Notorious ransomware operator BlackCat (also known as ALPHV) apparently shut down its entire infrastructure, including servers and websites.
The circumstances that led to the decision are unclear, but some things point to a possible exit scam.
Over the weekend, the group took its negotiation sites offline and posted a message on the Tox messaging platform saying “Everything is fine, we decide.” Later in the day, the group changed the message to “GG,” short for “good game,” which players often write when they concede and leave the game.
Ransomware as a service?
While the group gave no explanation for its sudden shutdown, one of its members claims to know what happened. Cybersecurity researchers at Recorded Future picked up a message posted by someone claiming to be a “long-time” BlackCat affiliate, the same affiliate that was responsible for the Change Healthcare attack.
The attack, reported in late February this year, forced some of Change Healthcare's services offline and even affected local pharmacies. The company merged with Optum two years ago in a $7.8 billion deal. According to the affiliate, Optum paid a ransom of $22 million in bitcoin (approximately 350 BTC) following the attack so that the stolen sensitive data would not be published online and the group would hand over the decryption key.
That's when ALPHV apparently decided to pull the plug. The operators run a ransomware-as-a-service (RaaS) model, in which the affiliate who carries out an attack receives a share of the ransom and the operators keep the rest. Apparently there is no honor among thieves: ALPHV decided to keep the entire payment for itself.
While this certainly sounds plausible, BleepingComputer also speculates that the closure could be part of a rebranding effort. BlackCat has already changed its name once in the past and, until 2020, was known as DarkSide.
The affiliate is now left holding 4TB of “critical data” from Optum, including “operational data that will impact all Change Healthcare and Optum customers.”
Via BleepingComputer