Exit Scam: BlackCat Ransomware Group Vanishes After $22 Million Payout


The group responsible for the BlackCat ransomware has abruptly shut down its darknet website, raising suspicions of an exit scam after posting a counterfeit law enforcement seizure notice.

Security researcher Fabian Wosar pointed out that the BlackCat operation did not appear to be genuinely seized, alleging it was an exit scam orchestrated by the operators. He highlighted discrepancies in the source code of the supposed takedown notice, indicating it was not authentic.

The U.K.’s National Crime Agency (NCA) has distanced itself from any involvement in disrupting BlackCat’s infrastructure, as reported by Reuters.

Screenshots shared by Recorded Future’s Dmitry Smilyanets on the X social media platform revealed statements from the BlackCat actors blaming law enforcement for their troubles and expressing intentions to sell the ransomware’s source code for $5 million.

This development follows allegations that BlackCat received a hefty $22 million ransom payment from UnitedHealth’s Change Healthcare unit (Optum) but refused to share the profits with an affiliate involved in the attack.

UnitedHealth has refrained from commenting on the reported ransom payment, focusing solely on investigating and recovering from the incident.

Reports surfaced on the RAMP cybercrime forum from a disgruntled affiliate, alleging that BlackCat's administrators emptied the affiliate's wallet and absconded with the money.

Speculation is rife that BlackCat orchestrated an exit scam to evade detection and reemerge under a new identity. A former admin of the ransomware group hinted at a pending rebranding.

Menlo Security, citing sources in direct contact with the affiliate, suggested that the affiliate, known as Notchy, may have ties to Chinese nation-state groups and has been active in ransomware discussions on the RAMP forum since 2021.

BlackCat previously faced a law enforcement seizure of its infrastructure in December 2023 but managed to regain control of its servers and resume operations without significant repercussions. The group, which previously operated under the DarkSide and BlackMatter names, has also been troubled by internal suspicions of potential infiltrators.

Security advisor Malachi Walker speculated that BlackCat’s actions could stem from fears of internal leaks or simply be a ploy to capitalize on the current cryptocurrency boom.

In related developments, VX-Underground reported that the LockBit ransomware operation has ceased support for its LockBit Red and StealBit tools, while Trend Micro revealed the expanding reach of the RA World ransomware family into various sectors across multiple countries since its emergence in April 2023.
