BlackCat Goes Silent After Stealing from Change Healthcare Ransom

After days of widespread outages that have wreaked havoc across the US healthcare system, United Healthcare’s Change Healthcare subsidiary made the decision to pay off the BlackCat/ALPHV ransomware affiliate that breached its systems on February 23. Unfortunately, the ransom payment did not bring the cyber incident to a neat conclusion as was hoped.

The aftermath of the Change Healthcare ransomware attack has sparked speculation that it may be part of an exit strategy for the BlackCat administrators. It is believed that the administrators are cutting ties with their affiliates and aiming for one last significant payday before abandoning their current brand and infrastructure altogether.

Following the reported payment of $22 million in Bitcoin as ransom, the BlackCat administrators allegedly swooped in and took all of the money for themselves, leaving their affiliates empty-handed. A message from a disgruntled affiliate on the Dark Web claimed to still hold critical data amounting to 4TB, which includes stolen information from Change partners such as CVS-Caremark, Health Net, and MetLife. The affiliate threatened to release this data if they did not receive their promised share of the ransom. This incident has sent shockwaves through the cybercrime community and serves as a cautionary tale to other potential affiliates.

BlackCat’s ransomware-as-a-service (RaaS) business has been under pressure since its servers were seized by law enforcement in December, compromising the group’s infrastructure. Despite efforts to recover by standing up new servers, law enforcement still had access to their code, creating ongoing vulnerabilities.

The latest development in this saga sees BlackCat announcing the sale of their RaaS source code for $5 million and shutting down their leak site. This surprising turn of events comes amid speculation of an exit scam orchestrated by the administrators. The decision to blame law enforcement interference in order to delay negative responses from affiliates further adds to the intrigue surrounding BlackCat’s motives.

Several theories have emerged to explain BlackCat’s sudden change of direction. The soaring value of Bitcoin and potential involvement in the conflict between Russia and Ukraine have been cited as potential reasons for their actions. The deliberate effort on the part of BlackCat to destabilize their own operation is evident, leaving observers puzzled about the true intentions behind their recent moves.

Experts in the cybersecurity field have highlighted the importance of reputation in the criminal underworld. A compromise to their standing could have serious implications for their operational capabilities, potentially leading to their downfall. The implications of BlackCat’s actions are being closely monitored by industry experts, with a keen interest in uncovering the motivations behind their unexpected maneuvers.

Change Healthcare has issued a statement indicating that they are fully focused on the investigation into the ransomware attack. The fallout from this incident continues to unfold, shedding light on the complex and ever-evolving landscape of cybersecurity threats facing the healthcare industry and beyond. As the story continues to develop, the implications of these events are sure to reverberate across the cybersecurity landscape in the days and weeks to come.
