The BlackCat ransomware gang shuts down servers after a multi-million dollar payout to UnitedHealth – but is this really the end?

The infamous BlackCat ransomware operator (also known as ALPHV) has apparently shut down its entire infrastructure, including servers and websites.

The circumstances leading to the decision are unclear, but some things point to a possible exit scam.

Over the weekend, the group closed its negotiating sites and posted a message on the Tox messaging platform saying “Everything is off, we decide.” Later that day, the group changed the message to “GG,” short for “good game.” Gamers usually type “GG” when they give in and decide to leave the game.

Ransomware as a service?

Although the group offered no explanation for its sudden termination, one of its affiliates claims to know what happened. Cybersecurity researchers at Recorded Future spotted a message posted by someone claiming to be a “longtime” BlackCat partner who was also responsible for the attack on Change Healthcare.

The attack, reported at the end of February this year, took a number of Change Healthcare services offline and even affected local pharmacies. The company merged with Optum two years ago in a $7.8 billion deal. After the ransomware attack, the affiliate claims, Optum paid $22 million in bitcoin (about 350 BTC) to keep sensitive data from being released online and to obtain the decryption key.

Then ALPHV apparently decided to pull the plug. The operators work with a ransomware-as-a-service (RaaS) model, in which affiliates get a share of the ransom, and so do the operators. Apparently there is no honor among thieves, and ALPHV decided to take the entire prize for themselves.

While that certainly sounds plausible, BleepingComputer also speculates that the closure could be part of a rebranding effort. BlackCat has already been renamed once in the past and was known as DarkSide until 2020.

The affiliates are now stuck with 4TB of Optum’s ‘critical data’, including ‘operations data that will impact all Change Healthcare and Optum customers’.

Via BleepingComputer
