ALPHV/BlackCat Fakes Law Enforcement Takedown to Scam Affiliates

The ransomware ecosystem has been unstable since LockBit was dismantled by law enforcement in late February, leaving a power vacuum after the gang had raked in over $1 billion in stolen funds over the past two years. Blackcat/ALPHV, another major ransomware organization, appears to have faked a similar fate, posting a false takedown notice on their leak site:

Security researcher Fabian Wosar, Head of Ransomware Research at Emisoft, highlighted discrepancies in the source code of the takedown notice and how it’s hosted, which indicated ALPHV did not get seized.

“I also reached out to contacts at Europol and the NCA, and neither of them had any idea what I was even talking about and declined any sort of involvement,” Wosar said. “So again, this is a poor attempt by ALPHV/BlackCat to hide their exit scam. Don't fall for it.”

ALPHV claimed responsibility for the recent Change Healthcare cyberattack, which has severely disrupted pharmacies and hospitals across the U.S. Industry experts say the attack is costing them $100 million a day in deferred revenue. The financial impact and effects on patient care have so far landed this cyberattack among the worst in health care services this year.

On March 1, a Bitcoin address associated with ALPHV received a $22 million transaction. Two days later, a person who claims to be an affiliate of the ransomware gang posted to the cybercriminal Ramp Forum that ALPHV had scammed them out of $20M and suspended their account before emptying the wallet and taking the money.

According to a screenshot shared via vx-underground, the disgruntled affiliate clams Change Healthcare paid to prevent data leakage and to access a decryption key. The affiliate also claims they are still in possession of 4TB of critical data which affects high-profile Change Health partners, including Medicare, Tricare, CVS-CareMark, Health Net, MetLife, and more.

In an attempt to offer proof, the affiliate linked to the Bitcoin payment address and warned others to stop dealing with ALPHV.

A former admin of ALPHV told DataBreaches they had nothing to do with the Change Healthcare attack and that they were also locked out. They confirmed that the admin(s) stole the affiliate’s payout and that Change Healthcare had been given the decryptor after paying.

ALPHV posted in the Ramp Forum claiming “the feds screwed us over” and said they “decided to completely close the project.” They are selling their source code for $5M.

Security experts, and even the admin on the Ramp Forum, are calling this a classic exit scam. These types of scams are particularly prevalent in unregulated or loosely regulated sectors, where oversight is minimal and the promise of high returns can lure in victims. In this case it’s one criminal group scamming another, while critical infrastructure suffers collateral damage.

ALPHV has vanished with a tidy sum, and experts predict the group may cut its affiliate losses and resurface under a new name to carry on with their RaaS activities.

The U.S. Department of Justice (DOJ) temporarily seized the ALPHV/Blackcat leak site in December 2023, and released a decryption tool to more than 500 victims around the world. After “unseizing” its leak site, the ransomware group escalated hostility, removing all rules regarding attacks on hospitals, nuclear plants, and other previously restricted domains. At that time, ALPHV increased the payout rate for affiliates to 90%, eliminated discounts for companies, and introduced private affiliate programs with isolation from other affiliates, in an attempt to retain its network.

While the DOJ’s temporary seizure of ALPHV’s site in December appeared to only inflame the ransomware group, in hindsight it seems to have delivered a blow to their affiliates’ confidence, as their attacks slowed and ALPHV has now shown itself to the door.

Absconding with the Change Healthcare ransom payment will likely burn any remaining bridges ALPHV had with affiliates, and the group will require a total rebranding and overhaul if they plan to continue RaaS activity under a new name.