The US Department of State on Wednesday announced a reward of up to $10 million for information on Alphv/BlackCat ransomware operators and affiliates.
Active since 2021, the ransomware group has made over 1,000 victims worldwide, including MGM Resorts, NCR, Reddit, Swissport, and Western Digital.
The group is also responsible for the disruptive attack on Change Healthcare in February, which impacted over 100 applications at the healthcare transactions processor, preventing over 7,000 pharmacies and hospitals from processing prescriptions.
In December 2023, US law enforcement took down BlackCat’s infrastructure after gaining access to panels the group was using for communication, and announced in February that it was offering a $10 million reward for information on the cybergang’s key members.
In response to the takedown, the group announced it was lifting all restrictions imposed on affiliates, allowing them to target any type of organization. Change Healthcare is the first major organization in the healthcare sector to have been compromised by BlackCat.
On Wednesday, the US reiterated its reward offer, noting that the group conducted “malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA)”, and that it was also looking for information on affiliates.
“The Alphv BlackCat ransomware-as-a-service group compromised computer networks of critical infrastructure sectors in the United States and worldwide. Alphv BlackCat operated as a ransomware-as-a-service business model in which the group’s members developed and maintained the ransomware variant and then recruited affiliates to deploy the ransomware. Alphv BlackCat and its affiliates then shared any paid ransoms,” the Treasury Department says.
“We encourage anyone with information on Alphv BlackCat actors, their affiliates, activities, or links to a foreign government to contact Rewards for Justice via the Tor-based tips-reporting channel [requires the Tor browser],” the announcement reads.
While the announcement does not mention Change Healthcare, the mentioning of BlackCat affiliates hints that the offer was renewed as a result of this incident.
The attack was perpetrated by an affiliate who claimed to have exfiltrated terabytes of data from the organization. While Change Healthcare reportedly paid a $22 million ransom to recover the data, the BlackCat operators pulled an exit scam, refusing to pay the typical share of the proceeds, prompting the affiliate to make new threats regarding the leak of the allegedly stolen data.
In the meantime, UnitedHealth, Change Healthcare’s parent company, announced that it has restored most of its systems and services, including the claims network, and that several cybersecurity companies helped it with securing its network, hunting for malicious activity, hardening defenses, and testing the re-deployed systems for security issues.
Related: US Offers $10M Reward for Information on Hive Ransomware Leaders
Related: Healthcare’s Ransomware Epidemic: Why Cyberattacks Hit the Medical Sector With Alarming Frequency
Related: Critical Infrastructure Organizations Warned of Phobos Ransomware Attacks
