
BlackCat Ransomware Group Shutdown After Pulling $22 Million Exit Scam

The saga surrounding the BlackCat ransomware (ALPHV Ransomware) has taken a dramatic turn as the threat actors behind it have seemingly vanished, leaving confusion and speculation in their wake. Reports indicate that they orchestrated an exit scam, shutting down their darknet website and leaving affiliates in the lurch.

Security researcher Fabian Wosar highlighted the suspicious nature of the event, pointing out discrepancies in the supposed law enforcement seizure banner uploaded to the site. This move, according to Wosar, is a clear indicator of an exit scam rather than a legitimate seizure by authorities.

Despite claims of law enforcement involvement, the U.K.'s National Crime Agency denied any connection to the disruption of BlackCat's infrastructure. Screenshots shared by Recorded Future security researcher Dmitry Smilyanets revealed the ransomware actors' intention to sell their source code for a hefty sum of $5 million, citing interference from law enforcement as the reason for their abrupt disappearance.

The situation escalated further with allegations that BlackCat received a massive $22 million ransom payment from UnitedHealth's Change Healthcare unit and failed to share it with an affiliate involved in the attack. The disgruntled affiliate, whose account was suspended by BlackCat's administrative staff, aired their grievances on the RAMP cybercrime forum, accusing BlackCat of deceitfully emptying the shared wallet.

Speculation abounds regarding BlackCat's future, with some suggesting a rebranding effort to evade scrutiny and continue operations under a new identity. The group's troubled history, including previous seizures of their infrastructure, adds to the intrigue surrounding their sudden disappearance.

Malachi Walker, a security advisor, offered insights into possible motives behind the exit scam, citing concerns about internal security and the allure of cashing out while cryptocurrency values are high. This move, however, risks damaging the group's reputation and eroding trust among their affiliates.

The demise of BlackCat coincides with developments in the ransomware landscape, including shifts in the operations of other groups like LockBit and the emergence of new threats such as RA World. These incidents underscore the evolving nature of cyber threats and the challenges faced by organizations in defending against them.
