Connect with us

Hi, what are you looking for?



BlackCat Ransomware Gang Suspected of Pulling Exit Scam

The BlackCat ransomware gang announces shutdown as an affiliate accuses theft of $22 million ransom payment.

The Alphv/BlackCat gang on Monday announced that it’s shutting down the ransomware operation and that it has already found a buyer for the malware’s source code.

The announcement comes roughly three months after the ransomware-as-a-service (RaaS) survived a law enforcement takedown effort that forced the gang to move to new infrastructure.

According to cybersecurity experts, BlackCat’s shutdown is likely an exit scam, prompted by the gang leaders’ unwillingness to share a newly received $22 million ransom payment with their affiliates.

The payment is believed to have come from Change Healthcare, which confirmed last week that the cyberattack that disrupted its network on February 21 was perpetrated by BlackCat.

When it comes to RaaS operations, affiliates are typically responsible for the intrusions into victim networks, and receive a percentage of the ransom for their effort, as a fee.

Following the law enforcement takedown, BlackCat announced that it was boosting the affiliate fees to 90% of the received payments, as an incentive to get their operation back on track fast.

However, after the $22 million transaction appeared in a cryptocurrency address associated with BlackCat, an affiliate took it to a Russian-language cybercrime forum to complain that the RaaS operators had broken their promise and refused to pay the fee.

The affiliate claims that the payment came from Change Healthcare, that terabytes of data stolen from the healthcare transaction processor firm are in the affiliate’s possession, and BlackCat scammed them, closing their account after the ransom was paid out.

Advertisement. Scroll to continue reading.

Shortly after, a BlackCat representative responded saying that the RaaS operation had been shut down, blaming law enforcement for it. The leak site that the group set up after the December 2023 disruption currently displays an alleged takedown notice.

However, Emsisoft researcher Fabian Wosar says that the site was not seized and that the notice is a coverup, based on inconsistencies in the source code of the seizure notice and in law enforcement declining involvement.

The issue that arises is that, if Change Healthcare indeed paid the $22 million ransom and the BlackCat operators pulled an exit scam, the disgruntled affiliate may leak the allegedly stolen data, sell it to other cybercriminals, or demand that another ransom be paid.

This, cybersecurity experts say, once again underlines why organizations should not submit to these extortion attempts but invest in the tools needed to keep their data and the data of their customers safe.

“This demonstrates the dangers of dealing with criminals, even for other criminals. The closure is also a lesson in the fact that sometimes, data will not be recoverable after a ransomware attack, so it’s important that organizations have good backups,” KnowBe4 security awareness advocate Erich Kron says.

Kron also points out that victims that negotiated with affiliates may never recover their data if the developers are shutting down the infrastructure, unless the sale of source code will “turn up vulnerabilities that will later allow for the decryption of data, but that is a long shot”.

According to Acumen COO and co-founder Kevin Robertson, who expresses his doubt that BlackCat is retiring from the ransomware game, the gang may be trying to squeeze more money from Change Healthcare.

“Now, with the affiliate claiming they’ve got the data but not the cash, I wouldn’t be surprised if they’re gearing up to ask for more. With this kind of money at stake, it doesn’t sound too far-fetched. When it comes to moving big sums of money around, there’s always a bit of risk involved. Throw ransomware groups into the mix, and you’re upping the ante significantly,” Robertson said in an emailed comment.

Related: US Offers $10 Million for Information on BlackCat Ransomware Leaders

Related: LoanDepot Ransomware Attack Exposed 16.9 Million Individuals

Related: Cyber Insights 2024: Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


Alphv/BlackCat ransomware group files SEC complaint against MeridianLink over its failure to disclose an alleged data breach caused by the hackers.


Johnson Controls has confirmed being hit by a disruptive cyberattack, with a ransomware group claiming to have stolen 27Tb of information from the company.