Cybercrime as-a-service , Fraud Management & Cybercrime , Ransomware

BlackCat Ransomware Group 'Seizure' Appears to Be Exit Scam

Affiliate Claims Administrators Kept All $22 Million Paid by Change Healthcare
BlackCat Ransomware Group 'Seizure' Appears to Be Exit Scam
Security experts say Alphv/BlackCat has faked the supposed law enforcement seizure notice on its Tor site, as seen on March 5, 2024.

The administrators of the BlackCat ransomware-as-a-service group claim law enforcement has shut down their operation, while experts and affiliates accuse the group's leadership of running an exit scam.

See Also: Webinar | 2023 OT Cybersecurity Year in Review: Lessons Learned from the Frontlines

BlackCat's supposed shutdown comes as American healthcare services firm Optum's Change Healthcare unit struggles to recover from a ransomware attack perpetrated by the group. As a result of the attack, Optum has taken over 100 healthcare systems offline as it recovers. Resulting outages have left hundreds of healthcare providers, including U.S. military pharmacies worldwide, unable to receive reimbursement for prescriptions (see: Optum Offering Financial Aid to Some Providers Hit by Outage).

Lawmakers and industry bodies have been calling for federal officials to intervene and help.

The U.S. Department of Health and Human Services on Tuesday said it's in close communication with UnitedHealth Group and actively working to help tackle "potential cash flow concerns" that have been reported by "numerous hospitals, doctors, pharmacies and other stakeholders."

One of the affiliates of BlackCat, aka Alphv, who claimed to behind the Feb. 21 attack, reported that Optum's owner, UnitedHealth Group, recently paid a $22 million ransom over the attack. The affiliate claimed BlackCat kept the entirety of the ransom payment, rather than sharing the affiliate's cut. For most groups, affiliates receive 70% or 80% of every ransom paid.

On Tuesday, BlackCat's Tor-based data leak site resolved to a page that reads: "The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Alphv Blackcat ransomware." While a joint law enforcement operation did seize BlackCat's infrastructure last December, temporarily disrupting the group, ransomware hunter Fabian Wosar, CTO of Emsisoft, said the takedown notice appears to have been recycled.

Both Europol and the U.K.'s National Crime Agency told him they had nothing to do with this supposed takedown. "This is a poor attempt by ALPHV/BlackCat to hide their exit scam," Wosar said. "Don't fall for it."

The ransom purportedly paid by UnitedHealth Group came to light thanks to Dmitry Smilyanets, a threat researcher at Recorded Future, who spotted and shared a late Sunday post to the Ramp cybercrime forum by a user named "Notchy," who claimed to be a longtime affiliate of BlackCat.

Notchy claimed Optum paid BlackCat $22 million "as ransom to prevent data leakage and decryption key" after the ransomware group attacked Change Healthcare.

"After receiving the payment, Alphv team decided to suspend our account and keep lying and delaying when we contacted the Alphv admin on Tox," followed by draining the wallet involved, Notchy said. "Be careful everyone and stop deal with Alphv."

Notchy shared the wallet address allegedly tied to Alphv, which received a total of 1,401 bitcoins, worth over $92 million, before being drained.

Both blockchain analytics firm TRM Labs and Recorded Future have confirmed that on Friday a single cryptocurrency wallet received 350 bitcoins worth about $22 million, Wired reported on Monday. TRM Labs told Wired that two ransom payments sent to BlackCat flowed to the same address in January.

UnitedHealth Group didn't immediately respond to a request for comment.

In a statement provided to, a spokesperson declined to comment on the alleged payment, saying only: "Right now I can share that we are focused on the investigation."

The company has said disruptions resulting from the attack could last for weeks.

Notchy's claims, including one that he is a BlackCat affiliate, couldn't be verified, and neither could BlackCat's role in the Change Healthcare attack.

In the Ramp post, Notchy claimed to still possess 6 terabytes of data stolen from Change Healthcare. He said the data pertains to Medicare, individuals in the U.S. military's Tricare plan, and people who work with CVS Caremark, MetLife, Teachers Health Trust and others.

Whether Notchy might attempt to further extort UnitedHealth Group to pay another ransom isn't clear.

Alphv/BlackCat Claims to Shut Down

BlackCat's leadership has claimed the group's ransomware days are done, according to a Tuesday post to Ramp shared by Smilyanets.

"We decided to completely close the project, we can officially declare that the feds screwed us over," said a Russian-language post from Ramp forum user "Rivka," according to a machine translation. "The source code will be sold, negotiations are already underway on this matter." The company priced the source code at $5 million.

Just as BlackCat faked being disrupted by law enforcement, its claim of shutting down the operation might also be a lie.

Instead, the group might be using this as a short-term ruse to rob English-speaking Western affiliates of their share of the massive Optum ransom payment, said Yelisey Bohuslavskiy, chief research officer at RedSense.

"There would be no repercussions, moral or operational, for scamming the English-speaking members - AlphV knows this," he said. "In other words, they can take the money without any punishment," except of course for burning trust with Western affiliates, though the group might blame them at least in part for assisting in law enforcement's recent disruption.

While BlackCat also claimed to be selling its source code, Bohuslavskiy said the code was relatively old and may have been obtained by law enforcement as part of its December 2023 disruption. Thus, the group might be planning to develop new crypto-locking malware ahead of a reboot. "Nothing prevents them from returning with a new locker, as the Russian-speaking actors will still see them as credible," he said.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.