Single Citrix Compromised Credential Results in $22,000,000 Ransom to Change Healthcare

In February 2024 Change Healthcare was hit by a BlackCat ransomware attack that began when an employee’s Citrix credentials were stolen via an infostealer after downloading a file from Mega.nz; the portal lacked MFA, attackers moved laterally, exfiltrated data, and deployed ransomware, causing major platform disruption and an estimated $872M impact plus a $22M ransom payment.