Ransomware group behind Change Healthcare attack goes dark
The criminal hacking group that claimed credit for the crippling ransomware attack on Change Healthcare — an incident that is roiling U.S. health care providers and threatening some with financial ruin — has shuttered its website, posting an apparently fake law enforcement takedown notice and claiming it would sell its source code.
The group, known interchangeably as ALPHV or BlackCat, posted the fake seizure notice some time between late Monday evening and early Tuesday after reports that it had received a ransom payment from Change Healthcare — and then refused to distribute it to the affiliate that had carried out the attack.
In a post to an underground criminal forum Sunday, a person claiming to be an ALPHV affiliate — a member of a group that carries out ransomware attacks using ALPHV’s tools in exchange for splitting the proceeds of any ransomware payments — claimed that Change Healthcare’s parent company had made a $22 million ransom payment. Rather than share the proceeds, ALPHV administrators took the money for themselves, according to a screenshot of the post highlighted by Recorded Future analyst Dmitry Smilyanets.
By Tuesday, an ALPHV administrator claimed that the group had “decided to completely close the project” because “the feds screwed us over,” according to a screenshot of the post shared by Smilyanets.
Around the same time, ALPHV put up the apparently fake seizure notice, and in a post to a messaging service used by the group said it was selling its source code for $5 million.
Cybercrime researchers broadly agree that the FBI seizure notice is almost certainly fake and appears to have been copied and pasted from a previous seizure of ALPHV-related infrastructure. Researchers point to several factors supporting the conclusion, including inconsistent HTML source code compared to legitimate seizure notices, the post coinciding with claims that ALPHV administrators have scammed one of their affiliates and the fact that at least one of the law enforcement agencies listed on the takedown notice — the U.K.’s National Crime Agency — has denied any involvement.
ALPHV administrators did not respond to a CyberScoop request for comment Tuesday.
A Change Healthcare spokesperson did not respond to questions about the apparent $22 million payment late Monday. “We remain focused on the investigation and recovery of our operations,” the spokesperson said in an email.
Meanwhile, the U.S. Department of Health and Human Services said Tuesday it was taking steps to help facilitate payment processing and other financial support measures for health care providers, many of whom are facing cash flow problems amid the ongoing ransomware attack.
CyberScoop could not confirm that Change Healthcare made the payment, which was revealed in the forum post from the angry ALPHV affiliate. That post made reference to a cryptocurrency wallet that received a March 1 payment of roughly 350 bitcoin — approximately $22.7 million — which was then split equally between seven additional accounts. Cybercrime researchers have linked the wallet that received the 350 bitcoin payment to previous ALPHV operations.
Cybercrime researchers said that by taking payment and closing up shop, ALPHV appears to be carrying out a classic exit-scam. Researchers caution that ALPHV/BlackCat will likely rebrand and reemerge in the near future — as it has before.
Late last year, the FBI carried out a takedown operation against ALPHV, only to see the group immediately restart operations. Will Thomas, a cybercrime researcher and SANS instructor, said that ALPHV affiliates likely lost millions of dollars due to the decryption operations carried out by law enforcement as part of that operation, and it was no surprise that they have decided to shut down.
“But as this group is a rebrand that can be traced back to both DarkSide and BlackMatter, it would not be a surprise if they return once more in the not too distant future,” Thomas said.
In an interview with the cybercrime blog Databreaches.net, a “now-former” ALPHV admin said that they’d also been locked out of the ALPHV infrastructure, and “confirmed that the admin(s) had stolen the affiliate’s funds and also confirmed that Change Healthcare had been given a decryptor after they paid.” The former admin also said that a re-branding is “pending.”
Fabian Wosar, a ransomware researcher with Emsisoft, described in a series of posts on the social media platform X how it was “blatantly obvious” that the group was “exit scamming their affiliates” with the phony law enforcement seizure notice. Wosar pointed to the HTML source code on the website showing signs that it had been copied and pasted from a legitimate seizure.
The notice is identical to the one posted to the old ALPHV site in December after that FBI disruption operation.
A Department of Justice spokesperson told CyberScoop late Tuesday that “this was not an official U.S. law enforcement action.”
The FBI did not respond to multiple requests for comment Tuesday. The U.K.’s National Crime Agency told Reuters that it played no role in any disruptions to the ALPHV infrastructure.
If confirmed, the $22 million ransom payment could encourage further attacks on the health care sector. “We saw this in the case of the Conti chat logs where they identified certain sectors as being more likely to pay,” Kurtis Minder, the co-founder and CEO of GroupSense and a longtime ransomware negotiator, told CyberScoop in an online chat, referring to leaked internal documents and chats from the Conti ransomware gang that documented how they would target industries with a history of paying ransoms.
But Minder said he was sympathetic toward executives who chose to pay ransoms. “In many cases if they don’t pay / pay quickly they go out of business or people are harmed.”
Amir Sadon, the director of incident response research with Sygnia, told CyberScoop that in this case it’s not yet clear what happened between the group and its affiliates, what law enforcement’s role was, or whether the group is actually shutting down.
Given the uncertainties, Change Healthcare may receive the short-term relief of having its data decrypted, but that doesn’t mean the threat is over.
“In most cases, once you pay the ransom, you will have some sort of guarantee that the group who attacked you will keep their part of the deal, but obviously you can never be sure when you are dealing with criminals,” said Sadon, who published an analysis Tuesday of a 2023 Sygnia incident response engagement dealing with an ALPHV/BlackCat attack.
Ultimately, the erratic developments surrounding ALPHV in recent days highlight the nature of this slice of the cybercrime underworld, said Brett Callow, a threat analyst with Emsisoft.
“Gangs are sometimes said to be organized like legitimate businesses, but this shows the chaos that exists within the ecosystem,” he said. “Criminals scamming criminals.”
Updated, March 5, 2024: This story has been updated to include comment from the U.S. Department of Justice.