The threat actors behind the BlackCat ransomware have taken down their darknet site and may have carried out an exit scam after uploading a fake law enforcement seizure banner.
Security researcher Fabian Wosar explained: “ALPHV/BlackCat has not been detected. They are defrauding their affiliates. This is very apparent when you examine the source code of the new takedown notices.”
“There is absolutely zero reason for law enforcement to place only a saved version of a takedown notice during a seizure rather than the original takedown notice.”
Britain’s National Crime Agency (NCA) told Reuters it was not involved in any disruption to BlackCat’s infrastructure.
Recorded Future security researcher Dmitry Smilyanets released a screenshot of the post from a social media platform.
The group allegedly received $22 million in ransom from UnitedHealth’s Change Healthcare unit (Optum) and refused to share the proceeds with the affiliate that carried out the attack.
UnitedHealth did not comment on the alleged ransom payment, saying it was focusing only on the investigation and recovery aspects of the incident.
According to DataBreaches, the disgruntled affiliate made the accusation on the RAMP cybercrime forum and the affiliate’s account has been suspended by administrators. “They emptied their wallets and took all the money,” they said.
This sparked speculation that BlackCat staged an exit scam to evade scrutiny and resurface under a new brand in the future. A former administrator of a ransomware group said that “the rebranding is pending.”
BlackCat’s infrastructure was seized by law enforcement in December 2023, but the cybercrime gang managed to regain control of its servers and restart operations without any major consequences. The group has previously operated under the names “DarkSide” and “BlackMatter”.
Malachi Walker, a security consultant at DomainTools, said: “BlackCat may have internal concerns about a mole within its organization, so preemptively shutting down the store may prevent an attack before it occurs.”
“On the other hand, this exit scam could just be an opportunity for BlackCat to take the cash and run away. With cryptocurrencies once again reaching all-time highs, the gang can get away with selling their products at a ‘high price’. In the world of cybercrime, reputation is everything, and BlackCat appears to be severing ties with its affiliates through these actions.”
As the group apparently dies off and abandons its infrastructure, malware research group VX-Underground reports that the LockBit ransomware operation no longer supports Lockbit Red (also known as Lockbit 2.0) or StealBit (a custom tool used by the threat actors for data exfiltration).
LockBit has also attempted to save face by moving some of its activities to a new darknet portal after a coordinated law enforcement operation dismantled its infrastructure last month following a months-long investigation.
At the same time, Trend Micro revealed that a ransomware family called RA World (formerly RA Group) has successfully penetrated healthcare, financial and insurance organizations in the United States, Germany, India, Taiwan and other countries since its emergence in April 2023.
The cybersecurity firm noted that the group’s attacks “involved multi-stage components designed to ensure the maximum impact and success of the group’s operations.”