What Comes After the BlackCat Ransomware Group Implodes Following an Alleged $22M Payment by Change Healthcare, Sparking Exit Scam Speculation?


The BlackCat ransomware group, also known as ALPHV, appears to be disintegrating following an alleged $22 million payment made by Change Healthcare, a prominent U.S. healthcare company. Change Healthcare made the payment in an attempt to regain control of its systems after suffering a cyberattack that disrupted prescription drug services nationwide for several weeks. However, the individual who claims to have provided BlackCat with access to Change Healthcare's network alleges that the group cheated them out of their share of the ransom and still possesses the sensitive data that Change Healthcare paid them to destroy. This disclosure from the affiliate has seemingly prompted BlackCat to completely halt its operations.

In February, Change Healthcare experienced a cyber intrusion that led to the shutdown of crucial healthcare services as the company's systems were taken offline. It was later revealed that BlackCat was responsible for the attack, which caused significant disruptions in the delivery of prescription drugs to hospitals and pharmacies across the country for nearly two weeks.

On March 1, a cryptocurrency address linked to BlackCat received a payment of approximately $22 million. Shortly after, a BlackCat affiliate posted a complaint on the Russian-language ransomware forum Ramp, stating that Change Healthcare had paid a $22 million ransom for a decryption key and to prevent the publication of four terabytes of stolen data. However, the affiliate claimed that BlackCat/ALPHV received the payment but failed to pay them their share. BlackCat operates as a "ransomware-as-a-service" collective, relying on freelancers, or affiliates, to spread its ransomware to new networks. These affiliates typically earn commissions ranging from 60 to 90 percent of the ransom amount paid.

Change Healthcare has neither confirmed nor denied making the payment and has emphasized its focus on the investigation and restoration of services when responding to media inquiries.

If Change Healthcare did indeed make the payment to prevent the release of their data, it appears that their strategy has backfired. The affiliate "Notchy" mentioned that the stolen data included sensitive information from Medicare and several major insurance and pharmacy networks.

Interestingly, the BlackCat ransomware group's demise seems to have been accelerated by the complaint filed by Notchy. The group had already been infiltrated by the FBI and international law enforcement agencies in late December 2023, resulting in the seizure of their website and the release of a decryption tool to aid victims in recovering their systems. In response, BlackCat attempted to regroup by increasing affiliate commissions to as high as 90 percent. They also announced the removal of any restrictions or discouragement against targeting hospitals and healthcare providers.

However, instead of addressing Notchy's concerns and offering compensation, a representative for BlackCat announced the shutdown of the group and claimed to have already found a buyer for their ransomware source code.

The BlackCat darknet website now displays a seizure notice from the FBI, although some researchers have noted that this image appears to have been copied from the notice left during the FBI's raid in December. The FBI has not provided any comments regarding this matter.

Fabian Wosar, a ransomware researcher at the security firm Emsisoft, believes that BlackCat's leaders are attempting an "exit scam" by withholding ransomware payment commissions from their affiliates and shutting down the service.

Dmitry Smilyanets, a researcher at the security firm Recorded Future, warns that the affiliate still possesses all the stolen data and could potentially demand additional payments or leak the information independently.

The demise of BlackCat closely follows the implosion of another major ransomware group, LockBit, which had extorted over $120 million from more than 2,000 victims worldwide. LockBit's website was seized by the FBI and the U.K.'s National Crime Agency in February 2024, leading to the loss of the group's credibility.

These recent events highlight the risks associated with paying cybercriminals to delete stolen data. It is becoming increasingly clear that trusting criminals and expecting them to uphold their end of the bargain is an unreliable strategy.




  • #BlackCatRansomware
  • #ALPHV
  • #ChangeHealthcare
  • #RansomwareAttack
  • #Cybersecurity
  • #DataBreach
  • #RansomwareAsService
  • #ExitScam
  • #LockBit
  • #Cybercrime
  • #FBI
  • #LawEnforcement
  • #Darknet
  • #Hacking
  • #DataProtection

Nick Dunse

The self proclaimed, most influential person in payments. Except for Jack Dorsey or those two bros from that other company & definitely not Satoshi Nakamoto, but after all those guys it's me.

11 months

Spot on! Cybersecurity is everyone's responsibility.
