BlackCat Ransomware Group Disappears After $22 Million Payment

06 March 2024 | Pressroom | Cybercrime/ransomware


The threat actors behind the BlackCat ransomware shut down their website in the darknet and likely launched an exit scam after uploading a fake law enforcement seizure banner.

“ALPHV/BlackCat have not been seized. They are defrauding their affiliates,” said security researcher Fabian Wosar. “It’s blatantly obvious when you check the source code of the new takedown notice.”

“There is absolutely no reason why law enforcement should simply insert a saved version of the takedown notice during a seizure instead of the original takedown notice.”

The UK’s National Crime Agency (NCA) told Reuters it had no link to any disruption to the BlackCat infrastructure.

Recorded Future security researcher Dmitry Smilyanets published a screenshot on social media.

The disappearing act comes after the group allegedly received a $22 million ransom from UnitedHealth’s (Optum) Change Healthcare unit and refused to share the proceeds with the affiliate that carried out the attack.


The company did not comment on the alleged ransom payment, instead saying it was focused only on the investigation and recovery aspects of the incident.

According to DataBreaches, the disgruntled affiliate, whose account was suspended by the administration, made the allegations on cybercrime forum RAMP. “They emptied his wallet and took all the money,” they said.

This raised speculation that BlackCat staged an exit scam to evade scrutiny and reemerge in the future under a new brand. “There’s a re-branding going on,” said a former administrator of the ransomware group.


In December 2023, BlackCat’s infrastructure was seized by law enforcement, but the e-crime group managed to regain control of its servers and restart its operations without major consequences. The group previously operated under the names DarkSide and BlackMatter.

“Internally, BlackCat may be concerned about moles within their group, and preemptively shutting down shop could prevent a takedown before it happens,” said Malachi Walker, security consultant at DomainTools.

“On the other hand, this exit scam could simply be an opportunity for BlackCat to take the money and run. Given that cryptocurrencies are once again at all-time highs, the gang can get away with selling their product at high prices. In the world of cybercrime, reputation is everything, and BlackCat appears to be burning ties with its affiliates with these actions.”

The group’s apparent demise and abandonment of its infrastructure comes as the VX-Underground malware research group reported that the LockBit ransomware operation no longer supports LockBit Red (also known as LockBit 2.0) and StealBit, a custom tool used by the threat actor for data exfiltration.


LockBit also tried to save face by moving some of its activities to a new dark web portal after a coordinated law enforcement operation destroyed its infrastructure last month following a months-long investigation.

Additionally, Trend Micro revealed that the ransomware family known as RA World (formerly RA Group) has successfully infiltrated healthcare, financial, and insurance companies in the United States, Germany, India, Taiwan, and other countries since it emerged in April 2023.

The attacks launched by the group “involve multi-stage components designed to ensure maximum impact and success in the group’s operations,” the cybersecurity firm noted.
