
Blackcat Affiliate Behind Change Healthcare Ransomware Claims Group Stole $22 Million Ransom

The ALPHV/Blackcat ransomware group appears to have shut down its ransomware-as-a-service (RaaS) operation, indicating there may be an imminent rebrand. The group claims to have shut down its servers, its ransomware negotiation sites are offline, and a spokesperson for the group posted a message, “Everything is off, we decide.” A status message of “GG” was later added and ALPHV/Blackcat claimed that their operation was shut down by law enforcement and said it would be selling its source code.

Security experts disagree and say there is clear evidence that this is an exit scam, in which the group refuses to pay affiliates their cut of the ransom payments and pockets all the funds. ALPHV/Blackcat is a ransomware-as-a-service operation in which affiliates conduct the attacks and are paid a percentage of the ransoms they generate. Affiliates typically receive around 70% of any ransoms they generate, and the ransomware group takes the rest. Following the disruption of the Blackcat operation by law enforcement in December 2023, Blackcat has been trying to recruit new affiliates and has offered some of them "affiliate plus" status, under which they receive an even bigger cut of the ransom payment. An exit scam is the logical way to wind up the operation, and there would likely be few repercussions other than making it more difficult to recruit affiliates if the group rebrands.

It is not unusual for a ransomware group to shut down operations and rebrand after a major attack, and ALPHV/Blackcat has form for this. ALPHV/Blackcat is believed to be a rebrand of the BlackMatter ransomware operation, which was a rebrand of DarkSide. DarkSide was the ransomware group behind the attack on Colonial Pipeline in 2021 that disrupted fuel supplies on the Eastern Seaboard of the United States. Shortly after the attack, the group lost access to its servers, which they claimed was due to the actions of their hosting company. They also claimed that funds had been transferred from their accounts and suggested they were seized by law enforcement. BlackMatter ransomware only lasted for around 4 months before it was shut down, with the group rebranding in February 2022 as ALPHV/Blackcat.

On March 3, 2024, an affiliate with the moniker Notchy posted a message on the RAMP forum claiming they were responsible for the attack on Change Healthcare. The post was found by Dmitry Smilyanets, a threat researcher at Recorded Future. Notchy claimed they were a long-time affiliate of the ALPHV/Blackcat operation, had "affiliate plus" status, and had been scammed out of their share of the $22 million ransom payment. They claimed that Optum paid a 350 Bitcoin ransom to have the stolen data deleted and to obtain the decryption key. Notchy shared the payment address, which shows that a $22 million payment was made to the wallet and that the funds have since been withdrawn. The wallet has been tied to ALPHV/Blackcat, as it received payments for previous ransomware attacks that have been attributed to the group.


Notchy claimed ALPHV/Blackcat suspended their account following the attack and had been delaying payment before the funds were transferred to Blackcat accounts. Notchy said that Optum paid to have the data deleted, but that they still hold a copy of the 6TB of data stolen in the attack. Notchy claimed the data includes sensitive information from Medicare, Tricare, CVS-CareMark, Loomis, Davis Vision, Health Net, MetLife, Teachers Health Trust, tens of insurance companies, and others. The post finishes with a warning to other affiliates that they should stop working with ALPHV/Blackcat. It is unclear what Notchy plans to do with the stolen data and whether they will attempt to extort Change Healthcare or will try to sell or otherwise monetize the data.

Fabian Wosar, CTO of Emsisoft, is convinced this is an exit scam. After checking the source code of the purported law enforcement takedown notice, he said it is clear that Blackcat has recycled it from the December takedown notice. "There is absolutely zero reason why law enforcement would just put a saved version of the takedown notice up during a seizure instead of the original takedown notice," explained Wosar on Twitter. He also reached out to contacts at Europol and the NCA, who said they had no involvement in any recent takedown. Neither Change Healthcare nor its parent company UnitedHealth has confirmed whether the ransom was paid; the company issued a statement saying it is currently focused on the investigation.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve's editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
