The ALPHV/BlackCat ransomware group’s operations seem to have halted amid allegations of defrauding an affiliate involved in the Optum attack, which targeted the Change Healthcare platform, resulting in a loss of $22m.
Over the weekend, negotiation sites linked to the ransomware activities were confirmed to have been shut down, indicating a possibly deliberate dismantling of the gang’s infrastructure. However, the exact motive behind this shutdown remains ambiguous, with speculations ranging from a potential exit scam to a rebranding initiative.
Change Healthcare, a critical component of the US healthcare system, was the primary target of the attack recently claimed by ALPHV/BlackCat. An affiliate implicated in the assault accused the gang of excluding them and fleeing with the substantial ransom paid by Optum on March 1.
“The claim regarding the affiliate payment is interesting, but [...] untrustworthy. For a RaaS operation to work, the affiliates and the core group must trust each other, so ‘stealing’ or withholding payment from an affiliate would be very unusual,” commented Stephen Robinson, senior threat intelligence analyst at WithSecure.
“However, cybercriminals often make efforts to stay below the radar of law enforcement, and to avoid committing attacks which will have real-world impacts leading to focused attention from international law enforcement.”
According to Mitiga COO Ariel Parnes, this incident underscores the intricate nature of Ransomware-as-a-Service (RaaS) operations and the responsibility of governments to prepare defenses against them.
“These cybercrime groups are resilient, often lacking a central vulnerability, which allows them to swiftly recover from attacks. Despite this, the emergence of such action-reaction dynamics in cyber confrontations should not dissuade nations from utilizing their defensive capabilities,” the executive explained.
“A more effective approach involves a multidimensional, international campaign. This strategy should integrate offensive cyber countermeasures with traditional tools of national power, fostering a collective defense against cyber-threats.”
The history of ALPHV/BlackCat, formerly known as DarkSide, is marked by various rebrands amid notable attacks and confrontations with law enforcement agencies. Despite facing setbacks, the group has persisted, showcasing the difficulties in combating sophisticated cybercriminal enterprises.