ALPHV/BlackCat, infamous for its attacks using monitoring programs, has abruptly halted its activities, sparking widespread speculation across the internet. The shutdown followed accusations that the group's operators had defrauded the affiliate responsible for the attack on Change Healthcare, a platform operated by Optum.
The BlackCat data leak site suddenly became inaccessible on March 1, while the ransom negotiation sites were still operational over the weekend. It was later confirmed that the negotiation sites had also ceased to function.
A brief message appeared on the TOX messaging platform used by the cybercriminals, stating: "Everything is turned off, solved." It remains unclear whether the shutdown was a decision by the group's operators, a technical failure, or an intentional disconnection of the infrastructure.
Change Healthcare is a payment platform in the US health system connecting doctors, pharmacies, medical service providers, and patients; the earlier hacking incident against it was attributed to ALPHV.
Optum, closely linked to Change Healthcare, reportedly paid $22 million to prevent the publication of the stolen data and to obtain a decryption key. However, the ALPHV/BlackCat operators then removed the affiliate from the operation and kept the ransom for themselves.
The affected affiliate went on to publish a separate post on the underground forum RAMP detailing the events and cautioning other hackers to reconsider collaborating with ALPHV, given the risk of being betrayed despite having fulfilled their duties as an affiliate.
Cybercrime operations like ALPHV and LockBit continue unabated because numerous affiliates carry out attacks on behalf of the core group, with the ransom proceeds divided between the affiliates and the leadership.
An alleged ALPHV affiliate known as "NOTCHY" claims to still possess 4 TB of "critical data" from Optum, describing it as production data that could affect all Change Healthcare and Optum customers. The affiliate hints at releasing the data unless payment is made, which would tarnish ALPHV's reputation as an extortion group.
ALPHV/BlackCat, which originally operated as DarkSide in 2020, has weathered several reboots and was notorious for targeting critical infrastructure, as in the Colonial Pipeline attack, which caused panic and a fuel shortage in the USA.
Following law enforcement operations, the group has rebranded multiple times, which suggests that this situation may result in yet another reboot for the group.