2024-03-06
BlackCat Operators Deploy Exit Scam
The ALPHV/BlackCat ransomware operators appear to have made away with a $22 million ransom payment without sharing the proceeds with the affiliate that actually conducted the attack on Change Healthcare. Soon after, a banner appeared on the group’s website that made it look as though the site had been taken down by the FBI, the UK’s National Crime Agency (NCA), and other law enforcement organizations. While the agencies have been involved in various takedown efforts over the past few weeks, they say they have not conducted a takedown of this particular group.
Editor's Note
Shock and horror as people realise you can't trust criminals. In all the "to pay or not to pay ransom" debates, the fact you can't trust criminals often seems to be overlooked.

Brian Honan
Feeling flush with a $22 million payment, Black Cat appears to be ready to offer their source code for another $5 million, then set up shop under a new name "off the radar." This would also be a good time to develop new capabilities; for example, version 3 of their ransomware has a requirement for victim-specific access tokens before it will execute, making analysis or reversing much more difficult. For most of us, just double down on your existing ransomware protections and have your threat hunters keep you apprised of developments.

Lee Neely
Read more in
SC Magazine: New BlackCat ransomware analysis published as leak site goes dark
Ars Technica: After collecting $22 million, AlphV ransomware group stages FBI takedown
Krebs on Security: BlackCat Ransomware Group Implodes After Apparent $22M Payment by Change Healthcare
Dark Reading: BlackCat Goes Dark After Ripping Off Change Healthcare Ransom
Cyberscoop: Ransomware group behind Change Healthcare attack goes dark
The Record: Europol, DOJ, NCA deny involvement in recent AlphV/BlackCat ‘shutdown’