60 startup that’s focused on security vulnerabilities in open-source software, raised an additional $280 million in funding last week. 

    Meanwhile, two of the largest Cyber 60 startups from last year’s list have “graduated” this year. In September, Netskope listed shares on the Nasdaq, raising more than $900 million in its IPO. And Wiz was acquired by Google for a whopping $32 billion.

    It’s a testament to the growing importance of cybersecurity within the IT industry, says Lightspeed’s Chahal. The rapid advances of AI and the ceaseless scheming of cybercriminals and hackers make cyber startups one of the most dynamic and innovative sectors of the tech industry, Chahal says.

    “It’s the only market where you have an active adversary on the other side,” he notes. “As soon as you up your game, they up theirs.”

    Alexei Oreskovic

  • A Cyberattack on Jaguar Land Rover Is Causing a Supply Chain Disaster

    Almost immediately after the cyberattack, a group on Telegram called Scattered Lapsus$ Hunters claimed responsibility for the hack. The group name implies a potential collaboration between three loose hacking collectives, Scattered Spider, Lapsus$, and ShinyHunters, that have been behind some of the most high-profile cyberattacks in recent years. They are often made up of young, English-speaking cybercriminals who target major businesses.

    Building vehicles is a hugely complex process. Hundreds of different companies provide parts, materials, electronics, and more to vehicle manufacturers, and these expansive supply chain networks often rely upon “just-in-time” manufacturing. That means they order parts and services to be delivered in the specific quantities that are needed and exactly when they need them—large stockpiles of parts are unlikely to be held by auto makers.

    “The supplier networks that are supplying into these manufacturing plants, they’re all set up for efficiency—economic efficiency, and also logistic efficiency,” says Siraj Ahmed Shaikh, a professor in systems security at Swansea University. “There’s a very carefully orchestrated supply chain,” Shaikh adds, speaking about automotive manufacturing generally. “There’s a critical dependency for those suppliers supplying into this kind of an operation. As soon as there is a disruption at this kind of facility, then all the suppliers get affected.”

    One company that makes glass sun roofs has started laying off workers, according to a report in the Telegraph. Meanwhile, another firm told the BBC it has laid off around 40 people so far. French automotive company OPmobility, which employs 38,000 people across 150 sites, told WIRED it is making some changes and monitoring the events. “OPmobility is reconfiguring its production at certain sites as a consequence of the shutdown of its production by one of its customers based in the United Kingdom and depending on the evolution of the situation,” a spokesperson for the firm says.

    While it is unclear which specific JLR systems have been impacted by the hackers and what systems JLR took offline proactively, many were likely taken offline to stop the attack from getting worse. “It’s very challenging to ensure containment while you still have connections between various systems,” says Orla Cox, head of EMEA cybersecurity communications at FTI Consulting, which responds to cyberattacks and works on investigations. “Oftentimes as well, there will be dependencies on different systems: You take one down, then it means that it has a knock on effect on another.”

    Whenever there’s a hack in any part of a supply chain—whether that is a manufacturer at the top of the pyramid or a firm further down the pipeline—digital connections between companies may be severed to stop attackers from spreading from one network to the next. Connections via VPNs or APIs may be stopped, Cox says. “Some may even take stronger measures such as blocking domains and IP addresses. Then things like email are no longer usable between the two organizations.”

    The complexity of digital and physical supply chains, spanning across dozens of businesses and just-in-time production systems, means it is likely that bringing everything back online and up to full-working speed may take time. MacColl, the RUSI researcher, says cybersecurity issues often fail to be debated at the highest level of British politics—but adds this time could be different due to the scale of the disruption. “This incident has the potential to cut through because of the job losses and the fact that MPs in constituencies affected by this will be getting calls,” he says. That breakthrough has already begun.

    Matt Burgess

  • Hackers breach system responsible for New Orleans bond transactions, jail releases

    Hackers breach system responsible for New Orleans bond transactions, jail releases – CBS News

    A notorious ransomware group has claimed responsibility for a cyberattack at the Orleans Parish Sheriff’s Office. CBS News national reporter Kati Weis has the details.


  • Cybercriminals Pose a Greater Threat of Disruptive US Election Hacks Than Russia or China

    Russian, Chinese, and Iranian state-backed hackers have been active throughout the 2024 United States campaign season, compromising digital accounts associated with political campaigns, spreading disinformation, and probing election systems. But in a report from early October, the threat-sharing and coordination group known as the Election Infrastructure ISAC warned that cybercriminals like ransomware attackers pose a far greater risk of launching disruptive attacks than foreign espionage actors.

    While state-backed actors were emboldened following Russia’s meddling in the 2016 US presidential election, the report points out that they favor intelligence-gathering and influence operations rather than disruptive attacks, which would be viewed as direct hostility against the US government. Ideologically and financially motivated actors, on the other hand, generally aim to cause disruption with hacks like ransomware or DDoS attacks.

    The document was first obtained by the national security transparency nonprofit Property of the People and viewed by WIRED. The US Department of Homeland Security, which contributed to the report and distributed it, did not return WIRED’s requests for comment. The Center for Internet Security, which runs the Election Infrastructure ISAC, declined to comment.

    “Since the 2022 midterm elections, financially and ideologically motivated cyber criminals have targeted US state and local government entity networks that manage or support election processes,” the alert states. “In some cases, successful ransomware attacks and a distributed denial-of-service (DDoS) attack on such infrastructure delayed election-related operations in the affected state or locality but did not compromise the integrity of voting processes … Nation-state-affiliated cyber actors have not attempted to disrupt US elections infrastructure, despite reconnaissance and occasionally acquiring access to non-voting infrastructure.”

    According to DHS statistics highlighted in the report, 95 percent of “cyber threats to elections” were unsuccessful attempts by unknown actors. Two percent were unsuccessful attempts by known actors, and 3 percent were successful attempts “to gain access or cause disruption.” The report emphasizes that threat intelligence sharing and collaboration between local, state, and federal authorities help prevent breaches and mitigate the fallout of successful attacks.

    In general, government-backed hackers may stoke geopolitical tension by conducting particularly aggressive digital espionage, but their activity isn’t inherently escalatory so long as they are abiding by espionage norms. Criminal hackers are bound by no such restrictions, though they can call too much attention to themselves if their attacks are too disruptive and risk a law enforcement crackdown.

    Lily Hay Newman, Dell Cameron

  • Taylor Swift Concert Terror Plot Was Thwarted by Key CIA Tip

    Pavel Durov, the founder and CEO of the communication app Telegram, was arrested in France on Saturday as part of an investigation into his and Telegram’s alleged failure to moderate illegal content on the platform, among other allegations. After being detained for four days, he was charged on Wednesday evening, barred from leaving France, and released on the condition of posting a €5 million ($5.5 million) bail and reporting to a French police station twice a week. The Paris prosecutor’s office said on Wednesday that Durov faces complicity charges related to child sexual abuse material and drug trafficking, as well as charges for importing cryptology without prior declaration, and a “near-total absence” of cooperation with French authorities.

    “Nudify” deepfake websites that generate images of people’s naked bodies without their consent have been incorporating mainstream single sign-on authentication systems into their websites, a WIRED investigation found. Discord and Apple are terminating some developers’ accounts over this usage.

    Microsoft published research on Wednesday about a new multistage backdoor that the notorious Iranian hacking group APT 33 or Peach Sandstorm has been using to target victims in sectors including satellite, communications equipment, and oil and gas. And Google researchers found that suspected Russian hackers compromised Mongolian government websites between November 2023 and July 2024 and then infected vulnerable users who visited the sites with malware. Crucially, the attackers compromised targets using exploits that were identical or very similar to hacking tools created by the commercial spyware vendors NSO Group and Intellexa.

    And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

    The US Central Intelligence Agency provided Austrian law enforcement with crucial intelligence that led to the arrest of suspects who were allegedly plotting to attack Taylor Swift concerts in Austria at the beginning of the month. All three of the singer’s planned concerts were canceled at Vienna’s Ernst Happel Stadium because of the threat. CIA deputy director David Cohen said at the INSA intelligence conference on Wednesday, “Within my agency and others there were people who thought that was a really good day for Langley and not just the Swifties in my workforce.”

    The central suspect is a 19-year-old Austrian of North Macedonian background who reportedly made a full confession. Austrian law enforcement also arrested an 18-year-old and a 17-year-old in relation to the plot. Cops also reportedly interrogated a 15-year-old. The plot was allegedly inspired by the Islamic State and included plans to attack fans outside the venue with knives or explosives. Earlier this month, Austrian interior minister Gerhard Karner said foreign intelligence agencies contributed to the investigation because Austrian law bars text message surveillance.

    “They were plotting to kill a huge number, tens of thousands of people at this concert, including I am sure many Americans, and were quite advanced in this,” the CIA’s Cohen said at the conference. “The Austrians were able to make those arrests because the agency and our partners in the intelligence community provided them information about what this ISIS-connected group was planning to do.”

    Hackers who may be backed by the Chinese government have been exploiting a recently patched vulnerability in network management virtualization software known as Versa Director to compromise at least four US-based internet service providers and steal authentication credentials used by their customers. Researchers from Lumen’s Black Lotus Labs said on Thursday that the attacks began as early as June 12 and are likely still going on. The hackers exploit the Versa Director vulnerability to install remote access malware that Lumen dubbed “VersaMem.”

    “Given the severity of the vulnerability, the implications of compromised Versa Director systems, and the time that has now elapsed to allow Versa customers to patch the vulnerability, Black Lotus Labs felt it was appropriate to release this information at this time,” the researchers wrote in a blog post. “Lumen Technologies shared threat intelligence to warn appropriate US government agencies of the emerging risks that could impact our nation’s strategic assets.”

    The movie studio coalition known as the Alliance for Creativity and Entertainment said on Thursday that Hanoi police have investigated and taken down the Vietnam-based pirate streaming service Fmovies and its affiliates. The working group said it collaborated with law enforcement and provided information about Fmovies, which it called “the largest pirate streaming operation in the world.” The group added that Fmovies and its affiliate sites—which included bflixz, flixtorz, movies7, myflixer, and aniwave—had more than 6.7 billion visits between January 2023 and June 2024. The law enforcement operation also led to the takedown of video hosting provider Vidsrc.to and its affiliates because these services were allegedly “operated by the same suspects.” Hanoi police have arrested two men in connection with the case.

    Following a digital attack against dozens of French museums during the Olympic Games earlier this month, the ransomware gang known as Brain Cipher has claimed responsibility for the hacks and is threatening to leak 300 GB of stolen data from the museums. Le Grand Palais and dozens of other French national museums and cultural organizations are overseen by Réunion des Musées Nationaux – Grand Palais and reportedly all use some shared digital infrastructure, which the attackers targeted.

    Lily Hay Newman

  • 8/11/2024: Scattered Spider; Work to Own; Greta Gerwig

    8/11/2024: Scattered Spider; Work to Own; Greta Gerwig – CBS News

    First, costly ransomware attacks could worsen. Then, Is employee ownership a key to worker wealth? And, Greta Gerwig: The 60 Minutes Interview

  • Russians team up with young, English-speaking hackers for cyberattacks | 60 Minutes

    Russians team up with young, English-speaking hackers for cyberattacks | 60 Minutes – CBS News

    Cybersecurity investigators worry ransomware attacks may worsen as young, native-English speaking hackers in the U.S., U.K. and Canada team up with Russian hackers.

  • Russian duo confess to cyber heist that forced $500 million in ransom payments

    Two Russian nationals pleaded guilty to their roles in ransomware attacks in the U.S., Asia, Europe and Africa for a notorious hacking gang known as LockBit.

    Ruslan Magomedovich Astamirov and Mikhail Vasiliev admitted they helped to deploy the ransomware variant, which first appeared in 2020. It soon became one of the most destructive in the world, leading to attacks against more than 2,500 victims and ransom payments of at least $500 million, according to the Justice Department. 

    The men pleaded guilty Thursday in federal court in Newark, New Jersey, where six people have been charged over LockBit attacks, including Dimitry Yuryevich Khoroshev, described by the US as the creator, developer and administrator of the group. US authorities are offering a reward of up to $10 million for his arrest. 

    Astamirov, 21, of the Chechen Republic, and Vasiliev, 34, of Bradford, Ontario, pleaded guilty to charges including conspiracy to commit computer fraud and abuse. 

    LockBit is the name of a ransomware variant, a type of malicious code that locks up computers before hackers demand a ransom to unlock them. Hacking gangs are often known by the name of their ransomware variant. LockBit successfully deployed a ransomware-as-a-service model, in which “affiliates” lease the malicious code and do the actual hacking, in exchange for paying the gang’s leaders a cut of their illegal proceeds. Astamirov and Vasiliev were affiliates, according to the Justice Department.

    In recent years, the US and its allies have aggressively tried to curb ransomware attacks by sanctioning hackers or entities associated with them or disrupting the online infrastructure of cybercriminal gangs. But many hackers are located in places such as Russia, which provide them safe haven, making it difficult for Western law enforcement to arrest them.

    In February, US and UK authorities announced they disrupted LockBit operations, arresting alleged members, seizing servers and cryptocurrency accounts, and recovering decryption keys to unlock hijacked data. 

    “We’ve dealt significant blows to destructive ransomware groups like LockBit, as we did earlier this year, seizing control of LockBit infrastructure and distributing decryption keys to their victims,” said Deputy Attorney General Lisa Monaco, in a statement.

    Vasiliev deployed LockBit against at least 12 victims, including an educational facility in the UK and a school in Switzerland, the US said. He was arrested by Canadian authorities in November 2022 and extradited to the US in June. 

    Astamirov was arrested by the FBI last year. In May 2023, he agreed to an interview with FBI agents in Arizona, where they seized his electronic devices. He initially denied having anything to do with an email account through a Russian-based provider, but agents later found records related to it on his devices, according to the arrest complaint. Records showed that Astamirov used the email to “create multiple online accounts under names either fully or nearly identical to his own name,” the complaint said. 

    After August 2020, Astamirov executed cyberattacks on at least five victims, according to the FBI complaint. They included: businesses in France and West Palm Beach, Florida; a Tokyo firm, which refused to pay a ransom, leading the group to post stolen data on a “leak site” of extortion victims; a Virginia company that stopped an attack after 24,000 documents were stolen; and a Kenyan business that agreed to pay ransom after some of its stolen data was posted to the LockBit website. 

    Both are scheduled to be sentenced on Jan. 8, 2025. 

    David Voreacos, Bloomberg

  • CDK Global calls cyberattack that crippled its software platform a

    CDK Global is now calling the cyberattack that took down its software platform for its auto dealership clients “a ransom event.” 

    In a note to clients Saturday, CDK for the first time acknowledged that the hackers that made its dealer management system, or DMS, unavailable to clients for days, are demanding a ransom to restore its systems. 

    “Thank you for your patience as we recover from the cyber ransom event that occurred on June 19th,” CDK said in a memo to clients on Saturday, according to a copy of the email obtained by CBS MoneyWatch.

    CDK added in the note that it has started restoring its systems and expects the process of bringing major applications back online “to take several days and not weeks.”

    Beware of phishing

    In its memo, the company also warned car dealerships to be alert to phishing scams, or entities posing as CDK but who are in fact bad actors trying to obtain proprietary information like customers’ passwords. 

    A CDK spokesperson told CBS MoneyWatch that it is providing customers “with alternate ways to conduct business” while its systems remain inoperative. 

    The cybercriminals behind the CDK attack are linked to a group called BlackSuit, Bloomberg reported on Monday, citing Allan Liska of computer security firm Recorded Future. In a June 21 story, the media outlet also said the hackers were demanding tens of millions of dollars and that CDK planned to pay the ransom. 

    Liska didn’t immediately respond to a request for comment. CDK itself hasn’t pointed to any group behind the attack on its system that has disrupted car dealerships across the U.S. since last week. Companies targeted in ransomware schemes are often reluctant to disclose information in the midst of negotiations with hackers on a payment.

    “When you see an attack of this kind, it almost always ends up being a ransomware attack,” Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, told the Associated Press. “We see it time and time again unfortunately, [particularly in] the last couple of years. No industry and no organization or software company is immune.”

    “Doing everything manually”

    The hack has left some car dealers unable to do business altogether, while others report using pen and paper, and even “sticky notes” to record transactions. 

    Tom Maoli, owner of Celebrity Motor Car Company, which operates five luxury car dealerships across New York and New Jersey, on Monday told CBS MoneyWatch his employees “are doing everything manually.”

    “We are trying to keep our customers happy and the biggest issue is the banking side of things, which is completely backed up. We can’t fund deals,” he said. 


    Video: How CDK cyberattack is impacting Michigan car dealerships

    Asbury Automotive Group, a Fortune 500 company operating more than 150 new car dealerships across the U.S., in a statement on Monday said the attack has “adversely impacted” its operations and has hindered its ability to do business. Its Koons Automotive dealerships in Maryland and Virginia, however, which don’t rely on CDK’s software, have been able to operate without interruption, the company said.  

    Ransomware attacks are on the rise. In 2023, more than 2,200 entities, including U.S. hospitals, schools and governments, were directly impacted by ransomware, according to Emsisoft, an anti-malware software company. Additionally, thousands of private sector companies were targeted. Some experts believe that the only way to stop such attacks is to ban the payment of ransoms, which Emsisoft said would lead bad actors to “quickly pivot and move from high impact encryption-based attacks to other less disruptive forms of cybercrime.”

    Earlier this year, the U.S. Department of State offered $10 million in exchange for the identities of leaders of the Hive ransomware gang, which since 2021 has been responsible for attacks on more than 1,500 institutions in over 80 countries, resulting in the theft of more than $100 million. 

  • Nissan data breach exposed Social Security numbers of thousands of employees

    Nissan suffered a data breach last November in a ransomware attack that exposed the Social Security numbers of thousands of former and current employees, the Japanese automaker said Wednesday. 

    Nissan’s U.S.-based subsidiary, Nissan North America, detailed the cyberattack in a May 15 letter to affected individuals. In the letter, Nissan North America said a bad actor attacked a company virtual private network and demanded payment. Nissan did not indicate whether it paid the ransom. 

    “[U]pon learning of the attack, Nissan promptly notified law enforcement and began taking immediate actions to investigate, contain and successfully terminate the threat,” the car maker said in the letter, adding that “Nissan worked very closely with external cybersecurity professionals experienced in handling these types of complex security incidents.”

    Nissan told employees about the incident during a town hall meeting in December 2023, a month after the attack. The company also told staffers that it was launching an investigation and would notify employees privately if their personal information had been compromised. Nissan said it’s providing free identity theft protection services to impacted individuals for two years. 

    Nissan North America also notified state officials across the U.S. of the attack, noting that data belonging to more than 53,000 current and former workers was compromised. But the company said its investigation found that affected individuals did not have their financial information exposed. 

    Nissan North America “has no indication that any information has been misused or was the attack’s intended target,” the automaker said in its letter.


    Video: Infiltrating ransomware gangs on the dark web

    Ransomware attacks, in which cybercriminals disable a target’s computer systems or steal data and then demand payment to restore service, have become increasingly common. One cybersecurity expert said someone likely got a password or multi-factor authentication code from an existing Nissan employee, enabling the hacker to enter through the company’s VPN. 

    “It is unfortunate that the breach ended up involving personal information, however Nissan has done the right thing by continuing to investigate the incident and reporting the update,” Erich Kron, a cybersecurity awareness advocate at KnowBe4, told CBS MoneyWatch in an emailed statement. “In this case, targeting the VPN will often help bad actors avoid detection and bypass many of the organizational security controls that are in place.”

  • Change Healthcare Finally Admits It Paid Ransomware Hackers—and Still Faces a Patient Data Leak

    For Change Healthcare and the beleaguered medical practices, hospitals, and patients that depend on it, the confirmation of its extortion payment to the hackers adds a bitter coda to an already dystopian story. AlphV’s digital paralysis of Change Healthcare, a subsidiary of UnitedHealth Group, snarled the insurance approval of prescriptions and medical procedures for hundreds of medical practices and hospitals across the country, making it by some measures the most widespread medical ransomware disruption ever. A survey of American Medical Association members, conducted between March 26 and April 3, found that four out of five clinicians had lost revenue as a result of the crisis. Many said they were using their own personal finances to cover a practice’s expenses. Change Healthcare, meanwhile, says that it has lost $872 million to the incident and projects that number to rise well over a billion in the longer term.

    Change Healthcare’s confirmation of its ransom payment now appears to show that much of that catastrophic fallout for the US healthcare system unfolded after it had already paid the hackers an exorbitant sum—a payment in exchange for a decryption key for the systems the hackers had encrypted and a promise not to leak the company’s stolen data. As is often the case in ransomware attacks, AlphV’s disruption of its systems appears to have been so widespread that Change Healthcare’s recovery process has extended long after it obtained the decryption key designed to unlock its systems.

    As ransomware payments go, $22 million wouldn’t be the most that a victim has forked over. But it’s close, says Brett Callow, a ransomware-focused security researcher who spoke to WIRED about the suspected payment in March. Only a few rare payments, such as the $40 million paid to hackers by CNA Financial in 2021, top that number. “It’s not without precedent, but it’s certainly very unusual,” Callow said of the $22 million figure.

    That $22 million injection of funds into the ransomware ecosystem further fuels a vicious cycle that has reached epidemic proportions. Cryptocurrency tracing firm Chainalysis found that in 2023, ransomware victims paid the hackers targeting them fully $1.1 billion, a new record. Change Healthcare’s payment may represent only a small drop in that bucket. But it both rewards AlphV for its highly damaging attacks and may suggest to other ransomware groups that healthcare companies are particularly profitable targets, given those companies are especially sensitive to both the high cost of those cyberattacks financially and the risks they pose to patients’ health.

    Compounding Change Healthcare’s mess is an apparent double-cross within the ransomware underground: AlphV by all appearances faked its own law enforcement takedown after receiving Change Healthcare’s payment in an attempt to avoid sharing it with its so-called affiliates, the hackers who partner with the group to penetrate victims on its behalf. The second ransomware group threatening Change Healthcare, RansomHub, now claims to WIRED that it obtained the stolen data from those affiliates, who still want to be paid for their work.

    That’s created a situation where Change Healthcare’s payment provides little assurance that its compromised data won’t still be exploited by disgruntled hackers. “These affiliates work for multiple groups. They’re concerned with getting paid themselves, and there’s no trust among thieves,” Analyst1’s DiMaggio told WIRED in March. “If someone screws someone else, you don’t know what they’re going to do with the data.”

    All of that means Change Healthcare still has little assurance that it’s avoided an even worse scenario than it’s yet faced: paying what may be one of the biggest ransoms in history and still seeing its data spilled onto the dark web. “If it gets leaked after they paid $22 million, it’s pretty much like setting that money on fire,” DiMaggio warned in March. “They’d have burned that money for nothing.”

    Andy Greenberg

  • Change Healthcare’s New Ransomware Nightmare Goes From Bad to Worse

    Change Healthcare is facing a new cybersecurity nightmare after a ransomware group began selling what it claims is Americans’ sensitive medical and financial records stolen from the health care giant.

    “For most US individuals out there doubting us, we probably have your personal data,” the RansomHub gang said in an announcement seen by WIRED.

    The stolen data allegedly includes medical and dental records, payment claims, insurance details, and personal information like Social Security numbers and email addresses, according to screenshots. RansomHub claimed it had health care data on active-duty US military personnel.

    The sprawling theft and sale of sensitive health care data represents a dramatic new form of fallout from the February cyberattack on Change Healthcare that crippled the company’s claims-payment operations and sent the US health care system into crisis as hospitals struggled to stay open without regular funding.

    Change Healthcare, a subsidiary of UnitedHealth Group, previously acknowledged that a ransomware gang known as BlackCat or AlphV breached its systems, and told WIRED last week that it is investigating RansomHub’s claims about possessing the company’s stolen data. Change Healthcare did not immediately respond to a request for comment about the group’s alleged sale of its data.

    The wide variety of patient data that RansomHub claims to be selling is a testament to Change Healthcare’s role as a critical intermediary between insurers and health care providers, facilitating payments between both parties and collecting reams of sensitive information about patients and their medical procedures in the process.

    Among the sample records that RansomHub posted are a list of open claims handled by the company’s EquiClaim subsidiary that includes patient and provider names; a hospital record for a 74-year-old woman in Tampa, Florida; and part of a database record related to US military service members’ health care.

    RansomHub said it would allow individual insurance companies that worked with Change Healthcare and had their data compromised to pay ransoms to prevent the sale of their records. It specified that it was selling data belonging to MetLife, CVS Caremark, Davis Vision, Health Net, and Teachers Health Trust.

    Change Healthcare’s “processing of sensitive data for all of these companies is just something unbelievable,” RansomHub said in its announcement.

    Most firms whose data RansomHub claims to possess did not immediately respond to WIRED’s request for comment.

    Mike DeAngelis, the executive director of corporate communications for CVS Health says the company is “aware of unsubstantiated claims from threat actors that confidential data, including personal information of patients and members belonging to multiple organizations, was accessed as part of Change Healthcare’s cyber security incident.”

    “We are closely monitoring Change Healthcare’s response to this issue and will provide updates with more information as appropriate,” DeAngelis adds, noting that Change Healthcare has not yet confirmed that patient data “was impacted by this incident.”

    Brett Callow, a threat analyst at the security firm Emsisoft who closely tracks ransomware gangs, says the new sale of stolen data was probably “less about actually selling the data” and more about putting Change Healthcare—and the partner companies whose records it failed to protect—“under additional pressure to pay.”

    Change Healthcare appears to have paid a $22 million ransom to AlphV to stop it from leaking terabytes of stolen data.

    Two months into the crisis spawned by the ransomware attack, Change Healthcare has faced mounting losses. The company recently reported spending $872 million responding to the incident as of March 31.

    At the same time, Change is under increasing pressure from lawmakers and regulators to explain its cybersecurity lapse and the steps it’s taking to prevent another hack.

    A subcommittee of the House Energy and Commerce Committee held a hearing on the health sector’s cyber posture on Tuesday, with key lawmakers saying they were disappointed that UnitedHealth Group declined to make an executive available to testify. And the Department of Health and Human Services is investigating whether Change Healthcare’s failure to prevent hackers from accessing and stealing its data violated federal data-security rules.

    Updated 4/16/2024, 5:38 pm ET: Added additional details about the firms whose data RansomHub claims to possess.

    Eric Geller

  • Infiltrating ransomware gangs on the dark web

    Jon DiMaggio, a former intelligence community analyst and current cybersecurity strategist, has used fake personas to communicate with ransomware gangs on the dark web, finding out who’s behind them and how they work.

  • Russians team up with young, English-speaking hackers for cyberattacks | 60 Minutes

    Cybersecurity investigators worry ransomware attacks may worsen as young, native-English speaking hackers in the U.S., U.K. and Canada team up with Russian hackers.

  • Cybersecurity investigators worry ransomware attacks may worsen as young, Western hackers work with Russians

    In the past year, hospitals, pharmacies, tech companies, and Las Vegas’ biggest hotels and casinos have been paralyzed by “ransomware” attacks, in which hackers break into a corporate network, encrypt or lock up critical files, and hold them hostage until a ransom is paid. It’s a crime that has been growing more costly and disruptive every year. Now cybersecurity researchers fear it’s about to get worse, with the emergence of an audacious group of young criminal hackers from the U.S., U.K. and Canada the FBI calls Scattered Spider. More troubling, they have teamed up with Russia’s most notorious ransomware gang.

    This past September, one of the most pernicious ransomware attacks in history was unleashed on MGM Resorts – costing the hotel and casino giant more than $100 million. It disrupted operations at a dozen of the most renowned gaming palaces on the Las Vegas strip: MGM Grand, Aria, Mandalay Bay, New York-New York, the Bellagio.

    Anthony Curtis is a Las Vegas fixture. He’s so good at counting cards, he’s been banned from card games here. He now publishes the “Las Vegas Advisor,” a monthly newsletter on all things Vegas.

    Anthony Curtis: Incredibly, when it happened, I was in an MGM property, and it happened while we were having dinner and there just began to be a rumbling that something was going on. When I went down into the casino, I could see then that slot machines were sitting dark, people were scrambling around. The shutdown was starting to take effect. 

    Anthony Curtis (Image: 60 Minutes)

    Across the Vegas strip… thousands of slot machines suddenly stopped paying out.

    Anthony Curtis: So all of a sudden now people are goin’, “How do I get my money? What’s wrong?” And the people were sitting there waiting and couldn’t get paid.

    Bill Whitaker: Were they angry?

    Anthony Curtis: They were getting angry, yeah. And this was just the tip of the iceberg. 

    Elevators were malfunctioning… parking gates froze… digital door keys wouldn’t work. As computers went down, reservations locked up and lines backed up at the front desks.

    Anthony Curtis: Anything that required technology was not working.

    Bill Whitaker: Sounds like chaos.

    Anthony Curtis: Nobody knew what to do and including the employees. The employees just had to, you know, beg forgiveness and patience.

    Bill Hornbuckle (at October conference): Look, it’s corporate terrorism at its finest. 

    The company declined our interview request, but at a conference a month after the hack, MGM’s CEO admitted the disruptions were devastating.

    Bill Hornbuckle (at October conference): For the next four or five days with 36,000 hotel rooms and some regional properties we were completely in the dark. 

    The hackers demanded $30 million to unlock MGM’s data. The company refused. But they still paid a price – $100 million in lost revenue and millions more to rebuild their servers.

    So how did the intruders get in? Through a technique of deception and manipulation called social engineering. First hackers zeroed in on an employee, gathering information from the dark web and open sources like LinkedIn. Next, a smooth-talking hacker, impersonating the employee, called the MGM Tech Help Desk and convinced them to reset his password. 

    With that, the hacker was inside MGM’s computers and unleashed the destructive malware. Anthony Curtis says it was the cybercriminal’s version of an Ocean’s Eleven heist. 

    Anthony Curtis: They’re doing it the old-fashioned way. I mean, they’re doin’ it the new way but with the old-fashioned goal. They wanna get the money. 

    Bill Whitaker: What do you make of that?

    Anthony Curtis: I don’t wanna be too glowing like I– like I like these guys ’cause they’re– they’re just crooks, right? But these hackers were able to turn the tables. The casinos have their– they have their systems. They have their protections. They have their experts. They have their security. These guys are better.

    Later, MGM’s biggest competitor, Caesars, admitted it also suffered a social engineering attack around the same time, suspected by the same group. But Caesars paid a ransom, reportedly $15 million, and suffered no disruptions.

    Bryan Vorndran: From an FBI perspective, our position is we recommend a ransom not be paid. But we understand it’s a business decision during a time of crisis.

    Bryan Vorndran (Image: 60 Minutes)

    Bryan Vorndran is head of the FBI’s Cyber Division. He told us ransomware attacks have grown increasingly brazen.

    Bryan Vorndran: Any way you look at the numbers it’s a problem for the global economy, and for the U.S. economy, and for the security of the United States. There’s estimates that global losses exceed $1 billion U.S. per year. 

    Bill Whitaker: Have you made any arrests in the Las Vegas cases? 

    Bryan Vorndran: We’re not gonna talk about specific cases or specific companies.

    But he did point us toward the prime suspect. 

    Bryan Vorndran: When we talk about the actors behind some of the more recent ransomware attacks, the name that’s generally raised is Scattered Spider. And that’s a criminal group that we have a lot of attention on because of the havoc they’re wreaking across the United States.

    Scattered Spider is what the FBI calls a loose-knit web of predominantly native English-speaking hackers responsible for the casino hacks – and dozens more. Their specialty is social engineering.

    Allison Nixon: Part of their success is because they are fluent in Western culture. They know how our society works. They know what to say to get someone to do something. 

    Allison Nixon is chief research officer at Unit 221b, a cybersecurity firm that focuses on English-speaking cybercriminals. She says Scattered Spider is just one of many illicit hacking groups, all part of a sprawling collection of online criminals calling themselves “the Community,” or “the Com.”

    Allison Nixon: The Com is a subculture. It is specifically an English-speaking youth subculture that has arisen in the past few years. It’s very new, but it’s surprisingly disruptive.

    Members of the Com have hacked into companies like Microsoft, Nvidia, and Electronic Arts.

    Bill Whitaker: How many people are involved? 

    Allison Nixon: Years ago, it was maybe a few hundred people. But since 2018 the population has exploded because of the money coming into these groups. And there’s thousands of people involved at this point.

    Bill Whitaker: How are they connected? 

    Allison Nixon: They connect over the internet. Social spaces where people hang out. Gaming servers. It’s almost analogous to like maybe the back alley where the bad kids hang out but on the internet.

    Allison Nixon (Image: 60 Minutes)

    Bill Whitaker: How old are we talking about? 

    Allison Nixon: Males under the age of 25. 

    Bill Whitaker: Under 25 down to how young?

    Allison Nixon: Like 13, 14.

    Bill Whitaker: Involved in pulling off major crimes?

    Allison Nixon: Yeah. 

    Members communicate and post pictures on messaging apps like Telegram – their chatter, a toxic stew of racism, sexism… boasting about the money they’ve scammed, and how menacing they are. 

    Allison Nixon: There are these toxic online spaces where young people can socialize and mingle with criminals and gang members. And the end result of all of this is this online subculture has formed that glorifies crime, that measures one’s personal worth by how much harm they can cause the world. 

    Scattered Spider is one of the most sophisticated offshoots of “the Com.” Their criminal exploits caught the attention of cybersecurity companies… and other hackers… including the most notorious Russian ransomware gang, BlackCat. They saw the young native English-speaking Westerners as a force multiplier. Both claimed credit for the MGM attack.

    Allison Nixon: Historically speaking, Russian cyber criminals did not like working with Western cyber criminals. There was not only a language barrier, but also they kinda looked down on them and viewed them as unprofessional. 

    The Russian and Western hackers met in the shadowy corners of the dark web and now are powerful partners in crime. Scattered Spider uses its English and social engineering skills to break into Western companies’ networks. BlackCat provides its experience and its malware – used in some of the most shocking ransomware attacks. 

    … including the 2021 attack on Colonial Pipeline, which caused gas shortages up and down the East Coast… and this year’s attack on UnitedHealth Group, which disrupted pharmacies nationwide. The State Department is offering a $15 million reward for information on Russia’s BlackCat.

    Jon DiMaggio, a former analyst at the National Security Agency, now investigates ransomware as chief security strategist for the cybersecurity company Analyst1. 

    Jon DiMaggio: So there’s a term. It’s called “ransomware as a service,” that’s been given to the structure and the format of these gangs. 

    Jon DiMaggio with Bill Whitaker (Image: 60 Minutes)

    DiMaggio says “ransomware as a service” has taken the crime to a new level. The long-established Russian gangs, like BlackCat, offer their services – malware, experience negotiating ransoms and laundering money – to what they call “affiliates,” like Scattered Spider. 

    Jon DiMaggio: So in return, when a victim pays an extortion, the profit that comes from it is now shared amongst those criminals. 

    The most successful Russian gangs are run like legitimate companies with easy-to-navigate online platforms… 24-hour service desks … even human resources to hire software developers. 

    Jon DiMaggio: There are people that specialize in developing malware and ransomware, and they’re in very high demand. 

    Bill Whitaker: You said you’ve gotten to know some of these people.

    Jon DiMaggio: Yes.

    Bill Whitaker: Are they mostly young men?

    Jon DiMaggio: The leadership are– are, you know, people in their 40s, late 30s. They’re people who’ve got experience. They’re people that have a financial background.

    DiMaggio says the Russian government provides a safe haven for ransomware gangs.

    Jon DiMaggio: As long as they don’t target, you know, an organization that falls within Russia or the former Soviet state, they don’t get prosecuted. It’s not considered a crime.

    Bill Whitaker: It’s not considered a crime to attack American businesses?

    Jon DiMaggio: It’s crazy, right? That’s– that’s how it works though.

    Bill Whitaker: So it’s like they operate with impunity.

    Jon DiMaggio: 100%. That’s the whole reason why this is such a popular crime.

    Russian ransomware has become such a threat that the elite cyber warriors at the National Security Agency have joined the fight.

    Before retiring last month, Rob Joyce was NSA’s director of cybersecurity. He told us the Colonial Pipeline attack was a wake-up call.  

    Rob Joyce (Image: 60 Minutes)

    Rob Joyce: It caused us to step back and decide that we had to put more resources into this foreign threat. So one of the things NSA has, we have hackers. And it really, at times, takes a hacker to defeat a hacker. That’s the value NSA can bring is, we can identify people, specific people involved in some of these activities.

    The NSA helped identify the Russian hacker responsible for the Colonial Pipeline attack. And in January 2022 – after months of negotiations – Russia arrested him and other accomplices. But five weeks later – it all came undone.

    Rob Joyce: Following the Ukraine invasion, those people were let outta jail.

    Bill Whitaker: So they’re back in business?

    Rob Joyce: Yes, sir.

    And now, they’ve teamed up with the young native English speakers of Scattered Spider. The FBI’s Bryan Vorndran calls it an evolution of cybercrime. 

    Bryan Vorndran: In the case of Scattered Spider, is it powerful that they are with BlackCat? Of course. I think that it’s important to know that we are against a very capable set of adversaries, they’re very good at their work. We’re also very good at our work. 

    In January, the Bureau arrested a 19-year-old from Florida, Noah Urban, charged with stealing cryptocurrency. He’s pleaded not guilty. Cyber investigators have tied him to Scattered Spider, but so far not to the casino heists. The Scattered Spider hackers who did pull off the attack are still online – hiding in plain sight – in unholy alliance with Russians. Allison Nixon calls Las Vegas a harbinger.  

    Allison Nixon: The level of cybercrime has risen to the point where it feels overwhelming. And every year it gets worse. And it feels like as defenders we’re– it’s almost like we’re winning every battle and losing the war.

    Produced by Graham Messick. Associate producer, Jack Weingart. Field associate producer, Eliza Costas. Broadcast associate, Mariah B. Campbell. Edited by Matthew Lev.

  • Change Healthcare Faces Another Ransomware Threat—and It Looks Credible

    For months, Change Healthcare has faced an immensely messy ransomware debacle that has left hundreds of pharmacies and medical practices across the United States unable to process claims. Now, thanks to an apparent dispute within the ransomware criminal ecosystem, it may have just become far messier still.

    In March, the ransomware group AlphV, which had claimed credit for encrypting Change Healthcare’s network and threatened to leak reams of the company’s sensitive health care data, received a $22 million payment—evidence, publicly captured on Bitcoin’s blockchain, that Change Healthcare had very likely caved to its tormentors’ ransom demand, though the company has yet to confirm that it paid. But in a new definition of a worst-case ransomware, a different ransomware group claims to be holding Change Healthcare’s stolen data and is demanding a payment of their own.

    Since Monday, RansomHub, a relatively new ransomware group, has posted to its dark-web site that it has 4 terabytes of Change Healthcare’s stolen data, which it threatened to sell to the “highest bidder” if Change Healthcare didn’t pay an unspecified ransom. RansomHub tells WIRED it is not affiliated with AlphV and “can’t say” how much it’s demanding as a ransom payment.

    RansomHub initially declined to publish or provide WIRED any sample data from that stolen trove to prove its claim. But on Friday, a representative for the group sent WIRED several screenshots of what appeared to be patient records and a data-sharing contract for United Healthcare, which owns Change Healthcare, and Emdeon, which acquired Change Healthcare in 2014 and later took its name.

    While WIRED could not fully confirm RansomHub’s claims, the samples suggest that this second extortion attempt against Change Healthcare may be more than an empty threat. “For anyone doubting that we have the data, and to anyone speculating the criticality and the sensitivity of the data, the images should be enough to show the magnitude and importance of the situation and clear the unrealistic and childish theories,” the RansomHub contact tells WIRED in an email.

    “We are working with law enforcement and outside experts to investigate claims posted online to understand the extent of potentially impacted data,” Change Healthcare said in an email to WIRED. “Our investigation remains active and ongoing. There is no evidence of any new cyber incident at Change Healthcare.”

    Brett Callow, a ransomware analyst with security firm Emsisoft, says he believes AlphV did not originally publish any data from the incident, and the origin of RansomHub’s data is unclear. “I obviously don’t know whether the data is real—it could have been pulled from elsewhere—but nor do I see anything that indicates it may not be authentic,” he says of the data shared by RansomHub.

    Jon DiMaggio, chief security strategist at threat intelligence firm Analyst1, says he believes RansomHub is “telling the truth and does have Change HealthCare’s data,” after reviewing the information sent to WIRED. While RansomHub is a new ransomware threat actor, DiMaggio says, they are quickly “gaining momentum.”

    If RansomHub’s claims are real, it will mean that Change Healthcare’s already catastrophic ransomware ordeal has become a kind of cautionary tale about the dangers of trusting ransomware groups to follow through on their promises, even after a ransom is paid. In March, someone who goes by the name “notchy” posted to a Russian cybercriminal forum that AlphV had pocketed that $22 million payment and disappeared without sharing a commission with the “affiliate” hackers who typically partner with ransomware groups and often penetrate victims’ networks on their behalf.

    Andy Greenberg, Matt Burgess

  • Ransomware attack on TAD breached information for about 300 people, officials say

    Tarrant Appraisal District offers update on who’s impacted by ransomware attack

    amccoy@star-telegram.com

    An investigation by the Tarrant Appraisal District determined that sensitive information for 300 or fewer people has been affected by a ransomware attack, the agency said in a statement Wednesday.

    “It has been determined that there was unauthorized access to our network, which has resulted in the potential exposure of a small amount of personal information,” the statement said.

    The statement also said TAD will notify those impacted “as soon as possible.”

    The ransomware attack, attributed to the hacking group Medusa, took place March 21.

    On March 25, the district’s legal counsel announced at an emergency meeting that the hackers were asking for $700,000.

    Appraisal district board chair Vince Puente told the Fort Worth Report that the district is in communication with Medusa.

    Medusa, the group suspected of the attack, has previously used extortion and the threat of selling sensitive information on the dark web as a tactic to negotiate, according to the U.S. Cybersecurity & Infrastructure Security Agency.

    The appraisal district’s chief appraiser, Joe Don Bobbitt, told the Star-Telegram last week that a majority of the data the district keeps on file is “sales data” and property details such as square footage, tax deeds or the year a property was sold, almost all of it public information.

    A spokesperson for the district said Social Security numbers are not among the data collected by the district, and driver’s licenses are kept on file only on rare occasions.

    In the statement put out Wednesday, TAD offered information on how to freeze a credit card or report fraud.

    Many functions of the appraisal district’s website are still offline.

    The district sets property appraisals and administers exemptions for tax purposes.


    Noah Alcala Bach

  • Colorado public defender ransomware attack may have exposed Social Security numbers, personal data

    The Office of the Colorado State Public Defender has acknowledged personal data may have been stolen during a ransomware attack that crippled the statewide agency in early February — but won’t say much else about the ongoing effort to restore its systems after the hack.

    Files “were copied without permission” during the cyberattack, which was discovered on Feb. 9, and those files may have included names, Social Security numbers, driver’s license numbers, medical information and health insurance information, the agency said in a statement Friday.

    Officials from the public defender’s office are still investigating whose personal data may have been stolen, and whether the personal data of attorneys or their clients was compromised, they said. A statement on the agency’s website urges “individuals” to remain vigilant against identity theft and fraud.

    It’s been more than a month since public defenders across the state were locked out of their computers and files in the ransomware attack and hundreds of court hearings were delayed over the next week because public defenders couldn’t do their jobs.

    Officials this week refused to answer questions from The Denver Post about which particular parts of the agency’s systems remain inoperable. In a ransomware attack, hackers use malware to hold an organization’s data hostage, then demand a cryptocurrency payment before the organization can regain access to that data.

    The public defender’s office also would not disclose the amount of ransom demanded or whether a ransom was paid. A statement on the agency’s website says the office has “made progress in returning to full operations.”

    Heavily redacted emails and text messages released to The Post by the Governor’s Office of Information Technology this week in response to an open records request mention the cyberattack recovery law firm Mullen Coughlin. Chief Deputy Public Defender Zak Brown would not confirm whether the public defender’s office is working with the firm.

    “We have provided all the information we are able to at this time,” he said in an email.

    A message left with the Pennsylvania-based law firm was not returned Wednesday.

    Shelly Bradbury