Source code fire sale, stiffing affiliates — are BlackCat admins intentionally burning their RaaS business to the ground? Experts say something's up.

[Image: Bitcoin on fire falling into flames. Source: Wodthikorn Phutthasatchathum via Alamy Stock Photo]

After days of outages that have caused chaos across the US healthcare system, United Healthcare's Change Healthcare subsidiary decided the best bet was to pay off the BlackCat/ALPHV ransomware affiliate that breached its systems on Feb. 23. Unsurprisingly, paying the extortion didn't provide the tidy end to the cyber incident that the healthcare technology services provider hoped it would.

Experts speculate it's possible that the Change Healthcare ransomware attack, and by association the US healthcare system more broadly, is wrapped up in a potential exit strategy for the BlackCat admins — who are burning affiliate bridges and going after one last big payday before abandoning their brand and existing infrastructure altogether.

BlackCat & the Change Healthcare Ransomware Drama

After Change Healthcare reportedly deposited $22 million in a Bitcoin wallet as a ransomware payment, BlackCat admins were accused on the Dark Web of swooping in and grabbing all the cash for themselves, cutting their affiliates out of their part of the loot.

A message posted on a Dark Web site by a disgruntled affiliate of the ransomware-as-a-service (RaaS) gang, claiming responsibility for the Change Healthcare breach, said the affiliate was still in possession of 4TB of critical data, including information stolen from Change partners CVS-Caremark, Health Net, and MetLife. The message threatened to leak the data if BlackCat didn't deliver the cut the affiliate had been promised. The post concluded with a warning to other would-be affiliates: "Be careful everyone and stop dealing with ALPHV."

BlackCat's RaaS business has been on shaky footing ever since its servers were seized by law enforcement last December, compromising the group's entire infrastructure. BlackCat was able to recover and stand up new servers, but nonetheless, law enforcement had access to its code.

If true, BlackCat admins stealing the $22 million Change Healthcare ransom payment would represent a "cutthroat betrayal" that could indeed signal the end of BlackCat, according to Ferhat Dikbiyik, head of research at Black Kite.

"An exit scam is quite common in black markets, but not so common between Russian ransomware groups," Dikbiyik says. "Yet, in the digital shadows, such a move could be likened to a rebranding effort, a chance to slip away from the limelight and re-emerge with a clean slate."

Evidence of BlackCat Exit Strategy

Now, BlackCat has shuttered its leak site and put its RaaS source code up for sale for $5 million to anyone who's interested, as it announced via its Tor chat over the past day or so. It's a stunning reversal after a string of high-profile attacks, and doubly so given BlackCat's position as the top ransomware gang now that LockBit has been sidelined by a law-enforcement action.

By way of explanation, the ransomware gang is blaming "the feds" for interfering again with its business. But experts including Nic Finn, a senior threat intelligence consultant at GuidePoint Security, don't see any evidence that the BlackCat servers were shut down by law enforcement this time around.

"There's a lot of speculation that BlackCat is initiating an exit scam, in which they steal the ransom payments from their affiliates before shutting down their infrastructure and breaking communications," Finn says. "Their decision to make it look like it's another FBI takedown would help them delay any negative response from their affiliates in the interim."

After all, building a base of reliable affiliates is the secret sauce that makes the RaaS business happen. And publicly burning an affiliate would certainly deter prospective partners from getting involved with BlackCat, indicating the admins don't seem to have many future plans for the business in its current form.

Bitcoin Value, Ukraine, Other Potential Factors in BlackCat Breakup

Malachi Walker, security advisor with DomainTools, pointed out in an emailed statement that it's possible that BlackCat admins decided to cash out of the business and rip off affiliates at this time because the value of Bitcoin is hitting all-time highs.

Ukraine is another possible reason BlackCat leadership is ready to cash out, Walker added.

"Another possibility is that this exit scam is a result of Russia tapping BlackCat on the shoulder and telling them to quit their side hustle and pivot attention to leverage their ransomware capabilities in the war against Ukraine," Walker said. "Whatever the case may be, these actions by BlackCat are of great interest."

Regardless of who exactly is behind the BlackCat moves, Ariel Parnes, COO and co-founder of Mitiga, said the evidence shows there is undeniably an effort being made to destabilize the BlackCat ransomware operation.

"While it might appear that BlackCat has voluntarily ceased its activities, a closer examination suggests a more complex scenario," Parnes says. "The simultaneous deactivation of their servers, coinciding with the allegations of defrauding their associates, hints at a potentially expansive effort to undermine BlackCat's standing."

And while honor among thieves is usually in short supply, in the cybercrime world, brand is everything.

"The operational sustainability of such cybercriminal entities heavily relies on their credibility within their clandestine ecosystem," Parnes adds. "A compromise to their reputation could critically weaken their operational foundation, posing an existential threat."

Change Healthcare, meanwhile, said in a statement to Dark Reading, "We are focused on the investigation."
