Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

BlackCat ransomware gang shuts down servers after multi-million dollar UnitedHealth payout — but is this really the end?

ID theft.

The notorious BlackCat ransomware operator (also known as ALPHV) has apparentlly shut down its entire infrastructure, including servers, and websites. 

The circumstances leading up to the decision are unclear, but some things point to a possible exit scam.

Over the weekend, the group shut down its negotiation sites and posted a message on the Tox messaging platform, reading “Everything is off, we decide”. Later during the day, the group changed the message to “GG,” short for “good game”. Gamers usually type “GG” when they concede and decide to quit the game.

Ransomware as a service?

While the group gave no explanation for its sudden termination, one of its affiliates claims to know what happened. Picked up by cybersecurity researchers Recorded Future, a message was posted by someone claiming to be a “longtime” BlackCat affiliate, who were also responsible for the attack on Change Healthcare. 

The attack, which was reported in late February this year, forced some of Change Healthcare’s services offline, and even affected local pharmacies. The company merged with Optum two years ago, in a $7.8 billion deal. Following the ransomware attack, the affiliate criminals claim, Optum paid $22 million in bitcoin (roughly 350 BTC) for sensitive data not to be released online, and for the group to provide the decryption key.

That’s when ALPHV apparently decided to pull the plug. The operators work a ransomware-as-a-service (RaaS) model, where the affiliates get a cut of the ransom payment, but so do the operators. Apparently, there is no honor among thieves, and ALPHV decided to take the entire prize for itself.

While that certainly sounds plausible, BleepingComputer also speculates that the shutdown could be a part of a rebranding effort. BlackCat has already rebranded once in the past and was, until 2020, known as DarkSide.

The affiliates are now stuck with 4TB of Optum’s “critical data,” including “operation data that will affect all Change Healthcare and Optum clients”.

Via BleepingComputer

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.