ALPHV/BlackCat Ransomware Servers Experience Outage

The recent halt in operations of the ALPHV/BlackCat ransomware group has raised suspicions that the group defrauded an affiliate involved in the Optum attack. The attack targeted the Change Healthcare platform and resulted in a substantial loss of $22 million.

The shutdown over the weekend of negotiation sites linked to the ransomware operation suggests a deliberate dismantling of the gang’s infrastructure. However, the exact reason for the shutdown remains unclear, leading to speculation ranging from a potential exit scam to a rebranding effort.

Change Healthcare, a crucial component of the US healthcare system, was the main target of the attack claimed by ALPHV/BlackCat. An affiliate linked to the assault has accused the gang of excluding them and taking off with a significant ransom paid by Optum on March 1.

Stephen Robinson, a senior threat intelligence analyst at WithSecure, commented on the situation, stating that the claim regarding the affiliate payment is interesting but may not be entirely trustworthy. He highlighted the importance of trust between affiliates and the core group in a Ransomware-as-a-Service operation, making it unusual for payment to be withheld or stolen. Robinson also emphasized the efforts made by cybercriminals to evade law enforcement and avoid attacks that draw international attention.

Ariel Parnes, the COO of Mitiga, pointed out that this incident showcases the complexity of RaaS operations and the need for government defenses against them. He highlighted the resilience of cybercrime groups and the importance of a multidimensional, international approach to combatting cyber threats. Parnes suggested integrating offensive cyber countermeasures with traditional national power tools to create a collective defense mechanism.

The history of the ALPHV/BlackCat group, previously known as DarkSide, has been marked by rebrands, notable attacks, and clashes with law enforcement agencies. Despite facing setbacks, the group has persisted, underscoring the challenges of combating sophisticated cybercriminal organizations.

Overall, the halt in ALPHV/BlackCat’s operations amidst allegations of defrauding an affiliate in the Optum attack raises questions about the integrity of ransomware groups and the ongoing battle against cyber threats. The incident serves as a reminder of the evolving nature of cybercrime and the need for a unified, strategic approach to cybersecurity at both national and international levels.
