The ALPHV/Blackcat ransomware gang’s ransomware-as-a-service (RaaS) operation seems to have closed down, implying there might be a forthcoming rebrand. The group says the servers are de-activated, its ransomware negotiation web pages are down, and the group’s representative published the message, “Everything is off, we decide” and then, a “GG” status message was posted. ALPHV/Blackcat said that law enforcement closed its operation and that it would be offering its source code.
Security professionals don’t agree and state there is apparent proof that this is an escape strategy, where the group will not give affiliates their slice of the ransom income and keep all the cash. The ALPHV/Blackcat ransomware-as-a-service operation employs affiliates to perform attacks and pays them a portion of the ransoms they crank out. Affiliates normally collect approximately 70% of any ransoms they produce and the ransomware group keeps the remaining. Soon after law enforcement interrupted the Blackcat operation in December 2023, Blackcat has been seeking to get new affiliates and has given several affiliate-plus statuses, meaning they get a much larger portion of the ransom payment. An exit trick is the practical means to finish up the operation and there will possibly be little effects, besides making it more challenging to hire affiliates when the gang rebrands.
It’s not uncommon for a ransomware group to close operations and rebrand following a big attack. ALPHV/Blackcat is considered a rebrand of the BlackMatter ransomware group. The BlackMatter ransomware group was DarkSide rebranded. DarkSide was the gang responsible for the Colonial Pipeline attack in 2021 that damaged energy supplies on the Eastern Seaboard of the U.S. Right after the attack, the group could not access its servers, which they believed was done by their hosting firm. They likewise stated that funds were moved from their accounts and mentioned they were taken by the authorities. BlackMatter ransomware was just active for about 4 months prior to its de-activation. The gang reappeared as ALPHV/Blackcat in February 2022.
On March 3, 2024, an affiliate using the nickname Notchy shared a message on Ramp Forum saying they were behind the ransomware attack on Change Healthcare. Threat researcher at Recorded Future Dmitry Smilyanets discovered the write-up. Notchy said they had been an affiliate of the ALPHV/Blackcat operation for a long period, had “affiliate plus” status, and were scammed out of their cut of the $22 million ransom money. They stated that Optum paid the 350 Bitcoin ransom payment to get the group to delete the stolen information and to acquire the decryption key avoiding HIPAA violation. Notchy provided the payment address which reveals a $22 million payment was sent to the wallet address and the money has since been cashed out. The wallet is associated with ALPHV/Blackcat because it got payments for past ransomware attacks that were linked to the group.
Notchy said ALPHV/Blackcat revoked their account right after the attack and is stalling payment before moving the cash to Blackcat accounts. Notchy stated that Optum had given ransom payment to have the files erased however they have a clone of 6TB of files stolen during the attack. Notchy professed the data consists of sensitive data from Tricare, Cvs-caremark Medicare, Davis Vision Loomis, Health Net, Teachers Health Trust Metlife, tens of insurance organizations, and others. The post closes with an alert to other affiliates that they have to discontinue dealing with ALPHV/Blackcat. It is uncertain what Notchy is thinking about the stolen data and if he is going to make an effort to extort Change Healthcare or will attempt to sell or earn money from the information.
Fabian Wosar, CTO of Emsisoft, thinks this is an escape plan. Immediately after looking at the source code of the authority’s shutdown note, he mentioned it is apparent that Blackcat has remade it from the December takedown announcement. He additionally went to colleagues at the NCA and Europol who said they weren’t engaged in any recent shutdown. At the moment, neither Change Healthcare nor its parent company UnitedHealth have affirmed that they gave the ransom payment and gave a statement that they are presently concentrating on the investigation.
