BlackCat Goes Dark After Ripping Off Change Healthcare Ransom

Source code fire sale, stiffing affiliates — are BlackCat admins intentionally burning their RaaS business to the ground? Experts say something’s up.
March 5, 2024
After days of outages that have caused chaos across the US healthcare system, United Healthcare's Change Healthcare subsidiary decided the best bet was to pay off the BlackCat/ALPHV ransomware affiliate that breached its systems on Feb. 23. Unsurprisingly, paying the extortion didn't provide the tidy end to the cyber incident that the healthcare technology services provider hoped it would.
Experts speculate it's possible that the Change Healthcare ransomware attack, and by association the US healthcare system more broadly, is wrapped up in a potential exit strategy for the BlackCat admins — who are burning affiliate bridges and going after one last big payday before abandoning their brand and existing infrastructure altogether.
After Change Healthcare reportedly deposited $22 million in a Bitcoin wallet as a ransomware payment, BlackCat admins were accused on the Dark Web of swooping in and grabbing all the cash for themselves, cutting their affiliates out of their part of the loot.
A message posted on a Dark Web site from a disgruntled affiliate for the ransomware-as-a-service (RaaS) gang, claiming to be responsible for the Change Healthcare ransomware breach, said they were still in possession of 4TB of critical data that includes stolen information from Change partners CVS Caremark, Health Net, and MetLife. The message threatened to leak it if BlackCat didn't deliver the cut that the affiliate was promised. The post concluded with a warning to other would-be affiliates: "Be careful everyone and stop dealing with ALPHV."
BlackCat's RaaS business has been on shaky footing ever since its servers were seized by law enforcement last December, compromising the group's entire infrastructure. BlackCat was able to recover and stand up new servers, but nonetheless, law enforcement had access to its code.
If true, BlackCat admins stealing the $22 million Change Healthcare ransom payment would represent a "cutthroat betrayal" that could indeed signal the end of BlackCat, according to Ferhat Dikbiyik, head of research at Black Kite.
"An exit scam is quite common in black markets, but not so common between Russian ransomware groups," Dikbiyik says. "Yet, in the digital shadows, such a move could be likened to a rebranding effort, a chance to slip away from the limelight and re-emerge with a clean slate."
Now, BlackCat has shuttered its leak site and put its RaaS source code up for sale for $5 million to anyone who's interested, it announced by way of its Tor chat over the past day or so. It's a stunning reversal after a string of high-profile attacks, and doubly so given BlackCat's position as the top ransomware gang now that LockBit has been sidelined by a law-enforcement action.
By way of explanation, the ransomware gang is blaming "the feds" for interfering again with its business. But experts including Nic Finn, a senior threat intelligence consultant at GuidePoint Security, don't see any evidence that the BlackCat servers were shut down by law enforcement this time around.
"There's a lot of speculation that BlackCat is initiating an exit scam, in which they steal the ransom payments from their affiliates before shutting down their infrastructure and breaking communications," Finn says. "Their decision to make it look like it's another FBI takedown would help them delay any negative response from their affiliates in the interim."
After all, building a base of reliable affiliates is the secret sauce that makes the RaaS business happen. And publicly burning an affiliate would certainly deter prospective partners from getting involved with BlackCat, indicating the admins don't seem to have many future plans for the business in its current form.
Malachi Walker, security advisor with DomainTools, pointed out in an emailed statement that it's possible that BlackCat admins decided to cash out of the business and rip off affiliates at this time because the value of Bitcoin is hitting all-time highs.
The war in Ukraine is another possible reason BlackCat leadership is ready to cash out, Walker added.
"Another possibility is that this exit scam is a result of Russia tapping BlackCat on the shoulder and telling them to quit their side hustle and pivot attention to leverage their ransomware capabilities in the war against Ukraine," Walker said. "Whatever the case may be, these actions by BlackCat are of great interest."
Regardless of who exactly is behind the BlackCat moves, Ariel Parnes, COO and co-founder of Mitiga, said the evidence shows there is undeniably an effort being made to destabilize the BlackCat ransomware operation.
"While it might appear that BlackCat has voluntarily ceased its activities, a closer examination suggests a more complex scenario," Parnes says. "The simultaneous deactivation of their servers, coinciding with the allegations of defrauding their associates, hints at a potentially expansive effort to undermine BlackCat's standing."
And while honor among thieves is usually in short supply, in the cybercrime world, brand is everything.
"The operational sustainability of such cybercriminal entities heavily relies on their credibility within their clandestine ecosystem," Parnes adds. "A compromise to their reputation could critically weaken their operational foundation, posing an existential threat."
Change Healthcare meanwhile said in a statement to Dark Reading, "We are focused on the investigation."
Becky Bracken, Editor, Dark Reading