US healthcare giant Change Healthcare appears to have paid $22 million in extortion money to the notorious BlackCat ransomware group (also known as ALPHV). The company is still struggling to get its services back online after a cyberattack that disrupted prescription drug services nationwide for weeks. But the cybercriminals who claim to have given BlackCat access to Change's network say the criminal organization cheated them out of their share of the ransom, and that they still hold the sensitive data Change reportedly paid BlackCat to destroy. Meanwhile, it appears that BlackCat has ceased operations entirely in the wake of the affiliate's disclosures.
In the third week of February, a cyber intrusion at Change Healthcare took the company's systems offline and began disrupting critical healthcare services. It soon became clear that BlackCat was behind the attack, which disrupted prescription drug deliveries to hospitals and pharmacies across the country for nearly two weeks.
On March 1, a cryptocurrency address that security researchers had already mapped to BlackCat received a single transaction worth approximately $22 million. On March 3, a BlackCat affiliate posted a complaint on the Russian-language ransomware forum RAMP, claiming that Change Healthcare had paid a $22 million ransom in exchange for a decryption key and a promise that 4 terabytes of stolen data would not be published online.
The affiliate claimed that BlackCat/ALPHV received the $22 million but did not pay the affiliate any portion of the ransom. BlackCat is known as a “ransomware-as-a-service” collective, meaning it relies on freelancers and affiliates to infect new networks with its ransomware. Those affiliates then receive a commission of 60-90% of any ransom paid.
“However, after receiving the payment, the ALPHV team decided to suspend our account and kept lying and delaying when we contacted the ALPHV admin,” writes affiliate “Notchy.” “Sadly, Change Healthcare data [is] still with us.”
Change Healthcare has neither confirmed nor denied the payments, and responded to multiple media outlets with similar non-denial statements that the company is focused on investigating and restoring service.
Assuming Change Healthcare paid to prevent the data from being released, that strategy appears to have failed. Notchy said the Change Healthcare partners whose sensitive data was stolen included Medicare and a host of other major insurance and pharmacy networks.
On the bright side, Notchy's accusation appears to have been the final nail in the coffin for the BlackCat ransomware group, which was infiltrated by the FBI and foreign law enforcement partners in late December 2023. As part of that action, the government seized BlackCat's website and released a decryption tool to help victims recover their systems.
BlackCat responded by reorganizing and increasing affiliate commissions to 90%. The ransomware group also declared that it is officially lifting all restrictions and restraints on targeting hospitals and healthcare providers.
However, BlackCat representatives declined to compensate or appease Notchy, saying today that the group is no longer active and that a buyer for the ransomware's source code has been found.
“There's no point in making excuses,” wrote RAMP member “Ransom.” “Yes, we were aware of the problem and were trying to resolve it. We told our affiliates to wait. You could also submit private chat logs where you are trying to resolve transaction issues, but there is no point in doing that as we have decided to shut down the project completely. I can officially say I messed up.”
BlackCat's website currently features a seizure notice from the FBI, but several researchers pointed out that the image appears to have been simply cut and pasted from the notice the FBI left when it raided BlackCat's network in December. The FBI did not respond to requests for comment.
Fabian Wosar, head of ransomware research at security firm Emsisoft, said BlackCat's leaders appear to be attempting an “exit scam” against their affiliates by withholding a large number of ransomware payment commissions and shutting down the service all at once.
“ALPHV/BlackCat was not seized,” Wosar wrote on Twitter/X today. “They are committing affiliate withdrawal fraud. If you check the source code of the new takedown notice, it is obvious.”
Dmitry Smilyanets, a researcher at security firm Recorded Future, said the nature of BlackCat's exit scam makes it particularly dangerous, because the affiliates still hold all of the stolen data and could demand additional payments or leak the information on their own.
“The affiliates still have this data and are angry that they didn't receive this money,” Smilyanets told Wired.com. “This is a good lesson for everyone. Don't trust criminals. You cannot. Their words are worthless.”
BlackCat's apparent demise comes on the heels of the collapse of another major ransomware group, LockBit, a ransomware gang estimated to have extorted payments of more than $120 million from more than 2,000 victims worldwide. On February 20, LockBit's website was seized by the FBI and the UK's National Crime Agency (NCA) after a months-long infiltration of the group.
LockBit has also attempted to restore its reputation on cybercrime forums by resurfacing with a new darknet website and threatening to publish data from a number of major companies the group had hacked in the weeks and days before the FBI takedown.
However, LockBit has since appeared to lose whatever credibility the group may once have had. For example, after a highly publicized attack on the government of Fulton County, Georgia, LockBit threatened to release Fulton County's data unless a ransom was paid by February 29th. But on February 29th, LockBit simply deleted the Fulton County entry from its site, along with the entries for several financial institutions that the group had previously extorted.
Fulton County held a press conference saying it had never paid a ransom to LockBit and that no one had paid one on its behalf, and echoed others' confusion as to why LockBit did not follow through on its public threat to release the county's data. Experts told KrebsOnSecurity that LockBit likely balked because it was bluffing, and that the FBI had likely taken that data in its raid.
Smilyanets' comments were driven home by revelations first published last month by Recorded Future, which quoted NCA officials as saying that LockBit never deleted victims' data after a ransom was paid, even though that was the only reason many victims paid in the first place.
LockBit's extortion notes typically say, “If we don't provide you with decryption tools or delete your data after payment, no one will pay us any more.”
I hope more companies are starting to get the memo that paying cybercriminals to delete stolen data is wasteful in the grand scheme of things.