The threat actors behind the BlackCat ransomware have shut down their darknet website and likely pulled an exit scam after uploading a bogus law enforcement seizure banner.
"ALPHV/BlackCat did not get seized. They're exit scamming their affiliates," security researcher Fabian Wosar said. "It's blatantly obvious when you check the source code of the new takedown notice."
"There is absolutely zero reason why law enforcement would just put a saved version of the takedown notice up during a seizure instead of the original takedown notice."
The U.K.'s National Crime Agency (NCA) told Reuters that it had no connection to any disruptions to the BlackCat infrastructure.
Recorded Future security researcher Dmitry Smilyanets posted screenshots on the social media platform X in which the BlackCat actors claimed that the "feds screwed us over" and that they intended to sell the ransomware's source code for $5 million.
The disappearing act comes after the group allegedly received a $22 million ransom payment from UnitedHealth's Change Healthcare unit (Optum) and refused to share the proceeds with an affiliate that had carried out the attack.
The company has not commented on the alleged ransom payment, instead stating it is solely focused on the investigation and recovery aspects of the incident.
According to DataBreaches, the disgruntled affiliate – which had its account suspended by the administrative staff – made the allegations on the RAMP cybercrime forum. "They emptied the wallet and took all the money," they said.
This has raised speculation that BlackCat has staged an exit scam to evade scrutiny and resurface in the future under a new brand. "A re-branding is pending," a now-former admin of the ransomware group was quoted as saying.
BlackCat had its infrastructure seized by law enforcement in December 2023, but the e-crime gang managed to wrest back control of its servers and restart its operations without any major consequences. The group previously operated under the monikers DarkSide and BlackMatter.
"Internally, BlackCat may be worried about moles within their group, and closing up shop preemptively could stop a takedown before it happens," Malachi Walker, a security advisor with DomainTools, said.
"On the other hand, this exit scam might simply be an opportunity for BlackCat to take the money and run. Since crypto is once again at an all-time high, the gang can get away with selling their product 'high.' In the cybercrime world, reputation is everything, and BlackCat seems to be burning bridges with its affiliates with these actions."
The group's apparent demise and the abandonment of its infrastructure come as malware research group VX-Underground reported that the LockBit ransomware operation no longer supports LockBit Red (aka LockBit 2.0) and StealBit, a custom tool used by the threat actor for data exfiltration.
LockBit has also attempted to save face by moving some of its activities to a new dark web portal after a coordinated law enforcement operation took down its infrastructure last month following a months-long investigation.
It also comes as Trend Micro revealed that the ransomware family known as RA World (formerly RA Group) has successfully infiltrated healthcare, finance, and insurance companies in the U.S., Germany, India, Taiwan, and other countries since emerging in April 2023.
Attacks mounted by the group "involve multi-stage components designed to ensure maximum impact and success in the group's operations," the cybersecurity firm noted.