Alphv/BlackCat leak site goes down in possible exit scam

An Alphv/BlackCat affiliate accused the ransomware gang of stealing a ransom payment worth more than $20 million that may have been obtained in the Change Healthcare attack.

The Alphv/BlackCat data leak site has been taken down, and although the site currently features a law enforcement seizure notice, security experts say the ransomware gang has likely conducted an exit scam.

Alphv/BlackCat is a highly prolific ransomware gang that has taken credit for a number of high-profile attacks, such as those against gaming giant MGM Resorts and healthcare payment software provider Change Healthcare. The latter attack, conducted last month, has caused major service disruptions for healthcare organizations such as pharmacies.

The U.S. Department of Justice announced on Dec. 19 an international law enforcement operation against the ransomware-as-a-service group that was led by the FBI and included collaboration from Europol and authorities from several other countries. As part of the takedown, the FBI developed a decryption tool and seized multiple websites belonging to Alphv/BlackCat.

Although the takedown appeared to disrupt the gang, CISA published an advisory in late February stating that nearly 70 victims had been listed on Alphv/BlackCat's data leak site since mid-December and that healthcare was the most targeted sector. "This is likely in response to the ALPHV Blackcat administrator's post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023," CISA said in the advisory.

The Alphv/BlackCat story has evolved further, as security researchers such as Dominic Alvieri noted early Tuesday morning that a law enforcement seizure notice was posted to the gang's data leak site on the dark web.

Emsisoft's head of ransomware research Fabian Wosar said in a post to X, formerly Twitter, that the gang's operators were exit scamming their affiliates by keeping extortion payments obtained in ransomware attacks without paying the affiliates who conducted the attacks. Wosar based his assessment on evidence such as discrepancies in how this new "seizure notice" is hosted compared with an actual seizure notice. He also said Europol and the U.K.'s National Crime Agency "declined any sort of involvement."

Recorded Future product management director Dmitry Smilyanets pointed out in a post on X that an alleged Alphv/BlackCat affiliate recently claimed on a dark web forum called RAMP that the gang was paid $22 million as an extortion payment for the attack the affiliate conducted against Change Healthcare, but that Alphv/BlackCat withheld its payment. "Be careful everyone and stop deal with ALPHV," the alleged affiliate said.

On March 1, Alphv administrators received a payment that corresponds to the $22 million referenced by the supposed affiliate. Wired first reported the transaction, which was traced to a cryptocurrency wallet associated with Alphv/BlackCat by Recorded Future and TRM Labs, a blockchain analytics firm. Change Healthcare has not commented on whether it paid the ransom.

Malware research collective VX-Underground published a timeline of the Alphv/BlackCat drama to X Tuesday morning. According to the account, the affiliate's RAMP post was made on March 3.

"Researchers believe Change Healthcare paid $22,000,000. Change Healthcare has not publicly confirmed or denied paying the ransom. ALPHV administration displayed a status online [via P2P messaging protocol Tox] saying 'Everything is off, we decide.' Shortly after it was changed to 'GG' - 'Good Game'," VX-Underground wrote.

On March 4, VX-Underground said, other Alphv affiliates were seeing their accounts closed and administrators were unresponsive. The post claimed Alphv administrators relayed a message blaming the FBI for unclear reasons. Then, Alphv administrators put the gang's ransomware source code up for sale for $5 million. On Tuesday morning, the "takedown notice" was displayed.

Adam Meyers, CrowdStrike's senior vice president of counter adversary operations, told TechTarget Editorial that the actions of Alphv/BlackCat, which the vendor tracks as Alpha Spider, appear to be an exit scam based on current evidence.

"Based on currently available information -- this appears to be an exit scam based on ALPHA SPIDER's inability to provide evidence contradicting the accusations lodged against the adversary," he said in an email. "Additionally, LE organizations have not issued statements suggesting that they have compromised the newest Alphv dedicated leak site (DLS) and there is a possibility that the seizure notice was directly copied from the seizure notice published to the old Alphv DLS."

UPDATE: The FBI and CISA declined to comment. A spokesperson from Europol said the agency "is not involved in the mentioned action."

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.