The notorious BlackCat ransomware operator (also known as ALPHV) has apparentlly shut down its entire infrastructure, including servers, and websites.
The circumstances leading up to the decision are unclear, but some things point to a possible exit scam.
Over the weekend, the group shut down its negotiation sites and posted a message on the Tox messaging platform, reading “Everything is off, we decide”. Later during the day, the group changed the message to “GG,” short for “good game”. Gamers usually type “GG” when they concede and decide to quit the game.
Ransomware as a service?
While the group gave no explanation for its sudden termination, one of its affiliates claims to know what happened. Picked up by cybersecurity researchers Recorded Future, a message was posted by someone claiming to be a “longtime” BlackCat affiliate, who were also responsible for the attack on Change Healthcare.
The attack, which was reported in late February this year, forced some of Change Healthcare’s services offline, and even affected local pharmacies. The company merged with Optum two years ago, in a $7.8 billion deal. Following the ransomware attack, the affiliate criminals claim, Optum paid $22 million in bitcoin (roughly 350 BTC) for sensitive data not to be released online, and for the group to provide the decryption key.
That’s when ALPHV apparently decided to pull the plug. The operators work a ransomware-as-a-service (RaaS) model, where the affiliates get a cut of the ransom payment, but so do the operators. Apparently, there is no honor among thieves, and ALPHV decided to take the entire prize for itself.
While that certainly sounds plausible, BleepingComputer also speculates that the shutdown could be a part of a rebranding effort. BlackCat has already rebranded once in the past and was, until 2020, known as DarkSide.
The affiliates are now stuck with 4TB of Optum’s “critical data,” including “operation data that will affect all Change Healthcare and Optum clients”.
Via BleepingComputer
More from TechRadar Pro
- Change Healthcare hit by major cyberattack — US health tech giant sees website taken offline, login pages unavailable
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now