BlackCat Ransomware Gang Suspected of Pulling Exit Scam

The BlackCat ransomware gang announces its shutdown as an affiliate alleges theft of a $22 million ransom payment.

The Alphv/BlackCat gang on Monday announced that it’s shutting down the ransomware operation and that it has already found a buyer for the malware’s source code.

The announcement comes roughly three months after the ransomware-as-a-service (RaaS) survived a law enforcement takedown effort that forced the gang to move to new infrastructure.

According to cybersecurity experts, BlackCat’s shutdown is likely an exit scam, prompted by the gang leaders’ unwillingness to share a newly received $22 million ransom payment with their affiliates.

The payment is believed to have come from Change Healthcare, which confirmed last week that the cyberattack that disrupted its network on February 21 was perpetrated by BlackCat.

In RaaS operations, affiliates are typically responsible for the intrusions into victim networks and receive a percentage of each ransom as their fee.

Following the law enforcement takedown, BlackCat announced that it was boosting the affiliate fees to 90% of the received payments, as an incentive to get their operation back on track fast.

However, after the $22 million transaction appeared in a cryptocurrency address associated with BlackCat, an affiliate took it to a Russian-language cybercrime forum to complain that the RaaS operators had broken their promise and refused to pay the fee.

The affiliate claims that the payment came from Change Healthcare, that terabytes of data stolen from the healthcare transaction processor are in the affiliate’s possession, and that BlackCat scammed them by closing their account after the ransom was paid out.

Shortly after, a BlackCat representative responded saying that the RaaS operation had been shut down, blaming law enforcement for it. The leak site that the group set up after the December 2023 disruption currently displays an alleged takedown notice.

However, Emsisoft researcher Fabian Wosar says that the site was not seized and that the notice is a cover-up, citing inconsistencies in the source code of the seizure notice and the fact that law enforcement has denied any involvement.

The issue that arises is that, if Change Healthcare indeed paid the $22 million ransom and the BlackCat operators pulled an exit scam, the disgruntled affiliate may leak the allegedly stolen data, sell it to other cybercriminals, or demand that another ransom be paid.

This, cybersecurity experts say, once again underlines why organizations should not submit to these extortion attempts but invest in the tools needed to keep their data and the data of their customers safe.

“This demonstrates the dangers of dealing with criminals, even for other criminals. The closure is also a lesson in the fact that sometimes, data will not be recoverable after a ransomware attack, so it’s important that organizations have good backups,” KnowBe4 security awareness advocate Erich Kron says.

Kron also points out that victims that negotiated with affiliates may never recover their data if the developers are shutting down the infrastructure, unless the sale of source code will “turn up vulnerabilities that will later allow for the decryption of data, but that is a long shot”.

According to Acumen COO and co-founder Kevin Robertson, who expresses his doubt that BlackCat is retiring from the ransomware game, the gang may be trying to squeeze more money from Change Healthcare.

“Now, with the affiliate claiming they’ve got the data but not the cash, I wouldn’t be surprised if they’re gearing up to ask for more. With this kind of money at stake, it doesn’t sound too far-fetched. When it comes to moving big sums of money around, there’s always a bit of risk involved. Throw ransomware groups into the mix, and you’re upping the ante significantly,” Robertson said in an emailed comment.

Related: US Offers $10 Million for Information on BlackCat Ransomware Leaders

Related: LoanDepot Ransomware Attack Exposed 16.9 Million Individuals

Related: Cyber Insights 2024: Ransomware

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.