The threat actors behind the BlackCat ransomware have shut down their darknet website and likely pulled an exit scam after uploading a bogus law enforcement seizure banner.
“ALPHV/BlackCat did not get seized. They are exit scamming their affiliates,” security researcher Fabian Wosar said. “It is blatantly obvious when you check the source code of the new takedown notice.”
“There is absolutely zero reason why law enforcement would just put a saved version of the takedown notice up during a seizure instead of the original takedown notice.”
The U.K.’s National Crime Agency (NCA) told Reuters that it had no connection to any disruptions to the BlackCat infrastructure.
Recorded Future security researcher Dmitry Smilyanets posted screenshots on the social media platform X in which the BlackCat actors claimed that the “feds screwed us over” and that they intended to sell the ransomware’s source code for $5 million.
The disappearing act comes after the group allegedly received a $22 million ransom payment from UnitedHealth’s Change Healthcare unit (Optum) and refused to share the proceeds with the affiliate that had carried out the attack.
The company has not commented on the alleged ransom payment, instead stating that it is focused solely on the investigation and recovery aspects of the incident.
According to DataBreaches, the disgruntled affiliate – which had its account suspended by the administrative staff – made the allegations on the RAMP cybercrime forum. “They emptied the wallet and took all the money,” they said.
This has raised speculation that BlackCat has staged an exit scam to evade scrutiny and resurface in the future under a new brand. “A re-branding is pending,” a now-former admin of the ransomware group was quoted as saying.
BlackCat had its infrastructure seized by law enforcement in December 2023, but the e-crime gang managed to wrest control of its servers and restart its operations without any major consequences. The group previously operated under the monikers DarkSide and BlackMatter.
“Internally, BlackCat may be worried about moles within their group, and shutting up shop preemptively could stop a takedown before it occurs,” Malachi Walker, a security advisor with DomainTools, said.
“On the other hand, this exit scam might simply be an opportunity for BlackCat to take the money and run. Since crypto is once again at an all-time high, the gang can get away with selling their product ‘high.’ In the cybercrime world, reputation is everything, and BlackCat seems to be burning bridges with its affiliates with these actions.”
The group’s apparent demise and the abandonment of its infrastructure come as malware research group VX-Underground reported that the LockBit ransomware operation no longer supports LockBit Red (aka LockBit 2.0) and StealBit, a custom tool used by the threat actor for data exfiltration.
LockBit has also tried to save face by moving some of its activities to a new dark web portal after a coordinated law enforcement operation took down its infrastructure last month following a months-long investigation.
It also comes as Trend Micro revealed that the ransomware family known as RA World (formerly RA Group) has successfully infiltrated healthcare, finance, and insurance companies in the U.S., Germany, India, Taiwan, and other countries since emerging in April 2023.
Attacks mounted by the group “involve multi-stage components designed to ensure maximum impact and success in the group’s operations,” the cybersecurity firm noted.