Cyber Security News

BlackCat Ransomware Group Disappears After $22 Million Payout

In a startling turn of events, the BlackCat ransomware group, also known as ALPHV, has seemingly vanished from the dark web, leaving behind a trail of chaos and the appearance of an exit scam after receiving a $22 million ransom payment from Change Healthcare, a unit of UnitedHealth Group's Optum subsidiary. The incident has cast a spotlight on the inherent risks of the ransomware-as-a-service (RaaS) business model, the volatile allegiances within the cybercriminal underworld and the hazards of negotiating with ransomware groups.

The BlackCat group, known for its sophisticated RaaS operations, reportedly shut down its darknet website and replaced it with a fake law enforcement seizure banner, a move consistent with an exit scam. This came after the group received the ransom payment and then refused to pay the share owed to the affiliate who carried out the attack. The withheld payout prompted public accusations from the disgruntled affiliate, shedding light on the dynamics within cybercriminal networks.

Fabian Wosar, a respected security researcher, debunked the law enforcement seizure claim posted on BlackCat's website in a post on Twitter, describing the banner as a cover for the group's exit scam.

The U.K.'s National Crime Agency confirmed to Reuters that it had no hand in the disruption to BlackCat's infrastructure, casting further doubt on any law enforcement involvement and pointing toward a self-imposed shutdown by the BlackCat group.

Further complicating the story, an affiliate took to a Russian-language cybercrime forum to voice grievances against BlackCat for withholding their cut of the ransom payment, claiming to still hold terabytes of data stolen from Change Healthcare. The episode underlines the precarious nature of trust within the cybercriminal ecosystem and the risks involved in ransomware operations. Security experts, echoing these concerns, emphasize the dangers of engaging with cybercriminal entities: paying does not guarantee that stolen data is deleted or that the attack is over, and these groups have shown themselves to be unreliable and predatory even toward their own members.

Before this alleged exit scam, BlackCat had managed to regain control of its infrastructure following a law enforcement takedown in December 2023, continuing operations without major setbacks. In February, the U.S. Department of State announced rewards of up to $15 million for information about BlackCat and its affiliates.

Security Experts Predict BlackCat Will Emerge Under a New Brand

BlackCat has a history of rebranding: the group is widely believed to have operated previously as DarkSide and BlackMatter, suggesting a pattern of regrouping under new identities following law enforcement actions or internal conflicts. Rebranding and exit scams are both indicative of the adaptability and resilience of cybercriminal groups in the face of law enforcement efforts, and victims should expect the same operators to resurface under a new name.

The cyberattack on Change Healthcare by the BlackCat ransomware gang has caused significant disruptions across the U.S. healthcare system, affecting healthcare providers' operations and patient care. The Department of Health and Human Services (HHS) is actively working to mitigate these impacts by aiding in claims processing, addressing the financial strain on healthcare organizations, and maintaining continuity of patient care. The incident highlights the vulnerability of critical healthcare infrastructure to cyber threats and underscores the need for robust security measures.