BlackCat ransomware gang shuts down servers after multi-million dollar UnitedHealth payout — but is this really the end?

News
By Sead Fadilpašić
published

Affiliates fear a BlackCat rugpull, but the media thinks otherwise

ID theft
Image credit: Pixabay (Image credit: Future)

The notorious BlackCat ransomware operator (also known as ALPHV) has apparentlly shut down its entire infrastructure, including servers, and websites. 

The circumstances leading up to the decision are unclear, but some things point to a possible exit scam.

Over the weekend, the group shut down its negotiation sites and posted a message on the Tox messaging platform, reading “Everything is off, we decide”. Later during the day, the group changed the message to “GG,” short for “good game”. Gamers usually type “GG” when they concede and decide to quit the game.

Ransomware as a service?

While the group gave no explanation for its sudden termination, one of its affiliates claims to know what happened. Picked up by cybersecurity researchers Recorded Future, a message was posted by someone claiming to be a “longtime” BlackCat affiliate, who were also responsible for the attack on Change Healthcare. 

The attack, which was reported in late February this year, forced some of Change Healthcare’s services offline, and even affected local pharmacies. The company merged with Optum two years ago, in a $7.8 billion deal. Following the ransomware attack, the affiliate criminals claim, Optum paid $22 million in bitcoin (roughly 350 BTC) for sensitive data not to be released online, and for the group to provide the decryption key.

That’s when ALPHV apparently decided to pull the plug. The operators work a ransomware-as-a-service (RaaS) model, where the affiliates get a cut of the ransom payment, but so do the operators. Apparently, there is no honor among thieves, and ALPHV decided to take the entire prize for itself.

While that certainly sounds plausible, BleepingComputer also speculates that the shutdown could be a part of a rebranding effort. BlackCat has already rebranded once in the past and was, until 2020, known as DarkSide.

The affiliates are now stuck with 4TB of Optum’s “critical data,” including “operation data that will affect all Change Healthcare and Optum clients”.

Via BleepingComputer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.