[ad_1]
There are signs that the American healthcare giant Change health care has made a $22 million extortion payment to the infamous Black cat ransomware group (also known as “ALPHV“) as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change’s network says the criminal gang scammed them out of their share of the ransom and that they still have the sensitive data that Change reportedly paid the group to destroy. . Meanwhile, the subsidiary’s disclosure appears to have led BlackCat to cease operations entirely.
Image: Varonis.
In the third week of February, a cyber intrusion at Change Healthcare began shutting down important healthcare services as the company’s systems went offline. It was soon learned that BlackCat was behind the attack, which has stopped the delivery of prescription drugs for hospitals and pharmacies nationwide for almost two weeks.
On March 1, a cryptocurrency address that security researchers had already assigned to BlackCat received a single transaction worth approximately $22 million. On March 3, a BlackCat affiliate posted a complaint on the Russian-only ransomware forum. Ramp saying that Change Healthcare had paid a $22 million ransom for a decryption key and to prevent four terabytes of stolen data from being posted online.
The affiliate claimed that BlackCat/ALPHV accepted the $22 million payment but never paid him his share of the ransom. BlackCat is known as a “ransomware-as-a-service” collective, meaning they rely on freelancers or affiliates to infect new networks with their ransomware. And those affiliates, in turn, earn commissions ranging from 60 to 90 percent of any ransom amount paid.
“But after receiving the payment, the ALPHV team decided to suspend our account and continue lying and delaying when we contacted the ALPHV administrator,” wrote affiliate “Notchy.” “Unfortunately for Change Healthcare, their data is still with us.”
Change Healthcare has neither confirmed nor denied the payment and has responded to multiple media outlets with a similar non-denial statement: that the company is focused on their investigation and restoring services.
Assuming Change Healthcare paid to prevent its data from being published, that strategy appears to have backfired: Notchy said the list of affected Change Healthcare partners from whom sensitive data had been stolen included State health insurance and a number of other major insurance and pharmacy networks.
The good thing is that Notchy’s complaint appears to have been the final nail in the coffin of the BlackCat ransomware group, which was infiltrated by the FBI and foreign law enforcement partners in late December 2023. As part of that action, the government seized by BlackCat. website and launched a decryption tool to help victims recover their systems.
BlackCat responded by reforming and increasing affiliate commissions by up to 90 percent. The ransomware group also stated that it was formally removing any restrictions or discouragements against hospitals and healthcare providers.
However, instead of responding that they would compensate and appease Notchy, a BlackCat representative said today that the group was shutting down and had already found a buyer for its ransomware source code.
The seizure notice is now displayed on the BlackCat dark website.
“There’s no point in making excuses,” wrote RAMP member “Ransom.” “Yes, we knew about the problem and we were trying to solve it. We told the affiliate to wait. We could send you our private chat logs where we are shocked by everything that is happening and are trying to solve the problem with transactions using a higher fee, but there is no point in doing so because we decided to completely close the project. “We can officially say that the feds screwed us.”
BlackCat’s website now features an FBI seizure notice, but several researchers noted that this image appears to have been simply cut and pasted from the notice the FBI left in its December raid on BlackCat’s network. The FBI has not responded to requests for comment.
Fabian Wosarhead of ransomware research at security company Emsisoftsaid it appears BlackCat leaders are trying to pull an “exit scam” on affiliates by withholding many ransomware payment commissions at once and shutting down the service.
“ALPHV/BlackCat was not confiscated,” Wosar wrote on Twitter/X today. “They are coming out of scamming their members. It’s blatantly obvious when you look at the source code of their new takedown notice.”
Dmitry SmilyanetsA researcher at security firm Recorded Future, said the BlackCat exit scam was especially dangerous because the affiliate still has all of the stolen data and could still demand additional payment or leak the information on their own.
“The affiliates still have this data and are angry because they did not receive this money,” Smilyanets he told Wired.com. “It’s a good lesson for everyone. Criminals cannot be trusted; “His word is worthless.”
The apparent demise of BlackCat comes on the heels of the implosion of another major ransomware group: BlockBit, a ransomware gang that is estimated to have extorted more than $120 million in payments from more than 2,000 victims worldwide. On February 20, LockBit’s website was seized by the FBI and the UK’s National Crime Agency (NCA) following a months-long infiltration of the group.
LockBit also attempted to restore its reputation on cybercrime forums by resurrecting itself on a new darknet website and threatening to reveal data from several major companies that were hacked by the group in the weeks and days leading up to the FBI takedown.
But LockBit appears to have since lost any credibility the group ever had. After a highly publicized attack on the government of Fulton County, Georgia, for example, LockBit threatened to release Fulton County data unless a ransom was paid by February 29. But when February 29 rolled around, LockBit simply removed Fulton’s entry. County from its site, along with those of several financial organizations that had previously been extorted by the group.
Fulton County held a press conference to say that they had not paid a ransom to LockBit, nor had anyone on their behalf, and that they were as baffled as everyone else as to why LockBit never followed through on their threat to release the data. County. Experts told KrebsOnSecurity that LockBit probably resisted because he was bluffing, and that the FBI probably relieved them of that data in their raid.
Smilyanets’ comments are reflected in revelations first published last month by Recorded Future, which aforementioned An NCA official said LockBit never deleted data after receiving a ransom payment, although that is the only reason many of its victims paid.
“If we don’t give you decryptors or delete your data after payment, no one will pay us in the future,” LockBit extortion notes often read.
Hopefully, more companies are starting to understand that paying cybercriminals to delete stolen data is a losing proposition.