BlackCat Ransomware Group Implodes After Apparent $22 Million Payment by Change Healthcare – Cancer Over Security

There is evidence that the US healthcare giant Change Healthcare made a $22 million extortion payment to the infamous BlackCat ransomware group (also known as "ALPHV") as the company struggles to bring its services back online, weeks after a cyberattack crippled prescription drug services nationwide. However, the cybercriminal who claims to have given BlackCat access to Change's network says the gang cheated them out of their share of the ransom, and that they still hold the sensitive data that Change allegedly paid the group to destroy. Meanwhile, the affiliate's disclosure appears to have prompted BlackCat to cease operations entirely.

Image: Varonis.

In the third week of February, a cyberattack at Change Healthcare crippled critical healthcare services as the company's systems were taken offline. It soon emerged that BlackCat was behind the attack, which disrupted the delivery of prescription drugs to hospitals and pharmacies across the country for nearly two weeks.

On March 1, a cryptocurrency address that security researchers had already attributed to BlackCat received a single transaction worth about $22 million. On March 3, a BlackCat affiliate posted a complaint on the exclusive Russian-language ransomware forum RAMP, saying that Change Healthcare had paid a $22 million ransom for a decryption key and to prevent four terabytes of stolen data from being published online.

The affiliate claimed that BlackCat/ALPHV accepted the $22 million payment but never paid him his share of the ransom. BlackCat operates as a "ransomware-as-a-service" collective, meaning it relies on freelancers or affiliates to infect new networks with its ransomware. These affiliates, in turn, earn commissions of 60 to 90 percent of the ransom amount paid.

"But after receiving the payment, the ALPHV team decided to block our account and continued to lie and stall when we contacted the ALPHV administrator," wrote the affiliate, who goes by the handle "Notchy." "Unfortunately for Change Healthcare, their data [is] still with us."

Change Healthcare has neither confirmed nor denied the payment, and has responded to multiple media outlets with a similar non-denial statement: the company is focused on its investigation and on restoring services.

If Change Healthcare paid to keep its data from being made public, that strategy appears to have failed: Notchy said the list of affected Change Healthcare partners whose sensitive data they had stolen included Medicare and a variety of other large insurance and pharmacy networks.

On the bright side, Notchy's complaint appears to have been the final nail in the coffin for the BlackCat ransomware group, which was infiltrated by the FBI and foreign law enforcement partners in late December 2023. As part of that operation, the government seized BlackCat's website and released a decryption tool to help victims restore their systems.

BlackCat responded by regrouping and increasing affiliate commissions to up to 90 percent. The ransomware group also said it would officially lift any restrictions or deterrents against attacks on hospitals and healthcare providers.

However, instead of offering to compensate and appease Notchy, a BlackCat representative said today that the group was shutting down and that it had already found a buyer for its ransomware source code.

The seizure notice is now displayed on the BlackCat darknet website.

"There's no point in apologizing," wrote RAMP member "Ransom." "Yes, we knew about the problem and tried to solve it. We told the partner to wait. We could send you our private chat logs in which we are shocked by everything that is happening and try to solve the problem with the transactions by paying a higher fee, but that makes no sense because we have decided to close the project completely. We can officially say we were screwed by the government."

An FBI seizure notice is now posted on BlackCat's website, but several researchers noted that the image appears to have simply been cut and pasted from the notice the FBI left behind when it took down the BlackCat infrastructure in December. The FBI did not respond to requests for comment.

Fabian Wosar, head of ransomware research at the security company Emsisoft, said it appears BlackCat's operators are attempting an "exit scam" against their affiliates by withholding many ransomware payment commissions at once and shutting down the service.

"ALPHV/BlackCat has not been seized," Wosar wrote on Twitter/X today. "They are cheating their affiliates. It is obvious when you check the source code of their new takedown notice."

Dmitry Smilyanets, a researcher at the security firm Recorded Future, said the BlackCat exit scam is particularly dangerous because the affiliate still holds all of the stolen data and could demand additional payment or leak the information themselves.

"The affiliates still have that data and are angry that they didn't receive that money," Smilyanets told Wired.com. "It's a good lesson for everyone. You can't trust criminals; their word is worth nothing."

BlackCat's apparent demise comes hot on the heels of the implosion of another major ransomware group – LockBit, a ransomware gang estimated to have extorted over $120 million in payments from more than 2,000 victims worldwide. On February 20, LockBit's website was seized by the FBI and the UK's National Crime Agency (NCA) after months of infiltrating the group.

LockBit also attempted to restore its reputation on cybercrime forums by resurfacing on a new dark web site and threatening to release data from a number of major companies the group had hacked in the weeks and days leading up to the FBI raid.

But LockBit now appears to have lost any credibility the group once had. For example, after a highly publicized attack on the government of Fulton County, Georgia, LockBit threatened to release Fulton County's data unless a ransom was paid by February 29. But when February 29 rolled around, LockBit simply deleted the listing for Fulton County from its website, along with those of several financial organizations that had previously been extorted by the group.

Fulton County held a press conference to say that neither it nor anyone else had paid a ransom on its behalf, and that it, like everyone else, was in the dark as to why LockBit never followed through on its threat to release the data. Experts told KrebsOnSecurity that LockBit likely backed down because it was bluffing, and that the FBI had probably taken that data from the group in its raid.

Smilyanets' comments are backed up by revelations first published by Recorded Future last month. The company quoted an NCA official as saying that LockBit never deleted victims' data after a ransom was paid, even though that was the only reason many of its victims paid.

"If we do not provide you with decryption programs or delete your data after payment, no one will pay us in the future," LockBit's extortion notes typically say.

Hopefully, more and more companies will understand that paying cybercriminals to delete stolen data is a completely hopeless endeavor.