BlackCat ransomware shuts down in exit scam blames the feds

The BlackCat ransomware gang is pulling an exit scam, trying to shut down and run off with affiliates' money by pretending the FBI seized their site and infrastructure.

The gang announced they are now selling the source code for the malware for the hefty price of $5 million.

On a hacker forum, ALPHV said that they decided to close the project because of "the feds," without providing additional details or a clarification.

However, a national law enforcement agency listed on the seizure banner confirmed to BleepingComputer that they were not involved in any recent disruption of ALPHV infrastructure.

The ransomware gang started the exit-scam operation on Friday when they took their Tor data leak blog offline. On Monday, they further shut down the negotiation servers, saying that they decided to turn everything off amid complaints from an affiliate that the operators stole a $20 million Change Healthcare ransom from them.

Yesterday, the gang's status on Tox changed to "GG" (good game), hinting at the end of the operation, and later to "selling source code 5kk," indicating that they wanted $5 million for their malware.

In a message on a hacker forum shared by Recorded Future's Dmitry Smilyanets, the administrators of the operation said that they "decided to completely close the project" and "we can officially declare that the feds screwed us over."

At the time of writing, the ALPHV leak site shows a fake banner announcing that the Federal Bureau of Investigation (FBI) seized the server "in a coordinated law enforcement action taken against ALPHV Blackcat Ransomware."

While the FBI has declined to comment on the seizure notice, Europol and the NCA told BleepingComputer that they are not involved in any recent disruption to ALPHV's infrastructure, even though they are listed on the fake seizure message.

BleepingComputer noticed that the seizure banner image is hosted under a folder named "THIS WEBSITE HAS BEEN SEIZED_files," which clearly indicates that the banner was extracted from an archive.

Ransomware expert Fabian Wosar told BleepingComputer that the ransomware gang simply set up a Python SimpleHTTPServer to serve the fake banner.

"So they simply saved the takedown notice from the old leak site and spun up a Python HTTP server to serve it under their new leak site. Lazy," Fabian Wosar told BleepingComputer.

Additionally, Wosar says that his contacts at Europol and the NCA denied any sort of involvement in seizing the ALPHV ransomware site.

Despite the NCA's statement and evidence that the banner on the leak site is not the result of law enforcement activity, ALPHV told BleepingComputer that their infrastructure was seized.

Rumors of a possible exit scam from ALPHV started when a longtime ALPHV partner, a so-called "Notchy," claimed that the gang had closed their account and robbed them of a $22 million payment from the ransom allegedly paid by Optum for the Change Healthcare attack.

As proof of their claim, the affiliate shared a cryptocurrency payment address that recorded only one incoming transfer of 350 bitcoins (about $23 million) from a wallet that appears to have been used specifically for this transaction on March 2nd.

After getting the funds, the recipient address that allegedly belongs to ALPHV operators distributed the bitcoins to various wallets in equal transactions of about $3.3 million.

It is worth noting that while the recipient address is now empty, it shows that it received and sent close to $94 million.

With claims from affiliates not getting paid, a sudden shutdown of the infrastructure, cutting ties with multiple affiliates, the "GG" message on Tox, announcing that they're selling the malware source code, and especially pretending that the FBI took control of their websites, all this is a clear indication that the ALPHV/BlackCat ransomware administrators are exit scamming.

The operators of BlackCat have been involved in ransomware since at least 2020, first launching as DarkSide in August 2020 as a ransomware-as-a-service (RaaS) operation.

A RaaS is when core operators develop a ransomware encryptor and negotiation sites and recruit affiliates to use their tools to conduct ransomware attacks and steal data.

After a ransom is paid, the operators split the ransom payment with affiliates, with affiliates and their teams usually receiving 70-80% of the payment and the operation receiving the rest.

After their widely publicized attack on Colonial Pipeline, the threat actors shut down the DarkSide operation in May 2021 under intense pressure from global law enforcement.

While ransomware gangs were already under scrutiny by law enforcement, the attack on Colonial Pipeline was a tipping point for governments worldwide, who began prioritizing targeting these cybercrime operations.

Instead of staying away, the operators launched a new ransomware operation called BlackMatter on July 31st, 2021. However, the cybercriminals quickly shut down again in November 2021 after Emsisoft exploited a weakness to create a decryptor and servers were seized.

Instead of learning from their mistakes, the ransomware operators returned in November 2021, this time under the name BlackCat, or ALPHV.

While the gang's official name is ALPHV, it was not known at the time, so researchers called it BlackCat based on the small icon of a black cat used on every victim's negotiation site.

Since then, the ransomware gang has continuously evolved its extortion tactics, taking the unusual approach of partnering with English-speaking affiliates.

However, last year the threat actors grew increasingly toxic, working with affiliates who threatened physical harm, posting nude photos from stolen data, and aggressively calling out victims.

With this new extortion strategy, the ransomware gang was firmly planted in the crosshairs of law enforcement.

In December 2023, an international law enforcement operation seized the ransomware gang's Tor negotiation and data leak sites.

The FBI also announced that they had hacked BlackCat's servers and quietly collected information on the cybercriminals while obtaining decryptors to allow victims to recover their files for free.

Instead of shutting down, the ransomware gang continued their activities, vowing to retaliate against the US government by attacking critical infrastructure.

Never learning from their past mistakes, the ransomware gang once again conducted an attack that went too far, putting the full scrutiny of global law enforcement on their operation.

First it was Colonial Pipeline in 2020, and now it's the attack on UnitedHealth Group's Change Healthcare. The Change Healthcare attack has significantly impacted the US healthcare system after systems used by pharmacies and doctors to file claims with insurance companies were disrupted.

This disruption has led to real-world consequences for US patients, who can no longer use discount cards or receive medications under their normal insurance plans, forcing them to temporarily pay full price for critical medications.

The threat actors also claimed to have stolen 6 TB of data from Change Healthcare containing the healthcare information for millions of US citizens.

After receiving an alleged $22 million ransom payment from Change Healthcare to not leak data and receive the decryptor, an affiliate claimed the BlackCat operators stole their money.

However, instead of being disrupted by law enforcement, the operation has once again shut down, pulling an exit scam.

At this point, it is unclear if the ransomware gang will return under a new name. However, one thing is sure: their reputation has been significantly tarnished, making it doubtful affiliates would want to work with them in the future.

Update March 6, 10:53: Article updated with comment from Europol denying any involvement in a recent disruption of ALPHV ransomware infrastructure.

Comments:

Is there no honor among thieves? I'm shocked, really.

Sounds like a huge exit scam to me.

> the feds screwed us over
Sorry, am I supposed to feel bad about this? It's like a bank robber whining about the security guard stopping them: "It was going great until the security guard screwed me over."

Things are looking good recently: operations seized, hackers being rekt, and the good ol' exit scams.

This is MY favourite:

> Rumors of a possible exit scam from ALPHV started when a longtime ALPHV partner, a so-called "Notchy," claimed that the gang had closed their account and robbed them of a $22 million payment from the ransom allegedly paid by Optum for the Change Healthcare attack.

So you contracted a scammer to scam, and you got scammed.

How surprising.
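As an added example, not code from the article or from anyone it quotes, the following Python script checks a fetched "seizure" page for the two artifacts the article describes: resources loaded from a browser "save complete page" `_files` folder, and a `Server` header from Python's built-in http.server (the old SimpleHTTPServer). The sample HTML, file names and version string are constructed; only the folder name is modelled on the one reported above.

```python
"""Heuristic check for a seizure banner that is really a saved copy of another
page, served from a generic HTTP server (added example, not from the article)."""
import re
from html.parser import HTMLParser

# A browser's "save complete page" stores images and stylesheets in a sibling
# folder named "<page title>_files"; references to it survive in the saved HTML.
SAVE_AS_FOLDER = re.compile(r"\S*_files/")


class _ResourceCollector(HTMLParser):
    """Collects every src/href value so we can look for save-as folder paths."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.resources.append(value)


def saved_page_indicators(html, headers):
    """Return the reasons a page looks like a saved copy, or [] if none apply."""
    collector = _ResourceCollector()
    collector.feed(html)
    reasons = []
    folders = sorted({m.group(0) for r in collector.resources
                      for m in [SAVE_AS_FOLDER.search(r)] if m})
    for folder in folders:
        reasons.append(f"resources loaded from browser save-as folder {folder!r}")
    # http.server (formerly SimpleHTTPServer) identifies itself as "SimpleHTTP/x.y Python/a.b.c"
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    if server.startswith("SimpleHTTP/"):
        reasons.append(f"served by Python's built-in http.server: {server!r}")
    return reasons


# Constructed sample: folder name modelled on the article, everything else made up.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="THIS%20WEBSITE%20HAS%20BEEN%20SEIZED_files/style.css">
</head><body>
<img src="THIS%20WEBSITE%20HAS%20BEEN%20SEIZED_files/banner.png">
</body></html>"""
SAMPLE_HEADERS = {"Server": "SimpleHTTP/0.6 Python/3.11.4"}

if __name__ == "__main__":
    for reason in saved_page_indicators(SAMPLE_HTML, SAMPLE_HEADERS):
        print("-", reason)
```

A genuine takedown page would normally serve its assets from its own paths and a production web server, so an empty result is not proof of authenticity, only the absence of these two lazy-copy artifacts.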