The Great BlackCat Ransomware Heist

Several news outlets, including Reuters, have been covering a fair amount of exciting news regarding the BlackCat ransomware gang, also tracked as ALPHV by this publication.

When this publication last covered BlackCat operations, they were seen exploiting both the Impacket and RemCom frameworks to facilitate infections better.

Now, the ransomware developers are looking to bow out of the operation, not by retiring gracefully but via an exit scam that may be intended to prevent affiliates from being paid out.


The operators have blamed this drastic change on law enforcement: in a post on a hacker forum, ALPHV claimed that law enforcement had taken down the operation, as was seen with LockBit recently. The post said only that the "feds screwed us over." No details were provided, but anyone visiting the data leak site was presented with a takedown notice similar to those seen in the past.

Bleeping Computer spoke to the UK's National Crime Agency (NCA), one of the law enforcement agencies listed on the takedown notice, who confirmed they had not been part of any takedown operations targeting the gang.

The US Federal Bureau of Investigation (FBI) declined to comment on whether there was an operation. This is neither here nor there, as it is standard practice for the FBI only to comment if an official statement is released to the public.

Security researcher Dmitry Smilyanets also noted that suspected BlackCat administrators posted that they would sell the ransomware's source code for 5 million USD. On Monday, March 4, 2024, it was confirmed that those behind BlackCat shut down the negotiation servers.

This was after an affiliate complained via a hacking forum that the ransomware operators stole 20 million USD related to the Change Healthcare ransomware incident. Allegedly, this money was owed to the affiliate, either the whole sum or part of it.

In a separate news article published by Reuters, the disgruntled affiliate's forum post included a link showing that someone had moved about 350 bitcoins, now worth about 23 million USD as the value of the cryptocurrency rises, from one digital currency wallet to another.

After getting the funds, the recipient address that allegedly belongs to ALPHV operators distributed the bitcoins to various wallets in equal transactions of about 3.3 million USD.

Bleeping Computer noted that while the recipient address is now empty, it shows it received and sent close to 94 million USD. They added:

With claims from affiliates not getting paid, a sudden shutdown of the infrastructure, cutting ties with multiple affiliates, the "GG" message on Tox, announcing that they're selling the malware source code, and especially pretending that the FBI took control of their websites, all this is a clear indication that ALPHV/BlackCat ransomware administrators are exit scamming.

Exit scams are often seen in the cryptocurrency world. These are seen when an organization or individual creates a cryptocurrency project, promotes the currency until a monetary threshold is reached, and then disappears with their investor victims' money. It's not always individuals hawking the latest crypto coin.

Some crypto-trading exchanges have vanished after a few months or years of operation. Given the anonymous nature of ransomware operators, the temptation to abandon affiliates, who are often the ones actually carrying out the ransomware infections, must be ever-present.

A Brief History of BlackCat/ALPHV

BlackCat operations can be traced back to 2020, as they were the same developers of DarkSide, infamous for the Colonial Pipeline ransomware incident. DarkSide was quick to adopt the ransomware-as-a-service (RaaS) model, as Bleeping Computer notes,

A RaaS is when core operators develop a ransomware encryptor and negotiation sites and recruit affiliates to use their tools to conduct ransomware attacks and steal data. After a ransom is paid, the operators split the ransom payment, with affiliates and their teams usually receiving 70-80% of the payment and the operation receiving the rest.

The Colonial Pipeline attack drew massive media attention, along with the attention of law enforcement agencies across the globe. This resulted in the malware developers closing shop, only to return with a new ransomware strain, BlackMatter.

This was also short-lived, as security researchers found a weakness in the encryption routines and were able to develop a free decryptor for victims. Again, the malware developers were content to close the shop.

While BlackMatter operations ceased, the developers did not give up on seeing how lucrative ransomware could be. The ransomware operators returned in November 2021 under the name BlackCat/ALPHV. The gang's official name is ALPHV, although it was unknown then, so researchers called it BlackCat based on the small icon of a black cat used on every victim's negotiation site.

This period is defined by increasingly ugly ransom negotiations, with affiliates threatening physical harm, posting nude photos from stolen data, and aggressively calling out victims.

Again, operators and affiliates were targeted by law enforcement agencies. However, the operation continued with the gang's latest, and hopefully last victim, Change Healthcare.

The healthcare service provider allegedly paid the 22 million USD ransom. This brings us to the current allegation against BlackCat operators by the affiliate responsible for the infection: that the ransom was stolen from the affiliate, and that we are witnessing an exit scam play out live.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.
