
Blackcat ransomware turns off servers following claims of $22M ransom

The ALPHV/BlackCat ransomware group has shut down its servers amid allegations of scamming an affiliate for $22 million. 


What happened 

Change Healthcare's platform, targeted in the attack on Optum, is a vital component of the US healthcare system. The Tox messaging platform used by BlackCat displayed a cryptic message indicating the group's decision to cease operations. An affiliate claiming responsibility for the Optum attack alleged that after Optum paid the ransom, BlackCat confiscated the funds and suspended the affiliate's account. The affiliate, known as "notchy," still possesses 4TB of data from Optum, including critical information affecting multiple clients.

To support this claim, notchy shared cryptocurrency transaction records. UnitedHealth Group, Optum's parent company, declined to comment on the alleged ransom payment. The shutdown of the negotiation sites suggests a deliberate dismantling of BlackCat's infrastructure, raising speculation about an exit scam.

This mirrors the closure of DarkSide, a precursor to BlackCat, which cited law enforcement intervention as its reason for shutting down. Similar claims may emerge if BlackCat shuts down following the recent law enforcement actions against its servers.

The backstory

On February 21, 2024, a cyberattack occurred at Change Healthcare, severely disrupting its operations. It was alleged that the “notorious” ransomware group BlackCat was behind the attack after UnitedHealth claimed it had been targeted by a "suspected nation-state associated cybersecurity threat actor."

Go deeper: Blackcat ransomware gang behind ongoing Change Healthcare disruption


Why it matters

4TB of Optum data is still in the hands of cybercriminals, indicating that the attack may not be over, despite Optum having paid the ransom. This corroborates cybersecurity experts’ advice for organizations not to pay the ransom because “paying provides monetary support for malicious organizations and doesn't necessarily prevent information from being sold.”  

Go deeper: Report: Companies are refusing to pay ransoms


The big picture

The BlackCat ransomware group's actions demonstrate the ongoing threat posed by ransomware attacks and the potential for cybercriminals to double-cross each other, potentially leading to further financial losses and disruptions for victims. With substantial Optum data still in the hands of cybercriminals, Change Healthcare may continue to endure the effects of its systems being hacked.



What happens if an organization pays a ransom but the encrypted data is not released?

Paying the ransom does not guarantee the successful recovery of encrypted data, and organizations may find themselves in a vulnerable position even after making the payment. Therefore, it is generally not recommended to pay the ransom, and organizations should instead focus on implementing cybersecurity measures and exploring alternative options for data recovery and incident response.


Can I recover my files without paying the ransom?

In some cases, cybersecurity professionals may be able to decrypt ransomware-encrypted files or restore access to locked systems without paying the ransom. However, recovery options depend on the specific type of ransomware and the extent of the damage caused.


Can I recover my files or unlock my system after paying the ransom?

While cybercriminals may provide a decryption key or unlock code after receiving the ransom payment, there is no guarantee that it will successfully restore access to your files or system. In some cases, the decryption key may be faulty, or the encryption may be too strong to decrypt without significant computational resources.
