After days of outages causing chaos in the US healthcare system, United Healthcare’s Change Healthcare subsidiary decided its best solution was to pay off the BlackCat/ALPHV ransomware affiliate that breached its systems on February 23. The payment, however, has not provided the orderly conclusion to the cyber incident that the healthcare technology provider was hoping for.
Experts speculate that the Change Healthcare ransomware attack, and by association the US healthcare system more generally, is embroiled in a potential exit strategy for BlackCat administrators, who are burning affiliate bridges and chasing one last big payday before abandoning their brand and existing infrastructure.
BlackCat and the Dramatic Change in Healthcare Ransomware
After Change Healthcare reportedly deposited $22 million into a Bitcoin wallet as payment for the ransomware, BlackCat administrators have been accused on the Dark Web of meddling and grabbing all the money for themselves, excluding their affiliates from their share of the loot.
A message posted on a dark website by a disgruntled affiliate of the ransomware-as-a-service (RaaS) gang, which claims to be responsible for the Change Healthcare ransomware breach, claims they are still in possession of 4TB of critical data, which includes information stolen from Change partners CVS-Caremark, Health Net, and MetLife. The message threatened to leak the data if BlackCat did not deliver the promised cut to the affiliate. The post concluded with a warning to other potential affiliates: “Be careful everyone and stop dealing with ALPHV.”
BlackCat’s RaaS business has been on shaky ground since its servers were seized by law enforcement last December, compromising the group’s entire infrastructure. BlackCat managed to recover and create new servers, but law enforcement nevertheless gained access to its code.
If true, BlackCat administrators’ theft of Change Healthcare’s $22 million ransom would represent a “heartless betrayal” that could effectively signal the end of BlackCat, according to Ferhat Dikbiyik, head of research at Black Kite.
“An exit scam is quite common in black markets, but not so common among Russian ransomware groups,” says Dikbiyik. “However, in the digital shadows, such a move could be likened to a rebranding effort, an opportunity to escape the limelight and reemerge with a clean slate.”
Evidence of BlackCat’s exit strategy
Now, BlackCat has shut down its leak site and put its RaaS source code up for sale for $5 million to anyone interested, it announced via its Tor chat over the last few days. It is a striking reversal after a series of high-profile attacks, and doubly so given BlackCat’s position as the top ransomware gang now that LockBit has been sidelined by law enforcement action.
By way of explanation, the ransomware gang is blaming “the feds” for interfering with its business again. But experts, including Nic Finn, senior threat intelligence consultant at GuidePoint Security, see no evidence that the BlackCat servers were shut down by law enforcement this time.
“There is a lot of speculation that BlackCat is running an exit scam, where they steal ransom payments from their affiliates before shutting down their infrastructure and cutting off communications,” Finn says. “Their decision to make it appear as if this was another FBI attack would help them delay any negative response from their affiliates in the meantime.”
After all, building a reliable affiliate base is the secret sauce that makes the RaaS business work. Publicly burning an affiliate would certainly discourage potential partners from getting involved with BlackCat, indicating that the administrators don’t appear to have many future plans for the operation in its current form.
Bitcoin Value, Ukraine, Other Potential Factors in BlackCat Breakup
Malachi Walker, security consultant at DomainTools, pointed out in an emailed statement that it is possible BlackCat administrators decided to cash in on the business and cheat their affiliates right now because the value of Bitcoin is reaching all-time highs.
Ukraine is another possible reason BlackCat leadership is ready to cash out, Walker added.
“Another possibility is that this exit scam is the result of Russia tapping BlackCat on the shoulder telling them to abandon their side hustle and focus their attention on leveraging their ransomware capabilities in the war against Ukraine,” Walker said. “Whatever the case, these actions by BlackCat are of great interest.”
Regardless of who exactly is behind BlackCat’s moves, Ariel Parnes, COO and co-founder of Mitiga, said the evidence shows that efforts are undeniably being made to destabilize the BlackCat ransomware operation.
“While it may appear that BlackCat has voluntarily ceased its activities, closer examination suggests a more complex scenario,” says Parnes. “The simultaneous deactivation of their servers, coinciding with fraud allegations against their associates, suggests a potentially expansive effort to undermine BlackCat’s position.”
And while honor among thieves is usually in short supply, in the world of cybercrime, branding is everything.
“The operational sustainability of such cybercriminal entities depends to a large extent on their credibility within their clandestine ecosystem,” adds Parnes. “A compromise to their reputation could severely weaken their bases of operations, posing an existential threat.”
Change Healthcare meanwhile said in a statement to Dark Reading: “We are focused on the investigation.”