Demonstrating once again that there is no honor among cyber criminals, the ALPHV/BlackCat ransomware gang left its affiliates holding the bag by pulling an exit scam on the way out.
BlackCat affiliates were left complaining on dark web forums that they had breached victims successfully, but that the ransomware gang had not paid out their percentage and had become unresponsive. This was shortly followed by the abrupt closure of affiliate accounts, and a law enforcement seizure notice posted to its dark web site that does not appear to be legitimate.
BlackCat ransomware gang appears to have finally disbanded
The ransomware gang’s strange behavior likely stems from a December takedown of its data leak site by international law enforcement. BlackCat kept operating in the wake of the attack, and in fact racked up numerous new victims throughout January and February.
The exit scam seemingly began on the first day of March. One of its affiliates breached US-based payment services provider Change Healthcare, which appears to have made a $22 million payment to the ransomware gang in Bitcoin. But by March 3, the affiliate was on a dark web forum complaining that BlackCat had not paid out their cut and that their administrators could not be reached.
On March 4, the complaints ramped up as the ransomware gang reportedly began closing affiliate accounts without prior warning. This was followed by a post offering the group’s source code for sale for $5 million, and what appears to be a fake law enforcement seizure notice on its data leak site. The group has since resurfaced to formally announce that it is shutting down, and that it has secured a buyer for its software.
Despite the continued high activity in January and February the late 2023 law enforcement operation appeared to rattle BlackCat, forcing the group to quickly shift to new infrastructure. The ransomware gang also attempted to placate affiliates by reducing their share of any successful breaches to 10% of the take. There has not yet been any notice from the FBI or other previously involved parties about a new operation, and some security researchers point to oddities in the site’s code that indicate the new takedown notice was a fabrication to facilitate the exit scam.
Researchers with cybersecurity firm Trustwave recently published an analysis of the “Version 3” of the group’s ransomware, likely what was just sold to an unknown party. The malware may continue to cause trouble due to stealth features that prevent researchers from analyzing code samples using conventional methods, as well as very effectively hiding from security scanning tools.
Future unclear for BlackCat after bold exit scam
The pattern here will likely be the same as it has for so many ransomware gangs: draw too much attention with too many attacks, break up due to law enforcement attention, and rebrand under a different name. The wrinkle with BlackCat is that this is the first example of one of these “industry leading” groups pulling an exit scam on their affiliates on the way out the door.
BlackCat leadership will have trouble trading on their former name, and security researchers are usually able to note when former members (and malware tools) have resurfaced in a new gang.
BlackCat was among the latest groups to draw special attention from law enforcement due to the quantity of its attacks, and due to the damage of some of them spilling over into mainstream news. The ransomware gang was involved with the shutdown of computer systems across MGM’s casino-hotels on the Vegas Strip last year, causing tourism chaos just ahead of the city’s first F1 race event. The more recent attack on Change Healthcare also made news as numerous patient care providers and pharmacies lost their ability to file insurance claims for an extended period; this in turn disrupted patient access to prescription drugs covered by their insurance, in some cases forcing them to pay full price for necessary meds until the problem was resolved. And in another attack on a health care network, one of BlackCat’s affiliates stole and leaked nude photos of cancer patients as a pressure tactic.
BlackCat has already been through the dissolution-and-rebrand process at least twice. It is thought to be composed of core members of DarkSide, the group that achieved notoriety for its attacks on US and Brazil infrastructure in 2021. Those attacks began the initial pattern of law enforcement heavily targeting big ransomware gangs that cross the line with their activities. Before becoming BlackCat, these members are thought to have also operated as BlackMatter for a period in 2021.
Malachi Walker, Security Advisor at DomainTools, notes that the price of crypto and/or pressure from the Russian government might have also prompted the messy exit scam: “On the other hand, this exit scam might simply be an opportunity for BlackCat to take the cash and run. Since crypto is once again at an all-time high, the gang can get away with selling their product “high.” Another possibility is that this exit scam is a result of Russia tapping BlackCat on the shoulder and telling them to quit their side hustle and pivot attention to leverage their ransomware capabilities in the war against Ukraine. Whatever the case may be, these actions by BlackCat are of great interest. In the cybercrime world, reputation is everything, and BlackCat seems to be burning bridges with its affiliates with these actions.”
Erich Kron, Security Awareness Advocate at KnowBe4, advises that the group’s ransomware will likely remain in circulation: “This demonstrates the dangers of dealing with criminals, even for other criminals. The closure is also a lesson in the fact that sometimes, data will not be recoverable after a ransomware attack, so it’s important that organizations have good backups. In this case, organizations that are currently negotiating with the affiliates are likely to find that because the infrastructure is being taken down by the developers, there will be no way to get the data recovered. It is possible that the sale of the source code could turn up vulnerabilities that will later allow for the decryption of data, but that is a long shot. It is critical that modern organizations have good backups in place as well as a strong human-focused security program that teaches employees to spot and report phishing attacks, the favorite way the modern ransomware spreads.”