Ransomware Group Did Not Pay Affiliate’s Cut of the $22 Million Ransom

Mar 9, 2024 | Compliance News

The ALPHV/Blackcat ransomware group’s ransomware-as-a-service (RaaS) operation appears to have ceased, suggesting a rebrand may be imminent. The group says its servers have been shut down, and its ransomware negotiation websites are offline. A spokesperson for the group published the message: “Everything is off, we decide.” A status message of “GG” was later added, and ALPHV/Blackcat claimed that law enforcement had shut down its operation and that it would be selling its source code.

Security researchers do not believe this and point to clear evidence of an exit scam, in which the group keeps all of the ransom money rather than paying affiliates their share. The ALPHV/Blackcat RaaS operation relies on affiliates to carry out attacks and pays them a percentage of the ransoms they generate. Affiliates typically receive about 70% of any ransom they collect, with the ransomware gang keeping the remainder. Since law enforcement disrupted the Blackcat operation in December 2023, Blackcat has been trying to recruit new affiliates and has granted some of them “affiliate plus” status, which entitles them to a larger cut of ransom payments. An exit scam is a convenient way to wind down the operation, and the fallout is likely to be limited, other than making it harder to recruit affiliates if the group rebrands.

It is not unusual for a ransomware gang to stop operations and rebrand following a major attack. ALPHV/Blackcat is believed to be a rebrand of the BlackMatter ransomware operation, which was itself a rebrand of DarkSide. DarkSide was behind the 2021 Colonial Pipeline attack that disrupted fuel supplies on the Eastern Seaboard of the United States. Shortly after that attack, the gang lost access to its servers, which it attributed to its hosting provider. The gang also stated that money had been taken from its accounts, suggesting the funds had been seized by the authorities. BlackMatter operated for only around 4 months before shutting down, and the group rebranded as ALPHV/Blackcat in February 2022.

On March 3, 2024, an affiliate known as Notchy posted a message on the Ramp forum stating that they had conducted the cyberattack on the HIPAA-covered entity Change Healthcare. The message was found by Dmitry Smilyanets, a threat researcher at Recorded Future. Notchy said they had been a long-standing affiliate of the ALPHV/Blackcat operation with “affiliate plus” status, and that they had been cheated out of their share of the $22 million ransom. They stated that Optum paid a 350 Bitcoin ransom to have the stolen data deleted and to obtain the decryption key. Notchy shared the payment address, which shows that a $22 million payment was made to the wallet and that the funds have since been withdrawn. The wallet has been linked to ALPHV/Blackcat because it received payments for previous ransomware attacks attributed to the group.

Notchy reported that ALPHV/Blackcat suspended their account right after the attack and stalled the payout before moving the money to Blackcat-controlled accounts. Notchy said that although Optum paid to have the records deleted, they still hold a backup of the 6TB of files stolen in the attack. Notchy claimed the data contains sensitive information from Tricare, Medicare, CVS-CareMark, Loomis, MetLife, Davis Vision, Health Net, Teachers Health Trust, tens of insurance firms, and others. The post ends with a warning to other affiliates to avoid working with ALPHV/Blackcat. It is not clear what Notchy plans to do with the stolen data, or whether they will attempt to extort Change Healthcare directly or try to sell or otherwise profit from the information.

Emsisoft CTO Fabian Wosar believes the ransomware group planned this exit strategy. He noted that Blackcat has plainly reused the December takedown notice. He also reached out to contacts at Europol and the NCA, who said they were not involved in any recent takedown. At present, Change Healthcare and UnitedHealth have not confirmed that a ransom was paid, but have released a statement saying they are currently focused on the investigation.
