
BlackCat Goes Dark After Ripping Off Change Healthcare Ransom

March 5, 2024 – Published on Dark Reading

After days of outages that have caused chaos across the US healthcare system, United Healthcare’s Change Healthcare subsidiary decided the best bet was to pay off the BlackCat/ALPHV ransomware affiliate that breached its systems on Feb. 23. Unsurprisingly, paying the extortion didn’t provide the tidy end to the cyber incident that the healthcare technology services provider hoped it would.

Experts speculate it’s possible that the Change Healthcare ransomware attack, and by association the US healthcare system more broadly, is wrapped up in a potential exit strategy for the BlackCat admins — who are burning affiliate bridges and going after one last big payday before abandoning their brand and existing infrastructure altogether.

Now, BlackCat has shuttered its leak site and put its RaaS source code up for sale for $5 million for anyone who’s interested, it announced by way of its Tor chat over the past day or so. It’s a stunning reversal after a string of high-profile attacks, and doubly so given BlackCat’s position as the top ransomware gang now that LockBit has been sidelined by a law-enforcement action.

By way of explanation, the ransomware gang is blaming “the feds” for interfering again with its business. But experts including Nic Finn, a senior threat intelligence consultant at GuidePoint Security, don’t see any evidence that the BlackCat servers were shut down by law enforcement this time around.

“There’s a lot of speculation that BlackCat is initiating an exit scam, in which they steal the ransom payments from their affiliates before shutting down their infrastructure and breaking communications,” Finn says. “Their decision to make it look like it’s another FBI takedown would help them delay any negative response from their affiliates in the interim.”
