ALPHV/BlackCat Ransomware Gang Shuts Down Servers Amid Allegations of $22 Million Scam

The ALPHV/BlackCat ransomware gang has made headlines by shutting down its servers following accusations of scamming an affiliate out of $22 million. This affiliate was reportedly responsible for the attack on Optum, the operator of the Change Healthcare platform in the US.

While their data leak blog has been offline since Friday, negotiation sites remained active over the weekend, according to BleepingComputer. However, it has now been confirmed that the negotiation sites are also shut down, indicating a deliberate move to take down the ransomware gang’s infrastructure.

A message in Russian on the ransomware threat actor’s messaging platform stated that they decided to turn everything off. It remains unclear whether this action signifies an exit scam or a rebrand of the operation under a different name.

Optum allegedly paid a ransom to ALPHV/BlackCat on March 1st, as reported by an alleged ransomware affiliate. This payment was supposedly made to delete data stolen from the Change Healthcare platform and receive a decryptor. However, the affiliate claims that ALPHV suspended their account and took all the money from the wallet after receiving the ransom.

The affiliate, using the username “notchy,” claims to still possess 4TB of Optum’s critical data, affecting Change Healthcare and Optum clients. They also claim to hold data from multiple insurance companies and service providers, including healthcare and cash management providers.

To support their claims, notchy shared a cryptocurrency payment address with transactions totaling over $23 million. UnitedHealth Group, the parent company of Optum, declined to comment on the ransom payment allegations, stating that they are focused on the investigation.

The recent activity surrounding BlackCat could indicate the beginning of an exit scam, in which a ransomware operation deceives its affiliates and shuts down after stealing their cryptocurrency. This behavior is reminiscent of DarkSide, the gang’s previous incarnation, which shut down following claims that law enforcement had transferred cryptocurrency out of its wallets.

ALPHV/BlackCat has a history of rebranding, starting as DarkSide in 2020 and going through multiple name changes thereafter. The gang made headlines last year after attacking the Colonial Pipeline in the US, leading to widespread panic and gas shortages. Despite law enforcement actions disrupting their operations, the gang has consistently reemerged under different names.

As the saga continues, the future of ALPHV/BlackCat remains uncertain, with the possibility of a rebrand on the horizon.

Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.
